#!/bin/ksh # File : cdot_chk_secu-baseline_setting.ksh # By : Maarten de Boer, 100427, 161005 (copy from chk_secu-baseline_setting.ksh) # Subject : Check security setting for cDOT. Mail the output or create incident via IMI # set -x #(0.2) : Add M01 #(0.3),170523 : Mod M01, 0/0=100% #(0.4),170524 : Add M08 #(0.5),170530 : Add M03 non public IP & security login role config show, Add M07 #(0.6),170530 : Add M09 #(0.7),170601 : Mod. M08 & Add M14, M15 #(0.8),170601 : Add M16 & M07 #(0.9),170607 : Add --imi, check for clustername = hostname #(0.10),170609 : Mod's, Added CFG #(0.11),170621 : Mod's SDMGROUP, some checks #(0.12),170707 : Mod: ticket text #(0.13),170713 : Add VERBOSE at IMI #(0.14),170928 : Mod. passwd-min-len = 15 (due to new secu regulations at Atos) #(0.15),171122 : Mod. some M04 answers not OK #(0.16),190708,MdB : Updated No LUN & iSCSI check (Thanks to saran.antony@atos.net) #(0.17),200817 : Some (more) M04 answers not OK + Added some process"thing" #(0.18),200818 : Mod. M08; SDATE=`date -u +%a' '%b' '%d' '%H:%M:%S' '%Y` #(0.19),200818 : Some more mod's #(0.20),201211 : Mod. from (mail)IMI to (place file)ESB #(0.21),201214 : RCFILE added #(0.22),210119 : Some mod's for using with IMI2ESB #(0.23),210321 : Added echo with CIFSWARN & WARN to LOG #(0.24),220429 : Added --svm. Mod: DATI, grep -i everyone, remove "--no-proxy" at wget, remove ${IMI} #(0.25),230207 : Mod to 'everyone / full control', VCLUSETR => VSERVER #(0.26),231023 : Mod. RCFILE (place) #(0.27),231107 : Mod. M03 (snmp check part) #(0.28),250805 : Split MAILTO & RPT_MAILTO. Disable CFG (using RCFILE) #(0.29)xxx #(0.30),260219 : Mod. "vol show" => "volume show", Add. VOL_EXCL PGM="`basename $0|cut -d\. -f1`" VER="0.30" TMP="/tmp/${PGM}.$$" RCFILE="${HOME}/etc/${PGM}.rc" WARN="/tmp/${PGM}.warn.$$" MAIL="" MAILFILE="${TMP}.mailfile" MAILTO="maarten.deboer@atos.net" RPT_MAILTO="maarten.deboer@atos.net" HOSTNAME="`hostname|cut -d\. -f1`" CLUSTERS="${HOME}/etc/clusters" SSH="/usr/bin/ssh -n" DATI="`date +%Y-%m-%d-%H-%M-%S`" ASC="/tmp/${PGM}_${HOSTNAME}_${DATI}.asc" SSH="/usr/bin/ssh -n" CFILTER="[?]*" SFILTER="[?]*" MFILTER="M*" CFG="${HOME}/etc/${PGM}.cfg" LOG="${HOME}/log/${PGM}.log" MAXLOGSIZE=1024 # In K's IMI="" VERBOSE="" ###SDMMAIL="email@usd-prod.uk.atosorigin.com" ###SDMMAIL="prod-imi@gis.nl.ao-srv.com" SDMMAIL="ESBIncident.it-solutions@atos.net" #SDMMAIL="maarten.deboer@atos.net " SDMUSER="nl19471" SDMMSG="${TMP}.sdm" #SDMREPLYTO="maarten.deboer@atos.net" SDMREPLYTO="dlnlo-fsod@atos.net" SDMTYPE="Incident" SDMGROUP="RO.Storage.FSOD" #SDMGROUP="NL.Storage.FSOD" CSV="/tmp/${PGM}_${HOSTNAME}_${DATI}.csv" WARNCNT=0 # Warning count TTLCNT=0 # Total count TMPCSV="${TMP}.csv" CIFSWARN="/tmp/${PGM}.cifswarn.$$" EXCLUDES="${HOME}/etc/${PGM}.excludes" MAILPERCLUSTER="" VOL_EXCL="fg_oss" # FlexGroup. Introduced at object s3 usage ESB="" ORG="Atos Netherlands" REQ_TYPE="Incident" REQ_AREA="Storage;Storage;Other" #GROUP="NL.Storage.FSOD" GROUP="RO.Storage.FSOD" ESB_QUEUE="${HOME}/imi2esb/queue" ESB_USER="sdp" IMI_UPLOAD="${HOME}/imi2esb/bin/imi_upload.sh" #ESBSTAT_URL="https://btndev.sapart.atos-srv.net/ART/esbstat.pl?action=info" ESBSTAT_URL="https://btn.sapart.atos-srv.net/ART/esbstat.pl?action=info" W_SEC=30 # Needed for cDOT-CLI answers SELECT="nlnaf" # if not me (accourding to LOGNAME), then change some user related info #if [ "${LOGNAME}" != "nl19471" ]; then # MAILTO="dlnlo-fsod@atos.net" # SDMUSER="nldsm01" # SDMREPLYTO="dlnlo-fsod@atos.net" #fi # Functions SSHCMD() # 1: Filername 2:Command-string # When issue with connection to cluster, try the nodes (-01 & -02) # "There are no entries matching your query." => EC=255 # "no connection" is also EC=255 { TMPERR="/tmp/${PGM}.$$.err" /usr/bin/ssh -n ${1} "${2}" 2> ${TMPERR} EC=${?} # Check if "ssh: connect to host 10.192.109.202 port 22: Connection refused" If so (EC2=0), the 2nd grep 'Connection refused' ${TMPERR} EC2=${?} if [ ${EC} -ne 0 ] && [ ${EC2} -eq 0 ]; then sleep 2 /usr/bin/ssh -n ${1}-01 "${2}" 2> ${TMPERR} EC=${?} grep 'Connection refused' ${TMPERR} EC2=${?} if [ ${EC} -ne 0 ] && [ ${EC2} -eq 0 ]; then sleep 2 /usr/bin/ssh -n ${1}-02 "${2}" 2> ${TMPERR} EC=${?} grep 'Connection refused' ${TMPERR} EC2=${?} if [ ${EC} -ne 0 ] && [ ${EC2} -eq 0 ]; then sleep 2 /usr/bin/ssh -n ${1}-03 "${2}" 2> ${TMPERR} EC=${?} grep 'Connection refused' ${TMPERR} EC2=${?} if [ ${EC} -ne 0 ] && [ ${EC2} -eq 0 ]; then echo " EC=${EC} sleep 2 ..." sleep 2 /usr/bin/ssh -n ${1}-04 "${2}" 2> ${TMPERR} EC=${?} grep 'Connection refused' ${TMPERR} EC2=${?} if [ ${EC} -ne 0 ] && [ ${EC2} -eq 0 ]; then echo " EC=${EC} sleep 2 ..." sleep 2 /usr/bin/ssh -n ${1}-05 "${2}" 2> ${TMPERR} EC=${?} grep 'Connection refused' ${TMPERR} EC2=${?} if [ ${EC} -ne 0 ] && [ ${EC2} -eq 0 ]; then echo " EC=${EC} sleep 2 ..." sleep 2 /usr/bin/ssh -n ${1}-05 "${2}" 2> ${TMPERR} EC=${?} grep 'Connection refused' ${TMPERR} EC2=${?} if [ ${EC} -ne 0 ] && [ ${EC2} -eq 0 ]; then echo " `date` ${PGM} ERROR with communication to ${1}. Connection to -01 - -06 failed too."|tee -a ${LOG} fi # EC=0 & EC2=0 fi # -06 fi # -05 fi # -04 fi # -03 fi # -02 fi # -01 rm ${TMPERR} } SEND_TO_ESB() # $1=CI, $2=TYPE, $3=text { EXT_REF="${ESB_USER}_`date +%Y%m%d%H%M%S`" TICKET="${ESB_QUEUE}/${EXT_REF}.imi" echo "@PROXYUSER:${ESB_USER}" > ${TICKET} echo "@EXTERNALREFERENCE:${EXT_REF}" >> ${TICKET} echo "@REQUESTTYPE:${2}" >> ${TICKET} echo "@SEVERITY:3" >> ${TICKET} echo "@REQUESTAREA:${REQ_AREA}" >> ${TICKET} echo "@GROUP:${GROUP}" >> ${TICKET} echo "@ORGANISATION:${ORG}" >> ${TICKET} echo "@CI:${1}" >> ${TICKET} cat ${3} >> ${TICKET} echo "" >> ${TICKET} echo "" >> ${TICKET} echo "externalreference=${EXT_REF}" >> ${TICKET} echo "" >> ${TICKET} echo "@ENDOFUSDMESSAGE:" >> ${TICKET} echo " Created IMI file ${TICKET}"|tee -a ${LOG} cp ${TICKET} ${TMP}.ticket sleep 1 echo " Sending to ESB"|tee -a ${LOG} ${TMP} ${IMI_UPLOAD} echo " Waiting (${W_SEC}sec.) for ticket info ..." sleep ${W_SEC} # wget -q --no-proxy --no-check-certificate -O ${TMP}.func ${ESBSTAT_URL} wget -q --no-check-certificate -O ${TMP}.func ${ESBSTAT_URL} TICKET_INFO=`grep ${EXT_REF} ${TMP}.func` echo " Ticket info return: ${TICKET_INFO}"|tee -a ${LOG} ${TMP} rm ${TMP}.func if [ ${MAIL} ]; then cat ${TMP}.ticket| mailx -s ":${HOSTNAME}: ESB (ticket-)message ${TICKET_INFO} [${PGM} v${VER}]" ${MAILTO} fi rm ${TMP}.ticket } # ESB #CREATE_SDM_TICKET() ## $1=Filer(CI), $2=SDMTYPE, $3=SDM-text #{ # echo "@REQUESTTYPE: ${2}" > ${SDMMSG} # echo "@REQUESTAREA: NL.Storage.StorageOnDemand" >> ${SDMMSG} # echo "@SEVERITY: 4" >> ${SDMMSG} # echo "@CI: ${1}" >> ${SDMMSG} # echo "@ORGANISATION: AtosOrigin.Netherlands" >> ${SDMMSG} # echo "@GROUP: ${SDMGROUP}" >> ${SDMMSG} # echo "@REPLYTO: ${SDMREPLYTO}" >> ${SDMMSG} # echo "@PROXYUSER: ${SDMUSER}" >> ${SDMMSG} # cat ${3} >> ${SDMMSG} # echo "[@${HOSTNAME}:${PGM} v${VER}]" >> ${SDMMSG} # echo "@ENDOFSDMMESSAGE" >> ${SDMMSG} # # cat ${SDMMSG} | mailx -s "${SDMUSER}: WARNING; Security ${2} at ${1}." ${SDMMAIL} # # echo " Mailed to SDM-IMI (${SDMMAIL})"|tee -a ${LOG} #} # Read CFG-file 1st. The options. So they can override the CFG VAR's # 250805: Disable CFG #if [ -f ${CFG} ]; then # echo " Reading ${CFG} ..."|tee -a ${LOG} # cat ${CFG}|grep -v ^#|while read LINE # do # echo ${LINE} # ANSW=`echo ${LINE}|grep CLUSTERS|cut -d\= -f2` # if [ "${ANSW}" != "" ]; then # CLUSTERS="${ANSW}" # fi # ANSW=`echo ${LINE}|grep CFILTER|cut -d\= -f2` # if [ "${ANSW}" != "" ]; then # CFILTER="${ANSW}" # fi # ANSW=`echo ${LINE}|grep MAILTO|cut -d\= -f2` # if [ "${ANSW}" != "" ]; then # MAILTO="${ANSW}" # fi # ANSW=`echo ${LINE}|grep RPT_MAILTO|cut -d\= -f2` # if [ "${ANSW}" != "" ]; then # RPT_MAILTO="${ANSW}" # fi # ANSW=`echo ${LINE}|grep EXLUDES|cut -d\= -f2` # if [ "${ANSW}" != "" ]; then # EXLUDES="${ANSW}" # fi # done # cat #fi # -f CFG USAGE() { echo "Usage: ${PGM} " echo " Version: ${VER}" echo " options :" echo " -e|--etc : Etc/filers-file (${CLUSTERS})" echo " -c|--cluster : Cluster filter (${CFILTER})" echo " -s|--svm : SVM filter (${SFILTER})" echo " -h|--help : this Help" echo " --esb : create tickets for SNOW via ESB (imi2esb/)" echo " -i|--imi : do send to SDM via IMI" echo " -m|--mail : do send Mail" echo " -v : Verbose (mailing IMI messages to ${MAILTO})" echo " -V : show Version" echo " -x : set -x" echo " --mailto : change MAILTO address & do send mail (${MAILTO})" echo " --rpt_mailto : change MAILTO address & do send mail for RePorT-part (${RPT_MAILTO})" echo " --mpf : MailPerFiler (normaly all filers in 1 mail)" echo " --m-nrs : filter M-numbers (${MFILTER})" } if [ -f ${RCFILE} ]; then echo " RCFILE (${RCFILE}) found. Using it"|tee -a ${LOG} . ${RCFILE} fi ## MAIN # Check options if [ $# -eq 0 ]; then echo "No option(s) given. So not to know what to do. Exiting..."; echo; USAGE; exit 1 fi while [ $# -gt 0 ] do case $1 in --m-nrs) MFILTER=$2; shift ;; -c | --clusters) CFILTER=$2; shift ;; -s | --svm) SFILTER=$2; shift ;; -m | --mail) MAIL=1 ;; -e | --etc) CLUSTERS=$2; shift ;; --mailto) MAILTO="${2}"; MAIL=1; shift ;; --rpt_mailto) RPT_MAILTO="${2}"; MAIL=1; shift ;; --mpf) MAILPERCLUSTER=1;; --esb) ESB=1;; -i | --imi) IMI=1;; -h | --help) USAGE; exit 1 ;; -v) VERBOSE=1;; -V) echo "${PGM}: v${VER}"; exit 3 ;; -x) set -x ;; *) echo "Option ${1} not known. Exiting..."; echo; USAGE; exit 1 ;; esac shift done echo "`date` ${PGM} (v$VER) started."|tee -a ${LOG} echo "ETC=${ETC}" echo "EXCLUDES=${EXCLUDES}" echo "CFILTER=${CFILTER}" echo "MAIL=${MAIL}" echo "MAILTO=${MAILTO}" echo "RPT_MAILTO=${RPT_MAILTO}" echo "MAILPERCLUSTER=${MAILPERCLUSTER}" echo "ESB=${ESB}" #echo "IMI=${IMI}" echo "ESB_QUEUE=${ESB_QUEUE}" echo "SDMMAIL=${SDMMAIL}" echo "SDMREPLYTO=${SDMREPLYTO}" echo "SDMUSER=${SDMUSER}" echo "VOL_EXCL=${VOL_EXCL}" sleep 1 touch ${TMP} ${TMP}.excludes ${SDMMSG} ${WARN} ${TMPCSV} ${CIFSWARN} # --- some sanity checks, make sure directories are there if [ ! -d ${ESB_QUEUE} ]; then mkdir -p ${ESB_QUEUE} fi # Check & move LOG-file if longer then max. LOGSIZE=`du -ka $LOG | cut -f1` if [ $LOGSIZE -ge $MAXLOGSIZE ]; then mv $LOG $LOG.old touch $LOG fi if [ ! -f ${EXCLUDES} ]; then echo " No EXCLUDES (${EXCLUDES}) found. So NO excludes will be made."|tee -a ${LOG} else # Remove # from .excludes-file echo " Excludes (${EXCLUDES}) found. Will be used."|tee -a ${LOG} cat ${EXCLUDES} |grep -v ^# >> ${TMP}.excludes fi # {EXCLUDES} if [ ! -x ${IMI_UPLOAD} ]; then echo " ${IMI_UPLOAD} is not found or executable. Exiting ..."|tee -a ${LOG} fi # Create header for .csv-file echo -n "# Host;" >> ${TMPCSV} echo -n "M01 - Enable secure access ;" >> ${TMPCSV} echo -n "M02 - Disable insecure and unneeded protocols ;" >> ${TMPCSV} echo -n "M03 - Controlled access to FSOD management components ;" >> ${TMPCSV} echo -n "M04 - Password Security ;" >> ${TMPCSV} echo -n "M05 - Password hardening ;" >> ${TMPCSV} echo -n "M06 - Autologout ;" >> ${TMPCSV} echo -n "M07 - Logging ;" >> ${TMPCSV} echo -n "M08 - Network Time Protocol (NTP);" >> ${TMPCSV} echo -n "M09 - Secure Network configuration ;" >> ${TMPCSV} echo -n "M10 - Login banner ;" >> ${TMPCSV} echo -n "M11 - Role-Based Access Control ;" >> ${TMPCSV} echo -n "M12 - No group account ;" >> ${TMPCSV} echo -n "M13 - CIFS ;" >> ${TMPCSV} echo -n "M14 - NFS ;" >> ${TMPCSV} echo -n "M15 - iSCSI ;" >> ${TMPCSV} echo -n "M16 - Access of root volume ;" >> ${TMPCSV} echo "" >> ${TMPCSV} # Start Checking (loop) #for CLUSTER in `cat ${CLUSTERS}|grep -v \^#|awk -F\; '{print $1}'|sort|grep "${CFILTER}"` cat "${CLUSTERS}"|grep -v \^#|awk -F\; '{print $1}'|sort|grep "${CFILTER}"|while read CLUSTER do # Check is hostname & Clustername are the same. Otherwise some check will fail. Because they have an extra `grep ${CLUSTER}` ANSW=`SSHCMD ${CLUSTER} "hostname"|grep ${CLUSTER}` if [ "${ANSW}" = "" ]; then echo " ERROR: Clustername (${CLUSTER}) and hostname are NOT the same. Exiting ..." |tee -a ${LOG} exit 4 fi echo "" | tee -a ${TMP} echo "* ${CLUSTER}" | tee -a ${TMP} echo " Cluster: ${CLUSTER}"|tee -a ${LOG} echo -n "${CLUSTER};" >> ${TMPCSV} ONTAP_MAIN_VER=`SSHCMD ${CLUSTER} "set -showseparator \";\" ; version -fields version"|awk -F\; '{print $2}'|cut -d\: -f1|grep -i netapp|sort -u|sed 's/NetApp Release//g'|sed 's/\"//g'|cut -dP -f1|cut -d\. -f1|sed 's/ //g'` ONTAP_SUB_VER=`SSHCMD ${CLUSTER} "set -showseparator \";\" ; version -fields version"|awk -F\; '{print $2}'|cut -d\: -f1|grep -i netapp|sort -u|sed 's/NetApp Release//g'|sed 's/\"//g'|cut -dP -f1|cut -d\. -f2|sed 's/ //g'` echo " ONTAP_MAIN_VER=${ONTAP_MAIN_VER}|" echo " ONTAP_SUB_VER=${ONTAP_SUB_VER}|" ANSW=`echo "M01"|grep "${MFILTER}"` if [ "${ANSW}" != "" ]; then echo "+ M01 - Enable secure access" | tee -a ${TMP} WARNCNT=0 TTLCNT=0 # Start check # No applications like Telnet / Rsh should be available # Auth methode CNT=`SSHCMD ${CLUSTER} "security login show -fields application -application telnet"|tee -a ${TMP}|grep telnet|grep -v 'There are no entries matching your query'|wc -l` if [ ${CNT} -gt 0 ]; then echo "> NO telnet application allowed" >> ${TMP} echo "${CLUSTER}: NO telnet application allowed (security login show -fields application -application telnet) [M01]" >> ${WARN} let WARNCNT=${WARNCNT}+${CNT} fi let TTLCNT=${TTLCNT}+${CNT} CNT=`SSHCMD ${CLUSTER} "security login show -fields application -application rsh"|tee -a ${TMP}|grep rsh|grep -v 'There are no entries matching your query'|wc -l` if [ ${CNT} -gt 0 ]; then echo "> NO rsh application allowed" >> ${TMP} echo "${CLUSTER}: NO rsh application allowed (security login show -fields application -application rsh) [M01]" >> ${WARN} let WARNCNT=${WARNCNT}+${CNT} fi let TTLCNT=${TTLCNT}+${CNT} CNT=`SSHCMD ${CLUSTER} "security login show -fields authmethod -authmethod password"|grep password|tee -a ${TMP}|grep -v 'There are no entries matching your query'|wc -l` if [ ${CNT} -eq 0 ]; then echo "> NO password used" >> ${TMP} echo "${CLUSTER}: NO password used (security login show -fields authmethod -authmethod password) [M01]" >> ${WARN} let WARNCNT=${WARNCNT}+${CNT} fi let TTLCNT=${TTLCNT}+${CNT} CNT=`SSHCMD ${CLUSTER} "security login show -fields authmethod -authmethod publickey"|grep publickey|tee -a ${TMP}|grep -v 'There are no entries matching your query'|wc -l` if [ ${CNT} -eq 0 ]; then echo "> NO publickey used" >> ${TMP} echo "${CLUSTER}: NO publickey used (security login show -fields authmethod -authmethod publickey) [M01]" >> ${WARN} let WARNCNT=${WARNCNT}+${CNT} fi let TTLCNT=${TTLCNT}+${CNT} if [ ${TTLCNT} -gt 0 ]; then let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}" else let PERC="100" fi echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %"|tee -a ${TMP} echo -n "${PERC};" >> ${TMPCSV} else echo -n "x;" >> ${TMPCSV} fi # ANSW=`echo "M01"|grep "${MFILTER}"` ANSW=`echo "M02"|grep "${MFILTER}"` if [ "${ANSW}" != "" ]; then echo "+ M02 - Disable insecure and unneeded protocols"|tee -a ${TMP} WARNCNT=0 TTLCNT=0 # Start check # Access on to the following "applications"; ssh, console, http, ontapi, service-processor. # SSH(v2) enabled # HTTP enabled # LDAP-SSL disabled CNT=`SSHCMD ${CLUSTER} "security login show -fields application -application ssh"|grep ssh|tee -a ${TMP}|grep -v 'There are no entries matching your query'|wc -l` if [ ${CNT} -eq 0 ]; then echo "> SSH should be used" >> ${TMP} echo "${CLUSTER}: SSH should be used (security login show -fields application -application ssh) [M02]" >> ${WARN} let WARNCNT=${WARNCNT}+${CNT} fi let TTLCNT=${TTLCNT}+${CNT} CNT=`SSHCMD ${CLUSTER} "security login show -fields application -application http"|grep http|tee -a ${TMP}|grep -v 'There are no entries matching your query'|wc -l` if [ ${CNT} -eq 0 ]; then echo "> HTTP should be used" >> ${TMP} echo "${CLUSTER}: HTTP should be used (security login show -fields application -application http) [M02]" >> ${WARN} let WARNCNT=${WARNCNT}+${CNT} fi let TTLCNT=${TTLCNT}+${CNT} if [ ${TTLCNT} -gt 0 ]; then let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}" else let PERC="100" fi echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %"|tee -a ${TMP} echo -n "${PERC};" >> ${TMPCSV} else echo -n "x;" >> ${TMPCSV} fi # ANSW=`echo "M02"|grep "${MFILTER}"` # =========== M03 ==================== ANSW=`echo "M03"|grep "${MFILTER}"` if [ "${ANSW}" != "" ]; then echo "+ M03 - Controlled access to FSOD management components"|tee -a ${TMP} WARNCNT=0 TTLCNT=0 # Check if Telnet & RSH are not used # SNMP is enabled # Mgt IF should be a non public IP-address # telnet if [ ${ONTAP_MAIN_VER} -eq 9 ] && [ ${ONTAP_SUB_VER} -le 8 ]; then # If <= 9.8 CNT=`SSHCMD ${CLUSTER} "system service firewall policy show -service telnet -fields service"|tee -a ${TMP}|grep telnet|wc -l` if [ ${CNT} -gt 0 ]; then echo "> NO telnet service allowed" >> ${TMP} echo "${CLUSTER}: NO telnet service allowed (system service firewall policy show -service telnet -fields service) [M03]" >> ${WARN} let WARNCNT=${WARNCNT}+${CNT} fi # > 0 let TTLCNT=${TTLCNT}+${CNT} else CNT=`SSHCMD ${CLUSTER} "network interface service-policy show -vserver nlnaf10* -policy default-management -field services"|tee -a ${TMP}|grep telnet|wc -l` if [ ${CNT} -gt 0 ]; then echo "> NO telnet service allowed" >> ${TMP} echo "${CLUSTER}: NO telnet service allowed (network interface service-policy show -vserver ${CLUSTER} -policy default-management -field services) [M03]" >> ${WARN} let WARNCNT=${WARNCNT}+${CNT} fi # CNT let TTLCNT=${TTLCNT}+${CNT} fi # ONTAP_MAIN_VER # rsh if [ ${ONTAP_MAIN_VER} -eq 9 ] && [ ${ONTAP_SUB_VER} -le 8 ]; then # If <= 9.8 CNT=`SSHCMD ${CLUSTER} "system service firewall policy show -service rsh -fields service"|tee -a ${TMP}|grep rsh|wc -l` if [ ${CNT} -gt 0 ]; then echo "> NO rsh service allowed" >> ${TMP} echo "${CLUSTER}: NO rsh service allowed (system service firewall policy show -service rsh -fields service) [M03]" >> ${WARN} let WARNCNT=${WARNCNT}+${CNT} fi # CNT let TTLCNT=${TTLCNT}+${CNT} else CNT=`SSHCMD ${CLUSTER} "network interface service-policy show -vserver nlnaf10* -policy default-management -field services"|tee -a ${TMP}|grep rsh|wc -l` if [ ${CNT} -gt 0 ]; then echo "> NO rsh service allowed" >> ${TMP} echo "${CLUSTER}: NO rsh service allowed (network interface service-policy show -vserver ${CLUSTER} -policy default-management -field services) [M03]" >> ${WARN} let WARNCNT=${WARNCNT}+${CNT} fi # CNT let TTLCNT=${TTLCNT}+${CNT} fi # ONTAP_MAIN_VER # SNMP if [ ${ONTAP_MAIN_VER} -eq 9 ] && [ ${ONTAP_SUB_VER} -le 8 ]; then # If <= 9.8 CNT=`SSHCMD ${CLUSTER} "system service firewall policy show -service snmp -fields service"|grep ${CLUSTER}|tee -a ${TMP}|wc -l` if [ ${CNT} -eq 0 ]; then echo "> snmp service is needed" >> ${TMP} echo "${CLUSTER}: snmp service is needed (system service firewall policy show -service snmp -fields service) [M03]" >> ${WARN} let WARNCNT=${WARNCNT}+1 fi else CNT=`SSHCMD ${CLUSTER} "network interface service-policy show -vserver nlnaf10* -policy default-management -field services"|grep ${CLUSTER}|tee -a ${TMP}|wc -l` if [ ${CNT} -eq 0 ]; then echo "> snmp service is needed" >> ${TMP} echo "${CLUSTER}: snmp service is needed (network interface service-policy show -vserver ${CLUSTER} -policy default-management -field services) [M03]" >> ${WARN} let WARNCNT=${WARNCNT}+1 fi fi # ONTAP_MAIN_VER let TTLCNT=${TTLCNT}+${CNT} # IPADDR=`SSHCMD ${CLUSTER} "network interface show -role cluster-mgmt -field address"|grep ${CLUSTER}|tee -a ${TMP}|awk '{print $3}'|head -1|egrep '10|172.16|192.168'` if [ "${IPADDR}" = "" ]; then echo "> Should be a non public IP-address (10.x.y.z|172.16.x.y|192.168.x.y)" >> ${TMP} echo "${CLUSTER}: Should be a non public IP-address (10.x.y.z|172.16.x.y|192.168.x.y) (network interface show -role cluster-mgmt -field address) = ${IPADDR} [M03]" >> ${WARN} let WARNCNT=${WARNCNT}+1 fi let TTLCNT=${TTLCNT}+${CNT} if [ ${TTLCNT} -gt 0 ]; then let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}" else let PERC="100" fi echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %" | tee -a ${TMP} echo -n "${PERC};" >> ${TMPCSV} else echo -n "x;" >> ${TMPCSV} fi # ANSW=`echo "M03"|grep "${MFILTER}"` ANSW=`echo "M04"|grep "${MFILTER}"` if [ "${ANSW}" != "" ]; then echo "+ M04 - Password Security" | tee -a ${TMP} WARNCNT=0 TTLCNT=0 # Start check # security.passwd.lockout.numtries=10 # security.passwd.rules.enable=on # security.passwd.rules.everyone=on # security.passwd.rules.minimum=15 # security.passwd.rules.minimum.alphabetic=2 # security.passwd.rules.minimum.digit=1 # security.passwd.rules.minimum.symbol=1 # security.passwd.firstlogin.enable=on # security.passwd.rules.history=5 #::> security login role config show -role admin -fields max-failed-login-attempts = 10 #::> security login role config show -role admin -fields passwd-minlength = 15 #::> security login role config show -role admin -fields passwd-min-digits = 1 #::> security login role config show -role admin -fields passwd-alphanum = enabled #::> security login role config show -role admin -fields passwd-min-special-chars = 1 #::> security login role config show -role admin -fields require-initial-passwd-update = enable #::> security login role config show -role admin -fields disallowed-reuse = 5 CNT=`SSHCMD ${CLUSTER} "security login role config show -role admin -fields max-failed-login-attempts "|grep ${CLUSTER}|awk '{print $3}'` if [ ${CNT} -gt 10 ]; then echo "> max-failed-login-attempts < 10" >> ${TMP} echo "${CLUSTER}: Should be max-failed-login-attempts < 10 (security login role config show -role admin -fields max-failed-login-attempts) = ${CNT} [M04]"|tee -a ${TMP} >> ${WARN} let WARNCNT=${WARNCNT}+1 fi let TTLCNT=${TTLCNT}+${CNT} CNT=`SSHCMD ${CLUSTER} "security login role config show -role admin -fields passwd-minlength"|grep ${CLUSTER}|awk '{print $3}'` if [ ${CNT} -lt 15 ]; then echo "> passwd-minlength >= 15" >> ${TMP} echo "${CLUSTER}: Should be passwd-minlength >= 15 (security login role config show -role admin -fields passwd-minlength) = ${CNT} [M04]"|tee -a ${TMP} >> ${WARN} let WARNCNT=${WARNCNT}+1 fi let TTLCNT=${TTLCNT}+${CNT} CNT=`SSHCMD ${CLUSTER} "security login role config show -role admin -fields passwd-min-digits"|grep ${CLUSTER}|awk '{print $3}'` if [ ${CNT} -ne 1 ]; then echo "> passwd-min-digits <> 1" >> ${TMP} echo "${CLUSTER}: Should be passwd-min-digits <> 0 (security login role config show -role admin -fields passwd-min-digits) = ${CNT} [M04]"|tee -a ${TMP} >> ${WARN} let WARNCNT=${WARNCNT}+1 fi let TTLCNT=${TTLCNT}+${CNT} CNT=`SSHCMD ${CLUSTER} "security login role config show -role admin -fields passwd-alphanum"|grep ${CLUSTER}|grep enable|wc -l` if [ ${CNT} -ne 1 ]; then echo "> passwd-alphanum <> enabled (=1)" >> ${TMP} echo "${CLUSTER}: Should be passwd-alphanum <> enabled (=1) (security login role config show -role admin -fields passwd-alphanum) = ${CNT} [M04]"|tee -a ${TMP} >> ${WARN} let WARNCNT=${WARNCNT}+1 fi let TTLCNT=${TTLCNT}+${CNT} CNT=`SSHCMD ${CLUSTER} "security login role config show -role admin -fields passwd-min-special-chars"|grep ${CLUSTER}|awk '{print $3}'|wc -l` if [ ${CNT} -ne 1 ]; then echo "> passwd-min-special-chars <> 1 " >> ${TMP} echo "${CLUSTER}: Should be passwd-min-special-chars <> 1 (security login role config show -role admin -fields passwd-min-special-chars) = ${CNT} [M04]"|tee -a ${TMP} >> ${WARN} let WARNCNT=${WARNCNT}+1 fi let TTLCNT=${TTLCNT}+${CNT} CNT=`SSHCMD ${CLUSTER} "security login role config show -role admin -fields require-initial-passwd-update"|grep ${CLUSTER}|grep enable|wc -l` if [ ${CNT} -ne 1 ]; then echo "> require-initial-passwd-update <> enabled (=1)" >> ${TMP} echo "${CLUSTER}: Should be require-initial-passwd-update <> enabled (=1) (security login role config show -role admin -fields require-initial-passwd-update) = ${CNT} [M04]"|tee -a ${TMP} >> ${WARN} let WARNCNT=${WARNCNT}+1 fi let TTLCNT=${TTLCNT}+${CNT} CNT=`SSHCMD ${CLUSTER} "security login role config show -role admin -fields disallowed-reuse"|grep ${CLUSTER}|awk '{print $3}'` if [ ${CNT} -lt 5 ]; then echo "> disallowed-reuse >= 5" >> ${TMP} echo "${CLUSTER}: Should be disallowed-reuse >= 5 (security login role config show -role admin -fields disallowed-reuse) = ${CNT} [M04]"|tee -a ${TMP} >> ${WARN} let WARNCNT=${WARNCNT}+1 fi let TTLCNT=${TTLCNT}+${CNT} if [ ${TTLCNT} -gt 0 ]; then let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}" else let PERC="100" fi echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %"|tee -a ${TMP} echo -n "${PERC};" >> ${TMPCSV} else echo -n "x;" >> ${TMPCSV} fi # ANSW=`echo "M04"|grep "${MFILTER}"` ANSW=`echo "M05"|grep "${MFILTER}"` if [ "${ANSW}" != "" ]; then echo "+ M05 - Password hardening"|tee -a ${TMP} echo " An Incident(Query)-ticket request will be created." | tee -a ${TMP} echo -n "NA;" >> ${TMPCSV} else echo -n "x;" >> ${TMPCSV} fi # ANSW=`echo "M05"|grep "${MFILTER}"` ANSW=`echo "M06"|grep "${MFILTER}"` if [ "${ANSW}" != "" ]; then echo "+ M06 - Autologout"|tee -a ${TMP} WARNCNT=0 TTLCNT=0 # Start check # CLI timeout of 60 minutes MIN=`SSHCMD ${CLUSTER} "system timeout show"|grep minutes|tee -a ${TMP}|cut -d\: -f2|cut -d' ' -f2` if [ ${MIN} -ne 60 ]; then echo "> Timeout should be 60 minutes" >> ${TMP} echo "${CLUSTER}: Timeout should be 60 minutes (system timeout show) = ${MIN} [M06]" >> ${WARN} let WARNCNT=${WARNCNT}+1 fi let TTLCNT=${TTLCNT}+${CNT} if [ ${TTLCNT} -gt 0 ]; then let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}" else let PERC="100" fi echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %" | tee -a ${TMP} echo -n "${PERC};" >> ${TMPCSV} else echo -n "x;" >> ${TMPCSV} fi # ANSW=`echo "M06"|grep "${MFILTER}"` ANSW=`echo "M07"|grep "${MFILTER}"` if [ "${ANSW}" != "" ]; then echo "+ M07 - Logging" | tee -a ${TMP} WARNCNT=0 TTLCNT=0 # Start check # At 9.1x the "set" requests are always recorded in /mroot/etc/log/mlog/audit.log (previous known as command-history.log) # So a check for the audit.log (1st) or command-history (2nd) will be sufficient. # $ ssh nlnaf106 'set diag; system node systemshell -node nlnaf106-01 -command ls -l /mroot/etc/log/mlog/audit.log'| grep audit.log # Get the node list 1st SSHCMD ${CLUSTER} "node show"|grep true|awk '{print $1}' | while read NODE REST do # Added some process"thing" echo -n "." MODA=`date +%b' '%e` ANSW=`SSHCMD ${CLUSTER} "set diag; system node systemshell -node ${NODE} -command ls -l /mroot/etc/log/mlog/audit.log"|grep "audit.log"|tee -a ${TMP}|grep "${MODA}"` echo "" >> ${TMP} if [ "${ANSW}" = "" ]; then # If no audit.log, then check for command-hostory.log ANSW2=`SSHCMD ${CLUSTER} "set diag; system node systemshell -node ${NODE} -command ls -l /mroot/etc/log/mlog/command-history.log"|grep "command-history.log"|tee -a ${TMP}|grep "${MODA}"` echo "" >> ${TMP} if [ "${ANSW2}" = "" ]; then echo "> Not an audit.log or command-history.log from today at ${CLUSTER}/${NODE}" >> ${TMP} echo "${CLUSTER}: Should not be an audit.log or command-history.log from today at ${CLUSTER}/${NODE} (set diag; system node systemshell -node ${NODE} -command ls -l /mroot/etc/log/mlog/command-history.log) [M07]" >> ${WARN} let WARNCNT=${WARNCNT}+1 fi # ANSW2 fi # ANSW let TTLCNT=${TTLCNT}+1 done # NODE if [ ${TTLCNT} -gt 0 ]; then let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}" else let PERC="100" fi echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %" | tee -a ${TMP} echo -n "${PERC};" >> ${TMPCSV} else echo -n "x;" >> ${TMPCSV} fi # ANSW=`echo "M07"|grep "${MFILTER}"` ANSW=`echo "M08"|grep "${MFILTER}"` if [ "${ANSW}" != "" ]; then echo "+ M08 - Network Time Protocol (NTP)" | tee -a ${TMP} WARNCNT=0 TTLCNT=0 # 3.8 Network Time Protocol (NTP) CNT=`SSHCMD ${CLUSTER} "cluster time-service ntp server show -instance"|grep 'NTP Server '|tee -a ${TMP}|wc -l` # Should have at least 2 servers. # Check is date is the same a server if [ ${CNT} -lt 2 ]; then echo "> Should have at least 2 NTP servers. " >> ${TMP} echo "${CLUSTER}: Should have at least 2 NTP servers. (cluster time-service ntp server show -instance) = ${CNT} [M08]" >> ${WARN} let WARNCNT=${WARNCNT}+1 fi let TTLCNT=${TTLCNT}+${CNT} YEAR=`date +%Y` # Thu Jun 01 07:25:28 2017 # date +%a' '%b' '%d' '%H:%M:%S' '%Y SDATE=`date -u +%a' '%b' '%d' '%H:%M:%S' '%Y` CDATE=`SSHCMD ${CLUSTER} "date -u"|grep ${CLUSTER}| awk '{print $2,$3,$4,$5,$6}'` echo " System-date=${SDATE}, Cluster-date=${CDATE}"|tee -a ${TMP} ANSW=`echo ${CDATE}|grep "${SDATE}"` if [ "${ANSW}" = "" ]; then # Not the same time. Check again SDATE=`date -u +%a' '%b' '%d' '%H:%M:%S' '%Y` CDATE=`SSHCMD ${CLUSTER} "date -u"|grep ${CLUSTER}| awk '{print $2,$3,$4,$5,$6}'` echo " 2nd System-date=${SDATE}, Cluster-date=${CDATE}"|tee -a ${TMP} ANSW2=`echo ${CDATE}|grep "${SDATE}"` if [ "${ANSW2}" = "" ]; then echo "> System-date & Cluster-date should be the same. " >> ${TMP} echo "${CLUSTER}: System-date (${SDATE}) & Cluster-date should be the same (${CDATE}) [M08]. " >> ${WARN} let WARNCNT=${WARNCNT}+1 fi # ANSW2 fi # ANSW let TTLCNT=${TTLCNT}+${CNT} if [ ${TTLCNT} -gt 0 ]; then let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}" else let PERC="100" fi echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %" | tee -a ${TMP} echo -n "${PERC};" >> ${TMPCSV} else echo -n "x;" >> ${TMPCSV} fi # ANSW=`echo "M08"|grep "${MFILTER}"` ANSW=`echo "M09"|grep "${MFILTER}"` if [ "${ANSW}" != "" ]; then echo "+ M09 - Secure Network configuration" | tee -a ${TMP} WARNCNT=0 TTLCNT=0 # Start check PREFIX="nlnafs" for SVM in `SSHCMD ${CLUSTER} 'vserver show -field vserver -operational-state running'|grep ${PREFIX}|grep "${SFILTER}"|awk '{print $1}'|sort` do echo " - ${CLUSTER}/${SVM}:"|tee -a ${TMP} CUSTOMPART="`echo ${SVM}|sed -e 's/nlnafs//g'`" # Generate list of volumes which NOT belong to the SVM (vol.name = vfiler-name) SSHCMD ${CLUSTER} "volume show -vserver ${SVM} -state online -field volume"|grep ${SVM}|grep -v "${CUSTOMPART}_"|egrep -v "${VOL_EXCL}"|tee -a ${TMP}|awk '{print $2}'|while read VOLUME REST do echo "${VOLUME}" >> ${TMP} echo "${CLUSTER}/${SVM}: has wrong volume (volume show -vserver ${SVM} -state online -field volume) = ${VOLUME} [M09]" >> ${WARN} let WARNCNT=${WARNCNT}+1 done # QREE let TTLCNT=${TTLCNT}+1 done # SVM if [ ${TTLCNT} -gt 0 ]; then let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}" else let PERC="100" fi echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %" | tee -a ${TMP} echo -n "${PERC};" >> ${TMPCSV} else echo -n "x;" >> ${TMPCSV} fi # ANSW=`echo "M09"|grep "${MFILTER}"` ANSW=`echo "M10"|grep "${MFILTER}"` if [ "${ANSW}" != "" ]; then echo "+ M10 - Login banner" | tee -a ${TMP} echo " The NetApp filer does not have a login banner" | tee -a ${TMP} echo -n "NA;" >> ${TMPCSV} else echo -n "x;" >> ${TMPCSV} fi # ANSW=`echo "M10"|grep "${MFILTER}"` ANSW=`echo "M11"|grep "${MFILTER}"` if [ "${ANSW}" != "" ]; then echo "+ M11 - Role-Based Access Control" | tee -a ${TMP} echo " RBAC is not checked from this script" | tee -a ${TMP} echo -n "NA;" >> ${TMPCSV} else echo -n "x;" >> ${TMPCSV} fi # ANSW=`echo "M11"|grep "${MFILTER}"` ANSW=`echo "M12"|grep "${MFILTER}"` if [ "${ANSW}" != "" ]; then echo "+ M12 - No group account" | tee -a ${TMP} echo " \"No group accounts\" is not checked from this script" | tee -a ${TMP} echo -n "NA;" >> ${TMPCSV} else echo -n "x;" >> ${TMPCSV} fi # ANSW=`echo "M12"|grep "${MFILTER}"` ANSW=`echo "M13"|grep "${MFILTER}"` if [ "${ANSW}" != "" ]; then echo "+ M13 - CIFS" | tee -a ${TMP} WARNCNT=0 TTLCNT=0 # It is preferable to have for all CIFS shares Authenticated Users on 'Full Control'. # On request of the customer it can be "Everyone / Full Control" # Local admin (the user administrator on vfiler) need to be disabled. # This user is created when CIFS is setup. And need to be disabled. Otherwise this user can access CIFS-shares. echo " Check CIFS shares at vserver for 'Everyone / Full Control'" | tee -a ${TMP} echo "${CLUSTER}: These vfilers do have CIFS-share with 'Everyone / Full Control'" > ${CIFSWARN} echo "Which is not advisable accourding to NLW-OC9-0025 FSOD Security Baseline Measures and Validation, M13 - CIFS" >> ${CIFSWARN} SSHCMD ${CLUSTER} 'vserver show -operational-state running -field vserver' |grep ${SELECT}|grep "${SFILTER}"|while read VSERVER REST do echo " - ${CLUSTER}/${VSERVER}:"|tee -a ${TMP}|tee -a ${CIFSWARN} # Check Shares SSHCMD ${CLUSTER} "vserver cifs share show -vserver ${VSERVER} -field share-name" |grep ${SELECT}|awk '{print $2}'| while read SHARE REST do echo " - ${CLUSTER}/${VSERVER}:${SHARE} " let TTLCNT=${TTLCNT}+1 ANSW="`SSHCMD ${CLUSTER} \"vserver cifs share show -vserver ${VSERVER} -share-name ${SHARE} -field acl\" |grep ${SELECT}|grep -i 'everyone / full control'`" # if "everyone" (ANSW=not empty) then report if [ "${ANSW}" != "" ]; then EXCLUDE="`grep "${CLUSTER}/${VSERVER}:${SHARE}" ${TMP}.excludes`" ##echo " EXCLUDE=${EXCLUDE}|" if [ "${EXCLUDE}" != "" ]; then echo " (${CLUSTER}/${VSERVER}:${SHARE}=Excluded & accepted.)"|tee -a ${TMP} else echo "> ${SHARE}=${ANSW}"|tee -a ${TMP}|tee -a ${CIFSWARN} echo "${CLUSTER}/${VSERVER}:${SHARE}=${ANSW} (vserver cifs share show -vserver ${VSERVER} -field share-name) = not allowed. [M13]" >> ${WARN} let WARNCNT=${WARNCNT}+1 fi # EXCLUDE}" != "" fi # ANSW}" != "" done # SHARE done # vserver if [ ${TTLCNT} -gt 0 ]; then let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}" else let PERC="100" fi # TTLCNT} -gt 0 echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %" | tee -a ${TMP} echo -n "${PERC};" >> ${TMPCSV} echo " CIFSWARN for CLUSTER=${CLUSTER}:"|tee -a ${LOG} cat ${CIFSWARN} >> ${LOG} # Create a seperate ticket for this filer when CIFS warnings has been found # if [ ${WARNCNT} -gt 0 ] && [ ${IMI} ]; then # CREATE_SDM_TICKET ${CLUSTER} "Incident" ${CIFSWARN} # fi # [ -s ${WARNCNT} ] if [ ${WARNCNT} -gt 0 ] && [ ${ESB} ]; then SEND_TO_ESB ${CLUSTER}-PLF "Incident" ${CIFSWARN} fi # [ -s ${WARNCNT} ] else echo -n "x;" >> ${TMPCSV} fi # ANSW=`echo "M13"|grep "${MFILTER}"` ANSW=`echo "M14"|grep "${MFILTER}"` if [ "${ANSW}" != "" ]; then echo "+ M14 - NFS" | tee -a ${TMP} WARNCNT=0 TTLCNT=0 # Start check # ssh 'vserver nfs show -field mount-rootonly'|grep disabled # should be enabled # ssh 'vserver nfs show -field udp'| grep enabled # should be disabled # ssh 'vserver nfs show -field tcp'| grep disabled # should be enabled CNTALL=`SSHCMD ${CLUSTER} "vserver nfs show -field mount-rootonly"|egrep 'disabled|enabled'|wc -l` CNT=`SSHCMD ${CLUSTER} "vserver nfs show -field mount-rootonly"|grep disabled|tee -a ${TMP}|wc -l` if [ ${CNT} -gt 0 ]; then echo "> Mount-rootonly should be enabled" >> ${TMP} echo "${CLUSTER}: Mount-rootonly should be enabled (vserver nfs show -field mount-rootonly) = disabled [M14]" >> ${WARN} let WARNCNT=${WARNCNT}+${CNT} fi let TTLCNT=${TTLCNT}+${CNTALL} CNTALL=`SSHCMD ${CLUSTER} "vserver nfs show -field udp"|egrep 'disabled|enabled'|wc -l` #210326,MdB: Added EXCLUDES if [ -f ${TMP}.excludes ]; then echo " Using (tmp)EXCLUDES (${TMP}.excludes) at check UDP at ${CLUSTER} (vserver nfs show -field udp)"|tee -a ${LOG} CNT=`SSHCMD ${CLUSTER} "vserver nfs show -field udp"|grep enabled|grep -v --file=${TMP}.excludes|tee -a ${TMP}|wc -l` else CNT=`SSHCMD ${CLUSTER} "vserver nfs show -field udp"|grep enabled|tee -a ${TMP}|wc -l` fi if [ ${CNT} -gt 0 ]; then echo "> UDP should be disabled" >> ${TMP} echo "${CLUSTER}: UDP should be disabled (vserver nfs show -field udp) = enabled [M14]" >> ${WARN} let WARNCNT=${WARNCNT}+${CNT} fi # CNT} -gt 0 let TTLCNT=${TTLCNT}+${CNTALL} CNTALL=`SSHCMD ${CLUSTER} "vserver nfs show -field tcp"|egrep 'disabled|enabled'|wc -l` CNT=`SSHCMD ${CLUSTER} "vserver nfs show -field tcp"|grep disabled|tee -a ${TMP}|wc -l` if [ ${CNT} -gt 0 ]; then echo "> TCP should be enabled" >> ${TMP} echo "${CLUSTER}: TCP should be enabled (vserver nfs show -field tcp) = disabled [M14]" >> ${WARN} let WARNCNT=${WARNCNT}+${CNT} fi let TTLCNT=${TTLCNT}+${CNTALL} if [ ${TTLCNT} -gt 0 ]; then let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}" else let PERC="100" fi echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %" | tee -a ${TMP} echo -n "${PERC};" >> ${TMPCSV} else echo -n "x;" >> ${TMPCSV} fi # ANSW=`echo "M14"|grep "${MFILTER}"` ANSW=`echo "M15"|grep "${MFILTER}"` if [ "${ANSW}" != "" ]; then echo "+ M15 - iSCSI"|tee -a ${TMP} WARNCNT=0 TTLCNT=0 # Start check # echo " Will check if iSCSI is running and if there iSCSI LUNs are configured. " | tee -a ${TMP} # ANSW="`${SSH} ${FILER} iscsi status| grep 'iSCSI service is running'`" # Check is iSCSI is running, then check LUNS. If iSCSI is Enabled & NO LUNS, this is NOT OK ANSW=`SSHCMD ${CLUSTER} "vserver iscsi show"|tee -a ${TMP}|grep 'This table is currently empty'` if [ "${ANSW}" = "" ]; then # iSCSI is running. # check LUNsA ANSW2=`SSHCMD ${CLUSTER} "lun show"|tee -a ${TMP}|grep 'This table is currently empty'` if [ "${ANSW2}" != "" ]; then echo "No LUNs found (at all SVMs), with iSCSI enabled. iSCSI should be disabled."|tee -a ${TMP} echo "${CLUSTER}: No LUNs found (at all SVMs), with iSCSI enabled. iSCSI should be disabled. [M15]"|tee -a ${WARN} let WARNCNT=${WARNCNT}+1 fi # ANSW2 fi # ANSW let TTLCNT=${TTLCNT}+1 if [ ${TTLCNT} -gt 0 ]; then let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}" else let PERC="100" fi echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %" | tee -a ${TMP} echo -n "${PERC};" >> ${TMPCSV} else echo -n "x;" >> ${TMPCSV} fi # ANSW=`echo "M15"|grep "${MFILTER}"` ANSW=`echo "M16"|grep "${MFILTER}"` if [ "${ANSW}" != "" ]; then echo "+ M16 - Access of root volume" | tee -a ${TMP} WARNCNT=0 TTLCNT=0 # Start check SSHCMD ${CLUSTER} "node show"|grep true|awk '{print $1}' > ${TMP}.2 ANSW=`SSHCMD ${CLUSTER} "vserver export-policy rule show"|tee -a ${TMP}|grep -f ${TMP}.2` if [ "${ANSW}" != "" ]; then echo "> NO exports allowed at nodes" >> ${TMP} echo "${CLUSTER}: NO exports allowed at nodes (vserver export-policy rule show) [M16]" >> ${WARN} let WARNCNT=${WARNCNT}+1 fi let TTLCNT=${TTLCNT}+1 if [ ${TTLCNT} -gt 0 ]; then let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}" else let PERC="100" fi echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %" | tee -a ${TMP} echo -n "${PERC};" >> ${TMPCSV} else echo -n "x;" >> ${TMPCSV} fi # ANSW=`echo "M16"|grep "${MFILTER}"` # When -i | --imi, send to SDM (via IMI) PER Cluster (Cluster=CI) # When --esb, send to SNOW (via ESB) PER Cluster (Cluster=CI) # if [ ${IMI} ] || [ ${ESB} ]; then if [ ${ESB} ]; then if [ -s ${WARN} ]; then echo "" >> ${WARN} # if [ ${IMI} ]; then # CREATE_SDM_TICKET ${CLUSTER} "Incident" ${WARN} # fi if [ ${ESB} ]; then SEND_TO_ESB ${CLUSTER}-PLF "Incident" ${WARN} fi cp /dev/null ${WARN} fi # [ -s ${WARN} ] # Create SDM-query-tickets for "M05 - Password hardening" 4 times (every 3 month) a year # Must be AFTER the above SDM-ticket creating. Because ${WARN} is used to transport ticket Description MON="`date +%m`" if [ ${MON} = 01 ] || [ ${MON} = 04 ] || [ ${MON} = 07 ] || [ ${MON} = 10 ]; then echo "${CLUSTER}: Has the root / administrator password of the filer being changed?" >> ${WARN} echo "According to the Atos Origin Password Policy, AOM-SEC-0001" >> ${WARN} echo "This request is made to fullfill NLW-OC9-0025 FSOD Security Baseline Measures and Validation, M05 - Password hardening" >> ${WARN} # if [ ${IMI} ]; then # CREATE_SDM_TICKET ${CLUSTER} "Query" ${WARN} # fi if [ ${ESB} ]; then # (NO) Query (in SNOW) -> Incident SEND_TO_ESB ${CLUSTER}-PLF "Incident" ${WARN} fi if [ ${MAILPERCLUSTER} ]; then cp ${WARN} ${ASC} date|mailx -a ${ASC} -s "@${HOSTNAME}: ${CLUSTER} Check security baseline settings report (.ASC) at `date +%Y-%m-%d_%H:%M:%S` [${PGM} v${VER}]" ${RPT_MAILTO} echo " MailedPerFiler to ${RPT_MAILTO} "|tee -a ${LOG} fi # [ ${MAILPERCLUSTER} ] cp /dev/null ${WARN} fi # ${MON} fi # [ ${ESB} ] echo " WARN for CLUSTER=${CLUSTER}:"|tee -a ${LOG} cat ${WARN} >> ${LOG} if [ ${MAILPERCLUSTER} ]; then cp ${WARN} ${ASC} date|mailx -a ${ASC} -s "@${HOSTNAME}: ${CLUSTER} Check security baseline settings report (.ASC) at `date +%Y-%m-%d_%H:%M:%S` [${PGM} v${VER}]" ${RPT_MAILTO} echo " MailedPerFiler to ${RPT_MAILTO} "|tee -a ${LOG} cp /dev/null ${WARN} fi # [ ${MAILPERCLUSTER} ] echo " " >> ${TMPCSV} done # for CLUSTER ## Create SDM-query-tickets for "M07 - Logging" #if [ ${IMI} ]; then # echo "${HOSTNAME}: Has the monthly backup of FSOD auditlogfiles run correctly (without errors)?" >> ${WARN} # echo "This request is made to fullfill NLW-OC9-0025 FSOD Security Baseline Measures and Validation, M07 - Logging" >> ${WARN} #echo ${WARN} # CREATE_SDM_TICKET ${HOSTNAME} "Query" ${WARN} # cp /dev/null ${WARN} #fi # [ ${IMI} ] echo "#"|tee -a ${TMP} echo "# Output (${ASC}) from ${HOSTNAME} at `date +%Y-%m-%d_%H:%M:%S` of ${PGM} version ${VER}"|tee -a ${TMP} echo "# (etc)CLUSTERS=${CLUSTERS}, CFILTER=${CFILTER}, sentMAIL=${MAIL}, MAILTO=${MAILTO} RPT_MAILTO=${RPT_MAILTO} MPF=${MAILPERCLUSTER} "|tee -a ${TMP} echo "# Ready at `date`"|tee -a ${TMP} # save the "output"(tmp) file to .out cp ${TMP} /tmp/${PGM}.out # Mail the info if [ ${MAIL} ]; then cp ${TMP} ${ASC} date|mailx -a ${ASC} -s ":${HOSTNAME}: Check cDOT security baseline settings report (.ASC) at `date +%Y-%m-%d_%H:%M:%S` [${PGM} v${VER}]" ${RPT_MAILTO} cp ${TMPCSV} ${CSV} date|mailx -a ${CSV} -s ":${HOSTNAME}: Check cDOT security baseline output sheet (.CSV) at `date +%Y-%m-%d_%H:%M:%S` [${PGM} v${VER}]" ${RPT_MAILTO} echo " Mailed (.ASC & .CSV) to ${RPT_MAILTO}."|tee -a ${LOG} fi # if [ ${MAIL} ] cp ${TMP} /tmp/${PGM}.asc cp ${TMPCSV} /tmp/${PGM}.csv # Cleanup rm ${TMP} ${TMPCSV} ${TMP}.* echo "`date` ${PGM} (v$VER) finished."|tee -a ${LOG} exit 0