
#!/bin/ksh
# File	: chk_siemens-secu-mp_setting.ksh
# By	: Maarten de Boer, 100427
# Subject	: Check the Siemens security Measure Plans settings
#
#(0.1)	: Copied from chk_secu-baseline_settings.ksh
#	: Removed IMI/SDM part
#(0.2)	: Added more M's
# set -x
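# Run-time settings. Everything below is a default that the options (see USAGE)
# may override; the rest of the script only reads these names.
PGM="$(basename "$0" | cut -d. -f1)"   # script name without extension: log and scratch prefix
VER="0.2"
# Scratch files: all live under a per-PID prefix in /tmp and are removed at the end.
# NOTE(review): the names are predictable; another local user could pre-create
# them (or plant a symlink) before a run. mktemp(1) would be the safer choice.
TMP="/tmp/${PGM}.$$"
LOGDIR="${HOME}/log"
LOG="${LOGDIR}/${PGM}.log"
HOSTNAME="$(hostname | cut -d. -f1)"
WARN="/tmp/${PGM}.warn.$$"                  # warnings only (a subset of ${TMP})
MAIL=""                                     # set by -m/--mail/--mailto
MAILFILE="${TMP}.mailfile"                  # reserved; not referenced by this version
MAILTO="maarten.deboer@atos.net"            # default recipient, override with --mailto
FILERS="${HOME}/etc/filers"                 # filer list; first ';'-field is the hostname
SSH="/usr/bin/ssh -n"                       # -n: never read stdin (keeps the read-loops intact)
DATI="$(date +%Y-%m-%d_%H-%M)"
TXT="/tmp/${PGM}_${DATI}_${HOSTNAME}.txt"   # report copy that is mailed
FILTER="[?]*"                               # grep regex on filer names; the default matches every line
MAXLOGSIZE=1024                             # in KB; above this ${LOG} is moved to .old
CSV="/tmp/${PGM}_${DATI}_${HOSTNAME}.csv"   # compliance sheet copy that is mailed
WARNCNT=0  # deviations found in the current measure
TTLCNT=0   # checks done in the current measure (the score is WARNCNT relative to this)
TMPCSV="${TMP}.csv"
EXCLUDES="${HOME}/etc/${PGM}.excludes"      # accepted deviations, "filer:option=value" per line
MAILPERFILER=""                             # --mpf; only reported, no per-filer mailing in this version
NAGIOSPCHECKDIR="/appl/dfm/nagios/PassiveCheck/PRD"   # NaCl passive-check spool directory
NAGIOS=""                                   # set by -n/--nagios
MONIDHDR="MAS.NL.1"
CLASS="ZZ-Event.Storage.Storage"
FILERSWLEVELS="${HOME}/etc/filer-recommended-sw.csv"  # first field: agreed ONTAP release per branch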

# Functions
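# CHECK_FILER_OPTIONS <filer> <measure-id>
# Compares every "option=expected" line of ${TMP}.options.<measure-id> with the
# live value on the filer (via ${SSH}) and then on each running vfiler.
# Globals read   : SSH TMP WARN PGM NAGIOS NAGIOSPCHECKDIR MONIDHDR CLASS
# Globals written: TTLCNT (options compared), WARNCNT (deviations not excluded)
# Output: every deviation to stdout and ${TMP}; also to ${WARN} and, with -n, as a
#         NaCl passive-check line. A deviation that is listed verbatim in
#         ${TMP}.excludes ("filer:option=value" or "filer/vfiler:option=value")
#         is reported as accepted and not counted.
CHECK_FILER_OPTIONS()
{
  OPTFILE="${TMP}.options.${2}"
  # Read from a redirection, not "cat | while": the loop then runs in the
  # current shell in every sh, so the counters survive it.
  while read LINE
  do
    case "${LINE}" in ''|'#'*) continue ;; esac
    OPTION="${LINE%%=*}"
    SETTO="${LINE#*=}"
    VALUE="$(${SSH} "${1}" options "${OPTION}" | awk '{print $2}')"
    TTLCNT=$((TTLCNT + 1))
    if [ "${SETTO}" != "${VALUE}" ]; then
      # -F -x: an exclude must match the whole finding literally. A substring
      # or regex match (option names contain '.') could silently accept a
      # finding of another filer or option.
      if grep -F -x -q -- "${1}:${OPTION}=${VALUE}" "${TMP}.excludes"; then
        echo "  (${1}:${OPTION}=${VALUE}. Must be:${SETTO})=Excluded & accepted." | tee -a "${TMP}"
      else
        echo "${1}:${OPTION}=${VALUE}. Must be:${SETTO}" | tee -a "${TMP}"
        echo "Filer options ${1}:${OPTION}=${VALUE}. Must be:${SETTO}" | tee -a "${WARN}"
        if [ -n "${NAGIOS}" ]; then
          # One spool file per second; several findings in the same second share it.
          NAGIOSFILE="${NAGIOSPCHECKDIR}/$(date +%Y-%m-%d-%H-%M-%S)"
          echo "0|${PGM}: Filer options ${1}:${OPTION}=${VALUE}. Must be:${SETTO}.|MONID=${MONIDHDR}.${1}-SOS;CLASS=${CLASS};" >> "${NAGIOSFILE}"
        fi  # NAGIOS
        WARNCNT=$((WARNCNT + 1))
      fi
    fi
  done < "${OPTFILE}"

  # Same checks per running vfiler. The vfiler list goes through a file for the
  # same counter reason as above; it is removed again before returning.
  VFLIST="${TMP}.vfilers.${2}"
  ${SSH} "${1}" vfiler status | grep running | grep -v vfiler | awk '{print $1}' > "${VFLIST}"
  while read VFILER
  do
    while read LINE
    do
      case "${LINE}" in ''|'#'*) continue ;; esac
      OPTION="${LINE%%=*}"
      SETTO="${LINE#*=}"
      TTLCNT=$((TTLCNT + 1))
      # "vfiler run" prints more than the option line (hence tail/grep -v), and
      # options a vfiler does not have ("No such option") yield an empty VALUE.
      VALUE="$(${SSH} "${1}" vfiler run "${VFILER}" options "${OPTION}" 2>/dev/null | tail -1 | grep -v -- "${VFILER}" | awk '{print $2}' 2>/dev/null)"
      if [ "${VALUE}" = "is" ]; then
        # Seen occasionally: the captured line was not the option line at all.
        # Do not judge on it, only flag it for a manual check / rerun.
        echo "${1}/${VFILER}:${OPTION}=${VALUE}. Wrong value. Need to be checked (by hand / running script again)." | tee -a "${TMP}" | tee -a "${WARN}"
      elif [ -n "${VALUE}" ] && [ "${SETTO}" != "${VALUE}" ]; then
        if grep -F -x -q -- "${1}/${VFILER}:${OPTION}=${VALUE}" "${TMP}.excludes"; then
          echo "  (${1}/${VFILER}:${OPTION}=${VALUE}. Must be:${SETTO})=Excluded & accepted." | tee -a "${TMP}"
        else
          echo "${1}/${VFILER}:${OPTION}=${VALUE}. Must be:${SETTO}" | tee -a "${TMP}"
          echo "vFiler options ${1}/${VFILER}:${OPTION}=${VALUE}. Must be:${SETTO}" | tee -a "${WARN}"
          if [ -n "${NAGIOS}" ]; then
            NAGIOSFILE="${NAGIOSPCHECKDIR}/$(date +%Y-%m-%d-%H-%M-%S)"
            echo "0|${PGM}: Vfiler options ${1}/${VFILER}:${OPTION}=${VALUE}. Must be:${SETTO}.|MONID=${MONIDHDR}.${VFILER}-VST;CLASS=${CLASS};" >> "${NAGIOSFILE}"
          fi  # NAGIOS
          WARNCNT=$((WARNCNT + 1))
        fi
      fi
    done < "${OPTFILE}"
  done < "${VFLIST}"
  rm -f "${VFLIST}"
}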

# USAGE
# Print the option summary, with the current defaults filled in, to stdout.
USAGE()
{
  cat <<EOT
Usage: ${PGM} <options>
  Version: ${VER}
  options       :
    -e|--etc    : Etc/filers-file (${FILERS})
    -f          : Filter filername (${FILTER})
    -h|--help   : this Help
    -m|--mail   : do send Mail
    -n|--nagios : create ticket via Nagios (NaCl-PassiveCheck)
    -V          : show Version
    -x          : set -x
    --mailto    : change MAILTO address & do send mail (${MAILTO})
    --mpf       : MailPerFiler (normaly all filers in 1 mail)
EOT
}
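## MAIN
# Command-line handling. At least one option is required; there is no default
# action. Options are consumed left to right, so a later value wins.
if [ $# -eq 0 ]; then
  echo "No option(s) given. So not to know what to do. Exiting..."; echo; USAGE; exit 1
fi
# NEEDARG <option> <remaining-arg-count>
# Exit with the usage text when an option that takes a value has none left;
# before, the value was silently set to the empty string.
NEEDARG()
{
  if [ "${2}" -lt 2 ]; then
    echo "Option ${1} needs an argument. Exiting..."; echo; USAGE; exit 1
  fi
}
while [ $# -gt 0 ]
do
  case "$1" in
    -f) NEEDARG "$1" $#; FILTER="$2"; shift ;;               # grep regex on filer names
    -m | --mail) MAIL=1 ;;
    -n | --nagios) NAGIOS=1 ;;                                # write NaCl passive checks
    -e | --etc) NEEDARG "$1" $#; FILERS="$2"; shift ;;
    --mailto) NEEDARG "$1" $#; MAILTO="$2"; MAIL=1; shift ;;  # implies -m
    --mpf) MAILPERFILER=1 ;;
    -h | --help) USAGE; exit 1 ;;
    -V) echo "${PGM}: v${VER}"; exit 3 ;;                     # exit 3 kept as is; callers may test for it
    -x) set -x ;;   # trace; note it also echoes every filer value on stdout
    *) echo "Option ${1} not known. Exiting..."; echo; USAGE; exit 1 ;;
  esac
  shift
done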

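# Run setup: log directory, echo of the effective settings, scratch files,
# log rotation, exclude list and the CSV header.
if [ ! -d "${LOGDIR}" ]; then
  mkdir -p "${LOGDIR}"
fi
echo "$(date) ${PGM} (v$VER) started." | tee -a "$LOG"
echo "CLASS=${CLASS}"
echo "FILERS=${FILERS}"          # was printed as ETC, a name that is never set
echo "EXCLUDES=${EXCLUDES}"
echo "FILTER=${FILTER}"
echo "MAIL=${MAIL}"
echo "MAILTO=${MAILTO}"
echo "MAILPERFILER=${MAILPERFILER}"
echo "MONIDHDR=${MONIDHDR}"
echo "NAGIOS=${NAGIOS}"
echo "NAGIOSPCHECKDIR=${NAGIOSPCHECKDIR}"

# The scratch files have predictable names in /tmp (see TMP). Refuse to go on
# if one is already there: either a leftover of an earlier run (its content
# would be appended to) or something another local user planted (a symlink
# would redirect everything written below).
for F in "${TMP}" "${WARN}" "${TMPCSV}" "${TMP}.excludes"
do
  if [ -L "${F}" ] || [ -e "${F}" ]; then
    echo "$(date) ${PGM}: ${F} already exists. Not using it. Exiting..." | tee -a "${LOG}"
    exit 1
  fi
done
touch "${TMP}" "${WARN}" "${TMPCSV}" "${TMP}.excludes"

# Rotate the log when it exceeds MAXLOGSIZE KB (one generation: .old).
LOGSIZE=$(du -k "${LOG}" | cut -f1)
if [ "${LOGSIZE:-0}" -ge "${MAXLOGSIZE}" ]; then
  mv "${LOG}" "${LOG}.old"
  touch "${LOG}"
fi

if [ ! -f "${EXCLUDES}" ]; then
  echo "$(date) No ${EXCLUDES} found. So NO excludes will be made." | tee -a "${LOG}"
else
  # Comment lines are dropped; the rest is matched against the findings.
  echo "$(date) ${EXCLUDES} found. Will be used." | tee -a "${LOG}"
  grep -v '^#' "${EXCLUDES}" >> "${TMP}.excludes"
fi  # {EXCLUDES}

# CSV header: one column per measure that produces a score. The measures in
# the commented lines are only listed in the text report and get no column;
# the per-filer rows below must add cells in exactly this order.
{
  printf '%s' "# Host;"
  printf '%s' "M118734 (3.1.2);"
  printf '%s' "M118422 (3.3.1);"
  printf '%s' "M118793 (3.3.2);"
  printf '%s' "M118792 (3.3.3);"
  #printf '%s' "M118741 (3.3.4);"
  printf '%s' "M118272 (3.3.5);"
  #printf '%s' "M118304 (3.3.6);"
  #printf '%s' "M118360 (3.3.7);"
  #printf '%s' "M118371 (3.3.8);"
  #printf '%s' "M118346 (3.3.9);"
  #printf '%s' "M118580 (3.4.1);"
  #printf '%s' "M118885 (3.4.2);"
  #printf '%s' "M118273 (3.4.3);"
  #printf '%s' "M118545 (3.5.1);"
  #printf '%s' "M118270 (3.6.3);"
  #printf '%s' "M118178 (3.6.4);"
  #printf '%s' "M118797 (3.7.1);"
  #printf '%s' "M118148 (3.7.2);"
  printf '%s' "M118193 (3.7.3);"
  printf '%s' "M118113 (3.7.4);"
  printf '\n'
} >> "${TMPCSV}"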

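# REPORT_SCORE
# Close one measure for the current filer: PERC = share of compliant checks
# derived from TTLCNT/WARNCNT (100 when nothing could be checked), one
# summary line in the report and one cell in the CSV row.
# Globals read: TTLCNT WARNCNT TMP TMPCSV   Globals written: PERC
REPORT_SCORE()
{
  if [ "${TTLCNT}" -gt 0 ]; then
    PERC=$(( (TTLCNT - WARNCNT) * 100 / TTLCNT ))
  else
    PERC=100
  fi
  echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %" | tee -a "${TMP}"
  printf '%s' "${PERC}%;" >> "${TMPCSV}"
}

# Start Checking (loop): one report section and one CSV row per filer.
# Filers are the first ';'-field of ${FILERS}, narrowed by the -f regex.
# The option lists below are written with '>' on purpose: the list is rebuilt
# per filer. Appending (as before) made every filer after the first be compared
# against a growing file of duplicated lines, so each finding (and each Nagios
# ticket) was repeated once per earlier filer.
for FILER in $(grep -v '^#' "${FILERS}" | awk -F';' '{print $1}' | sort | grep "${FILTER}")
do
  echo "" | tee -a "${TMP}"
  echo "* ${FILER}" | tee -a "${TMP}"
  echo "$(date) ${PGM}: ${FILER}." | tee -a "$LOG"

  printf '%s' "${FILER};" >> "${TMPCSV}"

  echo "+ M118734 (3.1.2) Compliance With Corporate Password Policy" | tee -a "${TMP}"
  # All options, from filer AND Vfiler, are checked upon their value
  WARNCNT=0
  TTLCNT=0
  cat << !EOF > "${TMP}.options.M118734"
security.passwd.rules.minimum=14
security.passwd.rules.minimum.digit=1
security.passwd.rules.minimum.alphabetic=2
security.passwd.rules.minimum.symbol=1
security.passwd.rules.history=9999
security.passwd.firstlogin.enable=on
security.passwd.lockout.numtries=4
security.passwd.rules.everyone=on
!EOF
  CHECK_FILER_OPTIONS "${FILER}" "M118734"
  REPORT_SCORE


  echo "+ M118422 (3.3.1) Do Not Use Outdated Software;" | tee -a "${TMP}"
  # Must be the latest agreed, between NetApp & Atos, (P-)release of the branch.
  WARNCNT=0
  TTLCNT=0
  # Only the version string is kept (e.g. "8.2.3P2" out of
  # "NetApp Release 8.2.3P2 7-Mode: Wed Mar  4 19:06:11 PST 2015").
  OSVERSION="$(${SSH} "${FILER}" version | cut -d: -f1 | sed -e 's/NetApp Release //g' -e 's/Data ONTAP Release //g' | awk '{print $1}')"
  # Branch = major.minor without a P-level, e.g. "8.2".
  OSBRANCH="$(echo "${OSVERSION}" | awk -F. '{print $1"."$2}' | cut -dP -f1)"
  # First field of the line in ${FILERSWLEVELS} that starts with the branch.
  # NOTE(review): a plain prefix match; two lines for one branch would give a
  # multi-line SWLEVEL that never compares equal.
  SWLEVEL="$(grep "^${OSBRANCH}" "${FILERSWLEVELS}" | awk -F';' '{print $1}')"
  if [ -z "${SWLEVEL}" ]; then
    # Before, this case printed "Must be " with nothing after it.
    echo "${FILER} ONTAP is ${OSVERSION}. No agreed release for branch ${OSBRANCH} in ${FILERSWLEVELS}" | tee -a "${TMP}"
    WARNCNT=$((WARNCNT + 1))
    TTLCNT=$((TTLCNT + 1))
  elif [ "${OSVERSION}" != "${SWLEVEL}" ]; then
    echo "${FILER} ONTAP is ${OSVERSION}. Must be ${SWLEVEL}" | tee -a "${TMP}"
    WARNCNT=$((WARNCNT + 1))
    TTLCNT=$((TTLCNT + 1))
  fi
  REPORT_SCORE


  echo "M118793 (3.3.2) Activate The Firewall" | tee -a "${TMP}"
  echo "  This option is not applicable in 7-mode." | tee -a "${TMP}"
  echo "= 100 %" | tee -a "${TMP}"
  printf '%s' "100%;" >> "${TMPCSV}"


  echo "M118792 (3.3.3) Block Access To Insecure Network Services" | tee -a "${TMP}"
  # All options, from filer AND Vfiler, are checked upon their value
  WARNCNT=0
  TTLCNT=0
  cat << !EOF > "${TMP}.options.M118792"
rsh.enable=off
telnet.enable=off
ftpd.enable=off
ftpd.explicit.enable=off
tftpd.enable=off
httpd.enable=off
!EOF
  CHECK_FILER_OPTIONS "${FILER}" "M118792"
  # routed is not an option but a line in /etc/rc ("routed on|off"); an absent
  # line gives an empty ROUTED and is reported as not off.
  ROUTED="$(${SSH} "${FILER}" 'rdfile /etc/rc' | grep routed | awk '{print $2}')"
  if [ "${ROUTED}" != "off" ]; then
    echo "${FILER} routed (/etc/rc) is ${ROUTED}. Must be off" | tee -a "${TMP}"
    WARNCNT=$((WARNCNT + 1))
    TTLCNT=$((TTLCNT + 1))
  fi
  REPORT_SCORE


  # Heading only: listed in the report, not checked by this version (no CSV column).
  echo "M118741 (3.3.4) Setup And Use Siemens Signed Certificates" | tee -a "${TMP}"


  echo "M118272 (3.3.5) Disable SSL And Configure TLS" | tee -a "${TMP}"
  # All options, from filer AND Vfiler, are checked upon their value
  WARNCNT=0
  TTLCNT=0
  cat << !EOF > "${TMP}.options.M118272"
ssl.enable=off
ssl.v2.enable=off
ssl.v3.enable=off
tls.enable=on
httpd.admin.ssl.enable=on
!EOF
  CHECK_FILER_OPTIONS "${FILER}" "M118272"
  REPORT_SCORE


  # Headings only: listed in the report, not checked by this version (no CSV column).
  echo "M118304 (3.3.6) Disable Insecure Secure Shell (SSH) Settings" | tee -a "${TMP}"
  echo "M118360 (3.3.7) Disable SNMP Versions 1 & 2 And Secure SNMP Version 3" | tee -a "${TMP}"
  echo "M118371 (3.3.8) Enable Command Line Session Time-Outs" | tee -a "${TMP}"
  echo "M118346 (3.3.9) Secure File System Access Using Active Directory Or Access Control Lists (ACLs)" | tee -a "${TMP}"
  echo "M118580 (3.4.1) Change Default Account Passwords" | tee -a "${TMP}"
  echo "M118885 (3.4.2) Delete Or Deactivate Unused Accounts" | tee -a "${TMP}"
  echo "M118273 (3.4.3) Disable Anonymous Shares" | tee -a "${TMP}"
  echo "M118545 (3.5.1) Enable And Configure Logging" | tee -a "${TMP}"
  echo "M118270 (3.6.3) Restrict Host Access To Network Services" | tee -a "${TMP}"
  echo "M118178 (3.6.4) Disable IPv6" | tee -a "${TMP}"
  echo "M118797 (3.7.1) Secure AutoSupport" | tee -a "${TMP}"
  echo "M118148 (3.7.2) Protect Stored Data With Antivirus-Software" | tee -a "${TMP}"


  echo "M118193 (3.7.3) Secure The Content Of Core Dumps" | tee -a "${TMP}"
  echo "  This option is not available in 7-mode." | tee -a "${TMP}"
  echo "= 100 %" | tee -a "${TMP}"
  printf '%s' "100%;" >> "${TMPCSV}"


  echo "M118113 (3.7.4) Prevent Kerberos Passive Replay Attacks" | tee -a "${TMP}"
  WARNCNT=0
  TTLCNT=0
  cat << !EOF > "${TMP}.options.M118113"
kerberos.replay_cache.enable=on
!EOF
  CHECK_FILER_OPTIONS "${FILER}" "M118113"
  REPORT_SCORE

  # End of this filer's CSV row.
  echo " " >> "${TMPCSV}"
done  # for FILER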

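# Trailer of the report, fixed-name copies, optional mail, cleanup.
echo "#" | tee -a "${TMP}"
echo "# Output (${TXT}) from ${HOSTNAME} at $(date +%Y-%m-%d_%H:%M:%S) of ${PGM} version ${VER}" | tee -a "${TMP}"
echo "# (etc)FILERS=${FILERS}, FILTER=${FILTER}, sentMAIL=${MAIL}, MAILTO=${MAILTO} MPF=${MAILPERFILER} " | tee -a "${TMP}"
echo "# Ready at $(date)" | tee -a "${TMP}"

# SAVE_COPY <src> <dst>
# cp, but never through a symlink: the destinations below are fixed names in
# /tmp that anyone on the host can pre-create, and the report lists which
# filers still run insecure services. Returns non-zero when it refused.
# NOTE(review): the copies are created with the default umask, so they are
# normally readable by every local user; a private directory would be better.
SAVE_COPY()
{
  if [ -L "${2}" ]; then
    echo "$(date) ${PGM}: ${2} is a symlink, not overwriting it." | tee -a "${LOG}"
    return 1
  fi
  cp "${1}" "${2}"
}

# save the "output"(tmp) file to .out
SAVE_COPY "${TMP}" "/tmp/${PGM}.out"

# Mail the info. MAILTO stays unquoted: "--mailto 'a b'" is a list of recipients.
if [ -n "${MAIL}" ]; then
  if SAVE_COPY "${TMP}" "${TXT}"; then
    date | mailx -a "${TXT}" -s ":${HOSTNAME}: Siemens M.P. security settings report (.TXT) at $(date +%Y-%m-%d_%H:%M:%S) [${PGM} v${VER}]" ${MAILTO}
  fi
  if SAVE_COPY "${TMPCSV}" "${CSV}"; then
    date | mailx -a "${CSV}" -s ":${HOSTNAME}: Siemens M.P. security settings output sheet (.CSV) at $(date +%Y-%m-%d_%H:%M:%S) [${PGM} v${VER}]" ${MAILTO}
  fi
  echo "$(date) ${PGM}: Mailed (.TXT & .CSV) to ${MAILTO}." | tee -a "${LOG}"
fi  # if [ ${MAIL} ]

SAVE_COPY "${TMP}" "/tmp/${PGM}.txt"
SAVE_COPY "${TMPCSV}" "/tmp/${PGM}.csv"

# Cleanup (-f: a missing scratch file is not an error here)
rm -f "${TMP}" "${TMP}".options.M* "${TMP}.excludes" "${WARN}" "${TMPCSV}"
echo "$(date) ${PGM} (v$VER) finished." | tee -a "$LOG"
exit 0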

