
#!/bin/ksh
# File	: chk_siemens-secu-mp_setting.ksh
# By	: Maarten de Boer, 100427
# Subject	: Check the Siemens security Measure Plans settings
#
#(0.1)	: Copied from chk_secu-baseline_settings.ksh
#	: Removed IMI/SDM part
#(0.2)	: Added more M's
#(0.3)	: Added -t test
#(0.4)	: Added more M's
#(0.5)	: Added ping
#(0.6)	: Added M118741  &  M118360 
#(0.7)	: Added M118580 (3.4.1)
#(0.8)	: Added M118270 (3.6.3)
# set -x
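PGM="$(basename "$0" | cut -d. -f1)"
VER="0.8"
# Scratch files: created by mktemp instead of being named after the PID, so
# another local user cannot pre-create or symlink the path before this script
# appends to it. The other work files (${TMP}.csv, ${TMP}.excludes,
# ${TMP}.options.*, ${TMP}.mailfile) inherit the unpredictable suffix of ${TMP}.
TMP="$(mktemp "/tmp/${PGM}.XXXXXX")" || { echo "${PGM}: mktemp failed. Exiting..." >&2; exit 1; }
WARN="$(mktemp "/tmp/${PGM}.warn.XXXXXX")" || { echo "${PGM}: mktemp failed. Exiting..." >&2; exit 1; }
LOGDIR="${HOME}/log"
LOG="${LOGDIR}/${PGM}.log"
HOSTNAME="$(hostname | cut -d. -f1)"
MAIL=""                                   # -m|--mail : send the report by mail
MAILFILE="${TMP}.mailfile"
MAILTO="maarten.deboer@atos.net"          # --mailto
FILERS="${HOME}/etc/filers"               # -e|--etc : filer list, 1st ';'-field = name
SSH="/usr/bin/ssh -n"                     # -n : no stdin, the calls run inside read-loops
DATI="$(date +%Y-%m-%d_%H-%M)"
TXT="/tmp/${PGM}_${DATI}_${HOSTNAME}.txt" # report (.TXT) mailed with -m
CSV="/tmp/${PGM}_${DATI}_${HOSTNAME}.csv" # sheet (.CSV) mailed with -m
FILTER="[?]*"                             # -f : grep pattern on filer names; default matches every name
MAXLOGSIZE=1024   # In K's ; ${LOG} is moved to ${LOG}.old above this size
WARNCNT=0  # Warning count
TTLCNT=0  # Total count
TMPCSV="${TMP}.csv"
EXCLUDES="${HOME}/etc/${PGM}.excludes"    # accepted deviations, matched as "filer:option=value"
MAILPERFILER=""                           # --mpf (in this version only reported, not acted on)
NAGIOSPCHECKDIR="/appl/dfm/nagios/PassiveCheck/PRD"
NAGIOS=""                                 # -n|--nagios : write Nagios passive-check files
MONIDHDR="MAS.NL.1"
CLASS="ZZ-Event.Storage.Storage"
FILERSWLEVELS="${HOME}/etc/filer-recommended-sw.csv"   # "<recommended version>;..." lines, looked up by branch (M118422)
TEST=""                                   # -t|--test : self-test only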

# Functions
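#######################################
# CHECK_FILER_OPTIONS <filer> <MP-id>
# Compare every "option=value" line of ${TMP}.options.<MP-id> with the value
# the filer, and each running vfiler on it, currently reports for that option.
# Globals:   SSH, TMP, WARN, NAGIOS, NAGIOSPCHECKDIR, PGM, MONIDHDR, CLASS (read)
#            TTLCNT (+1 per checked option), WARNCNT (+1 per not-excluded deviation)
# Arguments: $1 - filer name (ssh target)
#            $2 - measure-plan id, selects the options file ${TMP}.options.${2}
# Outputs:   deviations to stdout, ${TMP} and ${WARN}; with -n also a Nagios
#            passive-check file in ${NAGIOSPCHECKDIR}
# Note:      the counters are incremented inside 'cmd | while read' loops.
#            ksh runs the last stage of a pipeline in the current shell, so the
#            increments survive the loop; under bash they would be lost.
#######################################
CHECK_FILER_OPTIONS()
{
  grep -v '^#' "${TMP}.options.${2}" | while read LINE
  do
    OPTION="$(echo ${LINE} | cut -d= -f1)"
    # -f2- : keep the complete required value, also when it contains a '='
    SETTO="$(echo ${LINE} | cut -d= -f2-)"
    VALUE="$(${SSH} ${1} options ${OPTION} | awk '{print $2}')"
    let TTLCNT=${TTLCNT}+1
    if [ "${SETTO}" != "${VALUE}" ]; then
      # -F : match the exclude entry literally. Option names contain '.', which
      # as a regex would also accept an exclude made for another option.
      EXCLUDE="$(grep -F -- "${1}:${OPTION}=${VALUE}" "${TMP}.excludes")"
      if [ "${EXCLUDE}" != "" ]; then
        echo "  (${1}:${OPTION}=${VALUE}. Must be:${SETTO})=Excluded & accepted." | tee -a ${TMP}
      else
        echo "${1}:${OPTION}=${VALUE}. Must be:${SETTO}"|tee -a ${TMP}
        echo "Filer options ${1}:${OPTION}=${VALUE}. Must be:${SETTO}"|tee -a ${WARN}
        if [ "${NAGIOS}" ]; then
          NAGIOSFILE="${NAGIOSPCHECKDIR}/$(date +%Y-%m-%d-%H-%M-%S)"
          echo "0|${PGM}: Filer options ${1}:${OPTION}=${VALUE}. Must be:${SETTO}.|MONID=${MONIDHDR}.${1}-SOS;CLASS=${CLASS};" >> ${NAGIOSFILE}
        fi  # NAGIOS
        let WARNCNT=${WARNCNT}+1
      fi
    fi
  done
# Check options, per vfiler (only the running ones, the header line is skipped)
  ${SSH} ${1} vfiler status | grep running | grep -v vfiler | awk '{print $1}' | while read VFILER
  do
    grep -v '^#' "${TMP}.options.${2}" | while read LINE
    do
      OPTION="$(echo ${LINE} | cut -d= -f1)"
      SETTO="$(echo ${LINE} | cut -d= -f2-)"
      let TTLCNT=${TTLCNT}+1
# Getting this value is different as from normal filer.
# Some options are not available ("No such option"), hence the 2>/dev/null;
# the last line is taken and lines naming the vfiler itself are skipped.
      VALUE="$(${SSH} ${1} vfiler run ${VFILER} options ${OPTION} 2>/dev/null | tail -1 | grep -v ${VFILER} | awk '{print $2}' 2>/dev/null)"
# Sometimes a vfiler answers with "is" as 2nd word: not a usable value, report it
      if [ "${VALUE}" != "is" ]; then
        if [ "${VALUE}" != "" ] && [ "${SETTO}" != "${VALUE}" ]; then
          EXCLUDE="$(grep -F -- "${1}/${VFILER}:${OPTION}=${VALUE}" "${TMP}.excludes")"
          if [ "${EXCLUDE}" != "" ]; then
            echo "  (${1}/${VFILER}:${OPTION}=${VALUE}. Must be:${SETTO})=Excluded & accepted." | tee -a ${TMP}
          else
            echo "${1}/${VFILER}:${OPTION}=${VALUE}. Must be:${SETTO}"|tee -a ${TMP}
            echo "vFiler options ${1}/${VFILER}:${OPTION}=${VALUE}. Must be:${SETTO}"|tee -a ${WARN}
            if [ "${NAGIOS}" ]; then
              NAGIOSFILE="${NAGIOSPCHECKDIR}/$(date +%Y-%m-%d-%H-%M-%S)"
              echo "0|${PGM}: Vfiler options ${1}/${VFILER}:${OPTION}=${VALUE}. Must be:${SETTO}.|MONID=${MONIDHDR}.${VFILER}-VST;CLASS=${CLASS};" >> ${NAGIOSFILE}
            fi  # NAGIOS
            let WARNCNT=${WARNCNT}+1
          fi
        fi
      else
        echo "${1}/${VFILER}:${OPTION}=${VALUE}. Wrong value. Need to be checked (by hand / running script again)."|tee -a ${TMP}|tee -a ${WARN}
      fi  # [ "${VALUE}" != "is" ]
    done  # options file
  done  # SSH vfiler status
}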

#######################################
# Print the command-line help (with the current defaults) to stdout.
# Globals:   PGM, VER, FILERS, FILTER, MAILTO (read)
#######################################
USAGE()
{
  # one argument per output line; printf adds the newline after each
  printf '%s\n' \
    "Usage: ${PGM} <options>" \
    "  Version: ${VER}" \
    "  options       :" \
    "    -e|--etc    : Etc/filers-file (${FILERS})" \
    "    -f          : Filter filername (${FILTER})" \
    "    -h|--help   : this Help" \
    "    -m|--mail   : do send Mail" \
    "    -n|--nagios : create ticket via Nagios (NaCl-PassiveCheck)" \
    "    -t|--test   : Test script (files & mailing)" \
    "    -V          : show Version" \
    "    -x          : set -x" \
    "    --mailto    : change MAILTO address & do send mail (${MAILTO})" \
    "    --mpf       : MailPerFiler (normaly all filers in 1 mail)"
}
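## MAIN
# Check options
if [ $# -eq 0 ]; then
  echo "No option(s) given. So not to know what to do. Exiting..."; echo; USAGE; exit 1
fi
#######################################
# NEEDARG <all remaining args>
# Options that take a value must have one; without this guard the 'shift'
# below fails and an empty value would silently be used.
#######################################
NEEDARG()
{
  if [ $# -lt 2 ]; then
    echo "Option ${1} needs a value. Exiting..."; echo; USAGE; exit 1
  fi
}
while [ $# -gt 0 ]
do
  case "$1" in
    -f) NEEDARG "$@"; FILTER=$2; shift ;;
    -m | --mail) MAIL=1 ;;
    -n | --nagios) NAGIOS=1 ;;
    -e | --etc) NEEDARG "$@"; FILERS=$2; shift ;;
    --mailto) NEEDARG "$@"; MAILTO=$2; MAIL=1; shift ;;
    --mpf) MAILPERFILER=1 ;;
    -h | --help) USAGE; exit 1 ;;
    -t | --test) TEST=1 ;;
    -V) echo "${PGM}: v${VER}"; exit 3 ;;
    -x) set -x ;;
    *) echo "Option ${1} not known. Exiting..."; echo; USAGE; exit 1 ;;
  esac
  shift
done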

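if [ ! -d "${LOGDIR}" ]; then
  mkdir -p "${LOGDIR}"
fi
echo "`date` ${PGM} (v$VER) started."|tee -a $LOG
# Show the effective settings after option parsing
echo "CLASS=${CLASS}"
echo "EXCLUDES=${EXCLUDES}"
echo "FILERS=${FILERS}"         # the -e|--etc file
echo "FILTER=${FILTER}"
echo "MAIL=${MAIL}"
echo "MAILTO=${MAILTO}"
echo "MAILPERFILER=${MAILPERFILER}"
echo "MONIDHDR=${MONIDHDR}"
echo "NAGIOS=${NAGIOS}"
echo "NAGIOSPCHECKDIR=${NAGIOSPCHECKDIR}"
echo "TEST=${TEST}"

touch ${TMP} ${WARN} ${TMPCSV}
# Check & move LOG-file if longer then max. (du -k: size in K's, like MAXLOGSIZE)
LOGSIZE=`du -ka ${LOG} | cut -f1`
if [ ${LOGSIZE} -ge ${MAXLOGSIZE} ]; then
  mv ${LOG} ${LOG}.old
  touch ${LOG}
fi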

# TEST (-t): only verify mailing and the input files, then exit 0 or 4
if [ "${TEST}" ]; then
  ERRCNT=0
  TESTMSG="  For test, this message is send to ${MAILTO} (MAILTO) ..."
  echo "${TESTMSG}" | mailx -s "TEST msg" ${MAILTO}
  echo "${TESTMSG}"
  if [ ! -f "${FILERS}" ]; then
    echo "  NO FILERS-(${FILERS})file found ..."|tee -a ${LOG}
    let ERRCNT=${ERRCNT}+1
  fi  # FILERS
  if [ ! -f "${LOG}" ]; then
    echo "  NO LOG-(${LOG})file found ..."|tee -a ${LOG}
    let ERRCNT=${ERRCNT}+1
  fi  # LOG
  # exit code 4 when something is missing, 0 otherwise
  if [ ${ERRCNT} -gt 0 ]; then
    TESTEC=4
  else
    TESTEC=0
  fi
  echo "  ${ERRCNT} errors. So exit(${TESTEC}) ..."|tee -a ${LOG}
  exit ${TESTEC}
fi  # TEST

# Accepted deviations: copy ${EXCLUDES} without its comment lines into the
# work file the checks grep in (always created, so the grep never fails)
touch ${TMP}.excludes
if [ -f "${EXCLUDES}" ]; then
  echo "`date` ${EXCLUDES} found. Will be used."|tee -a ${LOG}
  grep -v '^#' "${EXCLUDES}" >> ${TMP}.excludes
else
  echo "`date` No ${EXCLUDES} found. So NO excludes will be made."|tee -a ${LOG}
fi  # {EXCLUDES}

# Create header for .csv-file: one ';'-separated column per measure plan, in
# the same order as the checks in the filer loop below.
# M118885 (3.4.2) and M118148 (3.7.2) have no check and therefore no column.
printf '%s;' \
  "# Host" \
  "M118734 (3.1.2)" \
  "M118422 (3.3.1)" \
  "M118793 (3.3.2)" \
  "M118792 (3.3.3)" \
  "M118741 (3.3.4)" \
  "M118272 (3.3.5)" \
  "M118304 (3.3.6)" \
  "M118360 (3.3.7)" \
  "M118371 (3.3.8)" \
  "M118346 (3.3.9)" \
  "M118580 (3.4.1)" \
  "M118273 (3.4.3)" \
  "M118545 (3.5.1)" \
  "M118270 (3.6.3)" \
  "M118178 (3.6.4)" \
  "M118797 (3.7.1)" \
  "M118193 (3.7.3)" \
  "M118113 (3.7.4)" >> ${TMPCSV}
echo "" >> ${TMPCSV}

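#######################################
# REPORT_PERC
# Close one measure-plan section: print the share of checks without a
# warning as a percentage and write it as the next column of the .csv-file.
# Globals:   WARNCNT, TTLCNT (read), PERC (set), TMP, TMPCSV (appended)
# Outputs:   "= W/T warnings = P %" to stdout and ${TMP}; "P%;" to ${TMPCSV}
#######################################
REPORT_PERC()
{
  # no checks done (TTLCNT=0) is reported as 100 %
  if [ ${TTLCNT} -gt 0 ]; then
    let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}"
  else
    let PERC="100"
  fi
  echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %"  | tee -a ${TMP}
  echo -n "${PERC}%;" >> ${TMPCSV}
}

# Start Checking (loop)
# Filer names: 1st ';'-field of ${FILERS}, comment lines skipped, only the
# names matching the -f ${FILTER} pattern
for FILER in $(grep -v '^#' "${FILERS}" | awk -F';' '{print $1}' | sort | grep "${FILTER}")
do
  echo "" | tee -a ${TMP}
  echo "* ${FILER}" | tee -a ${TMP}
  echo "`date` ${PGM}: ${FILER}."|tee -a $LOG

  echo -n "${FILER};" >> ${TMPCSV}


# Check connectivity of the filer. Only the exit code is used, the ping
# output itself is not part of the report.
  ping -c 1 ${FILER} > /dev/null 2>&1
  EC=${?}
  if [ ${EC} -eq 0 ]; then

  echo "+ M118734 (3.1.2) Compliance With Corporate Password Policy" | tee -a ${TMP}
# All options, from filer AND Vfiler, are checked upon their value
  WARNCNT=0
  TTLCNT=0
# Options values. Written with '>' (not '>>'): this loop runs once per filer,
# appending would add the same lines again and re-check every option once
# more for each next filer.
cat << !EOF > ${TMP}.options.M118734
security.passwd.rules.minimum=14
security.passwd.rules.minimum.digit=1
security.passwd.rules.minimum.alphabetic=2
security.passwd.rules.minimum.symbol=1
security.passwd.rules.history=9999
security.passwd.firstlogin.enable=on
security.passwd.lockout.numtries=4
security.passwd.rules.everyone=on
!EOF
  CHECK_FILER_OPTIONS ${FILER} "M118734"
  REPORT_PERC


  echo "+ M118422 (3.3.1) Do Not Use Outdated Software;"|tee -a ${TMP}
# Must be the latest agreed, between NetApp & Atos, (P-)release of the branche
  WARNCNT=0
  TTLCNT=0
# Get only OSversion-string (NetApp Release 8.2.3P2 7-Mode: Wed Mar  4 19:06:11 PST 2015)
  OSVERSION="$(${SSH} ${FILER} version | cut -d: -f1 | sed 's/NetApp Release //g' | sed 's/Data ONTAP Release //g' | awk '{print $1}')"
# Branch = major.minor without P-level (e.g. 8.2), the lookup key in ${FILERSWLEVELS}
  OSBRANCH="$(echo ${OSVERSION} | awk -F. '{print $1"."$2}' | cut -dP -f1)"
  SWLEVEL="$(grep "^${OSBRANCH}" "${FILERSWLEVELS}" | awk -F';' '{print $1}')"
  if [ "${OSVERSION}" != "${SWLEVEL}" ]; then
    echo "${FILER} ONTAP is ${OSVERSION}. Must be ${SWLEVEL}"|tee -a ${TMP}
    let WARNCNT=${WARNCNT}+1
    let TTLCNT=${TTLCNT}+1
  fi
  REPORT_PERC


  echo "M118793 (3.3.2) Activate The Firewall"|tee -a ${TMP}
  echo "  This option is not applicable in 7-mode."|tee -a ${TMP}
  echo "= 100 %"  | tee -a ${TMP}
  echo -n "100%;" >> ${TMPCSV}


  echo "+ M118792 (3.3.3) Block Access To Insecure Network Services"|tee -a ${TMP}
# All options, from filer AND Vfiler, are checked upon their value
  WARNCNT=0
  TTLCNT=0
# Options values ('>' : see M118734)
cat << !EOF > ${TMP}.options.M118792
rsh.enable=off
telnet.enable=off
ftpd.enable=off
ftpd.explicit.enable=off
tftpd.enable=off
httpd.enable=off
!EOF
  CHECK_FILER_OPTIONS ${FILER} "M118792"
# routed is not an option but set in /etc/rc ("routed off")
  ROUTED="$(${SSH} ${FILER} 'rdfile /etc/rc' | grep routed | awk '{print $2}')"
  if [ "${ROUTED}" != "off" ]; then
    echo "${FILER} routed (/etc/rc) is ${ROUTED}. Must be off"|tee -a ${TMP}
    let WARNCNT=${WARNCNT}+1
    let TTLCNT=${TTLCNT}+1
  fi
  REPORT_PERC


  echo "+ M118741 (3.3.4) Setup And Use Siemens Signed Certificates"|tee -a ${TMP}
# Check secureadmin status is ssl is active
# Check for 'rdfile /etc/keymgr/csr/secureadmin.pem' and mark when there
  WARNCNT=0
  TTLCNT=0
# "secureadmin status" prints "ssl - active"; the text after the '-' is compared
  SSL_STATUS="$(${SSH} ${FILER} 'secureadmin status' | grep ssl | awk -F- '{print $2}')"
  if [ "${SSL_STATUS}" != " active" ];  then
    echo "${FILER} (secureadmin) ssl NOT active. Must be active"|tee -a ${TMP}
    let WARNCNT=${WARNCNT}+1
    let TTLCNT=${TTLCNT}+1
  fi
  ${SSH} ${FILER} 'rdfile /etc/keymgr/csr/secureadmin.pem' > /dev/null
  EC=${?}
  if [ ${EC} -ne 0 ]; then
    echo "${FILER} (key-file) /etc/keymgr/csr/secureadmin.pem NOT found"|tee -a ${TMP}
    let WARNCNT=${WARNCNT}+1
    let TTLCNT=${TTLCNT}+1
  fi
  REPORT_PERC


  echo "+ M118272 (3.3.5) Disable SSL And Configure TLS"|tee -a ${TMP}
# All options, from filer AND Vfiler, are checked upon their value
  WARNCNT=0
  TTLCNT=0
# Options values ('>' : see M118734)
cat << !EOF > ${TMP}.options.M118272
ssl.enable=off
ssl.v2.enable=off
ssl.v3.enable=off
tls.enable=on
httpd.admin.ssl.enable=on
!EOF
  CHECK_FILER_OPTIONS ${FILER} "M118272"
  REPORT_PERC


  echo "+ M118304 (3.3.6) Disable Insecure Secure Shell (SSH) Settings"|tee -a ${TMP}
# All options, from filer AND Vfiler, are checked upon their value
  WARNCNT=0
  TTLCNT=0
# Options values ('>' : see M118734)
cat << !EOF > ${TMP}.options.M118304
ssh1.enable=off
ssh2.enable=on
ssh.passwd_auth.enable=off
ssh.pubkey_auth.enable=on
telnet.distinct.enable=on
!EOF
  CHECK_FILER_OPTIONS ${FILER} "M118304"
  REPORT_PERC


  echo "+ M118360 (3.3.7) Disable SNMP Versions 1 & 2 And Secure SNMP Version 3"|tee -a ${TMP}
  WARNCNT=0
  TTLCNT=0
# snmp community should be empty
  SNMP_COMM=$(${SSH} ${FILER} 'snmp community')
  if [ "${SNMP_COMM}" != "" ]; then
    echo "${FILER} snmp community should be empty. Is not (${SNMP_COMM})."|tee -a ${TMP}
    let WARNCNT=${WARNCNT}+1
    let TTLCNT=${TTLCNT}+1
  fi
# Expected SNMPv3 setup on the filer (the password is never part of this script):
# useradmin role add <role_name> (snmp_role) -a login-snmp
# useradmin group add <group_name> (snmp_group) -r <role_name> snmp_role
# useradmin user add <user_name> (snmp_user) -g <group_name> snmp_group
# useradmin user add snmp_user -p <password> -g snmp_group
  SNMP_USER=$(${SSH} ${FILER} 'useradmin user list snmp_user' | grep '^Name:' | head -1 | awk '{print $2}')
  SNMP_GROUP=$(${SSH} ${FILER} 'useradmin group list snmp_group' | grep '^Name:' | head -1 | awk '{print $2}')
  SNMP_ROLE=$(${SSH} ${FILER} 'useradmin role list snmp_role' | grep '^Name:' | head -1 | awk '{print $2}')
  SNMP_CAPA=$(${SSH} ${FILER} 'useradmin role list snmp_role' | grep 'Capabilities:' | head -1 | awk '{print $3}')
# A finding as soon as ANY of the four (user, group, role, role capability)
# deviates from the expected setup.
  if [ "${SNMP_USER}" != "snmp_user" ] || [ "${SNMP_GROUP}" != "snmp_group" ] || \
     [ "${SNMP_ROLE}" != "snmp_role" ] || [ "${SNMP_CAPA}" != "login-snmp" ]; then
    echo "One (ore more) is not OK (user=${SNMP_USER},group=${SNMP_GROUP},role=${SNMP_ROLE},capa=${SNMP_CAPA}) "|tee -a ${TMP}
    let WARNCNT=${WARNCNT}+1
    let TTLCNT=${TTLCNT}+1
  fi
  REPORT_PERC


  echo "+ M118371 (3.3.8) Enable Command Line Session Time-Outs"|tee -a ${TMP}
# All options, from filer AND Vfiler, are checked upon their value
  WARNCNT=0
  TTLCNT=0
# Options values ('>' : see M118734)
cat << !EOF > ${TMP}.options.M118371
autologout.console.enable=on
autologout.console.timeout=300
ssh.idle.timeout=5
!EOF
  CHECK_FILER_OPTIONS ${FILER} "M118371"
  REPORT_PERC



  echo "+ M118346 (3.3.9) Secure File System Access Using Active Directory Or Access Control Lists (ACLs)"|tee -a ${TMP}
# All options, from filer AND Vfiler, are checked upon their value
  WARNCNT=0
  TTLCNT=0
# Options values ('>' : see M118734)
cat << !EOF > ${TMP}.options.M118346
wafl.default_qtree_mode=0775
!EOF
  CHECK_FILER_OPTIONS ${FILER} "M118346"
  REPORT_PERC



  echo "+ M118580 (3.4.1) Change Default Account Passwords"|tee -a ${TMP}
# On a (7-mode) filer you can not see if a password has been changed.
# Therefore we use a "trick": an update file (/etc/log/root_pwd_change.log)
# with "<YYYYMMDD> root password changed" in it.
# The 1st field is checked: present, a plain number, and not older than 3 months.
  WARNCNT=0
  TTLCNT=0
  PWDCHANGEDATE="$(${SSH} ${FILER} 'rdfile /etc/log/root_pwd_change.log' | awk '{print $1}')"
  let TTLCNT=${TTLCNT}+1
  case "${PWDCHANGEDATE}" in
    "")
      echo "${FILER} root password has never been changed. Or registred in /etc/log/root_pwd_change.log"|tee -a ${TMP}
      let WARNCNT=${WARNCNT}+1
      ;;
    *[!0-9]*)
# Not a plain YYYYMMDD number (or more than one line): a malformed entry
# must not pass as OK, so it is counted as a warning and checked by hand.
      echo "${FILER} date in /etc/log/root_pwd_change.log is not a YYYYMMDD number (${PWDCHANGEDATE}). Need to be checked by hand."|tee -a ${TMP}
      let WARNCNT=${WARNCNT}+1
      ;;
    *)
# GNU date: '--date' is not available on every date implementation
      OLDDATE="$(date --date='3 month ago' +%Y%m%d)"
      if [ ${PWDCHANGEDATE} -lt ${OLDDATE} ]; then
        echo "${FILER} password date in /etc/log/root_pwd_change.log is too (3 month) old (${PWDCHANGEDATE}). Please change password and update /etc/log/root_pwd_change.log"|tee -a ${TMP}
        let WARNCNT=${WARNCNT}+1
      else
        echo "  ${FILER} password date in /etc/log/root_pwd_change.log is OK (less then 3 month old) (${PWDCHANGEDATE})."|tee -a ${TMP}
      fi  # -lt
      ;;
  esac  # PWDCHANGEDATE
  REPORT_PERC





  echo "+ M118885 (3.4.2) Delete Or Deactivate Unused Accounts"|tee -a ${TMP}
# No check implemented (and no .csv column) for this measure plan


  echo "+ M118273 (3.4.3) Disable Anonymous Shares"|tee -a ${TMP}
# All options, from filer AND Vfiler, are checked upon their value
  WARNCNT=0
  TTLCNT=0
# Options values ('>' : see M118734)
cat << !EOF > ${TMP}.options.M118273
cifs.restrict_anonymous=2
!EOF
  CHECK_FILER_OPTIONS ${FILER} "M118273"
  REPORT_PERC



  echo "+ M118545 (3.5.1) Enable And Configure Logging"|tee -a ${TMP}
# All options, from filer AND Vfiler, are checked upon their value
  WARNCNT=0
  TTLCNT=0
# Options values ('>' : see M118734)
cat << !EOF > ${TMP}.options.M118545
auditlog.enable=on
auditlog.max_file_size=10000000
!EOF
  CHECK_FILER_OPTIONS ${FILER} "M118545"
  REPORT_PERC


  echo "+ M118270 (3.6.3) Restrict Host Access To Network Services"|tee -a ${TMP}
#  man na_protocolaccess
#              options protocol.access access_spec [ AND | OR  [ ( ] access_spec [ ) ] ... ]
#       protocol is currently one of the following:  rsh,  telnet, ssh, httpd, httpd.admin, snmp, ndmpd, snapmirror, or snapvault.
  WARNCNT=0
  TTLCNT=0
  PROTOCOLS="rsh telnet ssh httpd httpd.admin snmp ndmpd snapmirror snapvault"
  for PROT in ${PROTOCOLS}
  do
    PROTSTATUS="$(${SSH} ${FILER} "options ${PROT}.enable" | awk '{print $2}')"
    if [ "${PROTSTATUS}" = "on" ]; then
# Only an enabled protocol is counted; it must carry a host= restriction
      let TTLCNT=${TTLCNT}+1
      ACCESSSTATUS="$(${SSH} ${FILER} "options ${PROT}.access" | awk '{print $2}')"
      case "${ACCESSSTATUS}" in
        *host=*)
          echo "  ${FILER} ${PROT}=${PROTSTATUS}. options ${ACCESSSTATUS} "|tee -a ${TMP}
          ;;
        *)
          echo "${FILER} options ${PROT}=${PROTSTATUS}. But NO host= in options ${PROT}.access (${ACCESSSTATUS})"|tee -a ${TMP}
          let WARNCNT=${WARNCNT}+1
          ;;
      esac  # host= present
    else
      echo "  ${FILER} ${PROT}=${PROTSTATUS}. So NO access check done."|tee -a ${TMP}
    fi  # PROTSTATUS
  done  # for

  REPORT_PERC



  echo "+ M118178 (3.6.4) Disable IPv6"|tee -a ${TMP}
# All options, from filer AND Vfiler, are checked upon their value
  WARNCNT=0
  TTLCNT=0
# Options values ('>' : see M118734)
cat << !EOF > ${TMP}.options.M118178
ip.v6.enable=off
httpd.ipv6.enable=off
!EOF
  CHECK_FILER_OPTIONS ${FILER} "M118178"
  REPORT_PERC


  echo "+ M118797 (3.7.1) Secure AutoSupport"|tee -a ${TMP}
# All options, from filer AND Vfiler, are checked upon their value
  WARNCNT=0
  TTLCNT=0
# Options values ('>' : see M118734)
cat << !EOF > ${TMP}.options.M118797
autosupport.content=minimal
autosupport.support.transport=https
autosupport.validate_digital_certificate=on
!EOF
  CHECK_FILER_OPTIONS ${FILER} "M118797"
  REPORT_PERC

# To be checked
# autosupport.support.url=<complete URL>
# autosupport.partner.to <email address1>[,..., <email address5 >]


  echo "+ M118148 (3.7.2) Protect Stored Data With Antivirus-Software"|tee -a ${TMP}
# No check implemented (and no .csv column) for this measure plan


  echo "+ M118193 (3.7.3) Secure The Content Of Core Dumps"|tee -a ${TMP}
  echo "  This option is not available in 7-mode."|tee -a ${TMP}
  echo "= 100 %"  | tee -a ${TMP}
  echo -n "100%;" >> ${TMPCSV}


  echo "+ M118113 (3.7.4) Prevent Kerberos Passive Replay Attacks"|tee -a ${TMP}
  WARNCNT=0
  TTLCNT=0
# Options values ('>' : see M118734)
cat << !EOF > ${TMP}.options.M118113
kerberos.replay_cache.enable=on
!EOF
  CHECK_FILER_OPTIONS ${FILER} "M118113"
  REPORT_PERC

  else  # ping
    echo "`date` No connectivity (ping). EC=${EC}"|tee -a ${LOG}
    echo -n "No ping;" >> ${TMPCSV}
  fi  # ping

  echo " " >> ${TMPCSV}
done  # for FILER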

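echo "#"|tee -a ${TMP}
echo "# Output (${TXT}) from ${HOSTNAME} at `date +%Y-%m-%d_%H:%M:%S` of ${PGM} version ${VER}"|tee -a ${TMP}
echo "# (etc)FILERS=${FILERS}, FILTER=${FILTER}, sentMAIL=${MAIL}, MAILTO=${MAILTO} MPF=${MAILPERFILER} "|tee -a ${TMP}
echo "# Ready at `date`"|tee -a ${TMP}

# save the "output"(tmp) file to .out
# NOTE(review): /tmp/${PGM}.out, .txt and .csv are fixed, world-visible names
# and cp follows an existing symlink; a directory under ${HOME} would be safer.
cp ${TMP} /tmp/${PGM}.out

# Mail the info (.TXT report and .CSV sheet as attachments)
if [ "${MAIL}" ]; then
  cp ${TMP} ${TXT}
  date|mailx -a ${TXT} -s ":${HOSTNAME}: Siemens M.P. security settings report (.TXT) at `date +%Y-%m-%d_%H:%M:%S` [${PGM} v${VER}]" ${MAILTO}
  cp ${TMPCSV} ${CSV}
  date|mailx -a ${CSV} -s ":${HOSTNAME}: Siemens M.P. security settings output sheet (.CSV) at `date +%Y-%m-%d_%H:%M:%S` [${PGM} v${VER}]" ${MAILTO}
  echo "`date` ${PGM}: Mailed (.TXT & .CSV) to ${MAILTO}."|tee -a ${LOG}
fi  # if [ ${MAIL} ]

cp ${TMP} /tmp/${PGM}.txt
cp ${TMPCSV} /tmp/${PGM}.csv

# Cleanup. -f: the ${TMP}.options.M* files only exist when at least one filer
# answered ping; without -f rm complains about the unexpanded pattern.
rm -f ${TMP} ${TMP}.options.M* ${TMP}.excludes ${WARN} ${TMPCSV}
echo "`date` ${PGM} (v$VER) finished."|tee -a $LOG
exit 0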

