
#!/bin/ksh
# File	: chk_siemens-secu-mp_setting.ksh
# By	: Maarten de Boer, 100427
# Subject	: Check the Siemens security Measure Plans settings
#
#(0.1)	: Copied from chk_secu-baseline_settings.ksh
#	: Removed IMI/SDM part
#(0.2)	: Added more M's
#(0.3)	: Added -t test
#(0.4)	: Added more M's
#(0.5)	: Added ping
#(0.6)	: Added M118741  &  M118360 
#(0.7)	: Added M118580 (3.4.1)
#(0.8)	: Added M118270 (3.6.3)
#(0.9)	: Added M118148 (3.7.2)
#(0.10)	: Added M118885 (3.4.2)
#(0.11)	: Added (Siemens-)CSV-output
#(0.12)	: Changing the FILER-main-loopt into Measure-main-loop
#(0.13)	: Added M118422
#(0.14)	: Added M118792
#(0.15)	: Added M118741, M118272, M118304, M118360, M118371, M118346, M118580
#(0.16)	: Mod: CSV_AppAttributes & CSV_Findings. Added M118885, M118273, M118270, M118178, M118797
#(0.17)	: Mod: NAGIOS removed. Changed ScanStatus: true <-> false. Added M118148
#(0.18)	: Mod; output
# ScanStatus=FALSE; Not other output
# ScanStatus=TRUE; FindingID & Finding
#(0.19)	: Add; -v Verbose, Mod; snmp-community
# set -x
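# --- Configuration -----------------------------------------------------------
# PGM is the script name without its extension; it is the stem of every file
# name built below. "$0" is quoted so a script path containing whitespace is
# still reduced to a single name.
PGM="$(basename "$0" | cut -d. -f1)"
VER="0.19"

# Work files.
# NOTE(review): TMP, WARN, TXT and CSV are predictable names in the shared
# /tmp directory (PID or timestamp only), and the script later writes to them
# with 'tee -a' and '>>', which follow an existing symlink. Consider keeping
# them in a private directory (umask 077, mktemp -d where available).
TMP="/tmp/${PGM}.$$"
LOGDIR="${HOME}/log"
LOG="${LOGDIR}/${PGM}.log"
HOSTNAME="$(hostname | cut -d. -f1)"   # short host name, domain part dropped
WARN="/tmp/${PGM}.warn.$$"
MAIL=""                                # set to 1 by -m|--mail or --mailto
MAILFILE="${TMP}.mailfile"
MAILTO="maarten.deboer@atos.net"
FILERS="${HOME}/etc/filers"            # list of filers, overridable with -e|--etc
# Kept as one string and expanded unquoted so that "-n" becomes its own word;
# -n keeps ssh from reading the stdin of the surrounding 'while read' loops.
SSH="/usr/bin/ssh -n"
DATI="$(date +%Y-%m-%d_%H-%M)"
TXT="/tmp/${PGM}_${DATI}_${HOSTNAME}.txt"
FILTER="[?]*"                          # grep pattern; the default matches every filer name
MAXLOGSIZE=1024   # In K's
CSV="/tmp/${PGM}_${DATI}_${HOSTNAME}.csv"
WARNCNT=0  # Warning count
TTLCNT=0  # Total count
TMPCSV="${TMP}.csv"
EXCLUDES="${HOME}/etc/${PGM}.excludes" # accepted deviations, see CHECK_FILER_OPTIONS
MAILPERFILER=""
VERBOSE=""


MONIDHDR="MAS.NL.1"
CLASS="ZZ-Event.Storage.Storage"
FILERSWLEVELS="${HOME}/etc/filer-recommended-sw.csv"
TEST=""


# Siemens MeasurePlan Version
MPVER="V1.1"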

# (new) CSV
# CSV_SourceID;ScanTime;ScanTarget;ScannedObject;ScanSuccess;ScanStatus;FindingID;Finding;AppAttributes;Customer;ScanEngineName;ScanEngineVersion;ProofName
# CSV_SourceID="000000"
# CSV_ScanTime=`date +%Y-%m-%d'T'%H:%M:%S`
# CSV_ScanTarget=${FILER}
# CSV_ScannedObject="NETAPP_${MPVER}_Mxxxx-description-without-spaces"
# CSV_ScanSuccess=true|false (connection with FILER / not)
# CSV_ScanStatus=true/false/not set (false = OK, no finding; true = nOK, Finding)
# CSV_FindingID=String (Finding-ID)
# CSV_Finding=The value found, followed by the value it must be ("<found>. Must be:<required>")
# CSV_AppAttributes=<blank>
# CSV_Customer=Siemens
# CSV_ScanEngineName="NETAPP_Siemens" | "NETAPP_Global"
# CSV_ScanEngineVersion=${VER}
# CSV_ProofName=String (FindingID)
# 


# Functions
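# Append one result row, built from the current CSV_* globals, to ${TMPCSV}.
# Every field, including the last one, is terminated by ';'.
# NOTE(review): values read from the filer are written unescaped; a value that
# contains ';' would shift the columns of that row.
_WRITE_CSV_ROW()
{
  echo "${CSV_SourceID};${CSV_ScanTime};${CSV_ScanTarget};${CSV_ScannedObject};${CSV_ScanSuccess};${CSV_ScanStatus};${CSV_FindingID};${CSV_Finding};${CSV_AppAttributes};${CSV_Customer};${CSV_ScanEngineName};${CSV_ScanEngineVersion};${CSV_ProofName};" >> "${TMPCSV}"
}

# CHECK_FILER_OPTIONS <filer> <measure-id>
#
# Compare the 'options' values of a filer, and of each of its running vfilers,
# with the required values listed in ${TMP}.options.<measure-id> (one
# "option=value" per line, '#' lines are comments).
#
# Globals read   : SSH, TMP, TMPCSV, WARN, FILER, VERBOSE and the CSV_* fields
#                  set by the caller (SourceID, ScannedObject, Customer, ...)
# Globals written: TTLCNT, WARNCNT, OPTION, SETTO, VALUE, EXCLUDE and the
#                  per-row CSV_* fields
# Output         : findings on stdout and in ${TMP}; warnings also in ${WARN};
#                  one CSV row per checked option in ${TMPCSV}
#
# A deviation listed in ${TMP}.excludes as "<filer>:<option>=<value>" (or
# "<filer>/<vfiler>:<option>=<value>") is reported as accepted, not as a finding.
#
# The counters are updated inside 'cmd | while read' loops. The script runs
# under ksh, where the last stage of a pipeline runs in the current shell, so
# the caller sees the updated TTLCNT/WARNCNT.
CHECK_FILER_OPTIONS()
{
  # --- options of the filer itself ---
  grep -v '^#' "${TMP}.options.${2}" | while read -r LINE
  do
    [ -n "${LINE}" ] || continue          # ignore blank lines in the list
    OPTION="${LINE%%=*}"                  # text before the first '='
    SETTO="${LINE#*=}"                    # required value: text after the first '='
    CSV_ScanTime=$(date +%Y-%m-%d'T'%H:%M:%S)
    CSV_ScanTarget="${FILER}"
    CSV_FindingID="${OPTION}"
    CSV_ProofName="${CSV_FindingID}"
    # 'options <name>' output is taken to be "<name> <value>"; keep the value.
    VALUE="$(${SSH} "${1}" options "${OPTION}" | awk '{print $2}')"
    # No value at all means the option could not be read from the filer.
    if [ -z "${VALUE}" ]; then
      CSV_ScanSuccess="false"
    else
      CSV_ScanSuccess="true"
    fi
    CSV_Finding="${VALUE}"
    let TTLCNT=${TTLCNT}+1
    if [ "${SETTO}" != "${VALUE}" ]; then
      # Fixed-string match: the '.' in option names must not act as a regex
      # wildcard, or an exclusion for one option could hide another one.
      # NOTE(review): this is still a substring match, so when VALUE is empty
      # (read failed) any exclusion for this option matches - confirm that an
      # unread value should be reported as accepted.
      EXCLUDE="$(grep -F -e "${1}:${OPTION}=${VALUE}" "${TMP}.excludes")"
      if [ -n "${EXCLUDE}" ]; then
        # Value is not OK, but excluded
        echo "  (${1}:${OPTION}=${VALUE}. Must be:${SETTO})=Excluded & accepted." | tee -a "${TMP}"
        CSV_ScanStatus="false"
        CSV_FindingID=""
        CSV_Finding=""
      else
        # Value is not OK: report a finding
        echo "${1}:${OPTION}=${VALUE}. Must be:${SETTO}" | tee -a "${TMP}"
        echo "Filer options ${1}:${OPTION}=${VALUE}. Must be:${SETTO}" | tee -a "${WARN}"
        let WARNCNT=${WARNCNT}+1
        CSV_ScanStatus="true"
        CSV_Finding="${VALUE}. Must be:${SETTO}"
        CSV_ProofName="${CSV_FindingID}"
      fi  # EXCLUDE
    else
      # Check = OK
      CSV_ScanStatus="false"
      CSV_FindingID=""
      CSV_Finding=""
      CSV_AppAttributes=""
      if [ -n "${VERBOSE}" ]; then
        CSV_ProofName="${OPTION}=${VALUE}"
      else
        CSV_ProofName=""
      fi
    fi  # !=
    _WRITE_CSV_ROW
  done

  # --- options per vfiler ---
  # 'grep -v vfiler' drops vfiler0 (and any other line containing "vfiler").
  ${SSH} "${1}" vfiler status | grep running | grep -v vfiler | awk '{print $1}' | while read -r VFILER
  do
    grep -v '^#' "${TMP}.options.${2}" | while read -r LINE
    do
      [ -n "${LINE}" ] || continue
      OPTION="${LINE%%=*}"
      SETTO="${LINE#*=}"
      let TTLCNT=${TTLCNT}+1
      CSV_ScanTime=$(date +%Y-%m-%d'T'%H:%M:%S)
      CSV_ScanTarget="${FILER}-${VFILER}"
      CSV_FindingID="${OPTION}"
      CSV_ProofName="${CSV_FindingID}"
      # Getting this value is different from a normal filer: only the last
      # output line is used, and lines naming the vfiler are dropped.
      # Some options are not available ("No such option"); VALUE is then empty.
      VALUE="$(${SSH} "${1}" vfiler run "${VFILER}" options "${OPTION}" 2>/dev/null | tail -1 | grep -v -e "${VFILER}" | awk '{print $2}' 2>/dev/null)"
      if [ -z "${VALUE}" ]; then
        CSV_ScanSuccess="false"
      else
        CSV_ScanSuccess="true"
      fi
      CSV_Finding="${VALUE}"
      if [ "${VALUE}" = "is" ]; then
        # Sometimes "is" comes back from a vfiler: that is a word of a message,
        # not an option value, so the result is unusable. The row is marked as
        # not scanned so it carries no status left over from the previous option.
        echo "${1}/${VFILER}:${OPTION}=${VALUE}. Wrong value. Need to be checked (by hand / running script again)." | tee -a "${TMP}" | tee -a "${WARN}"
        CSV_ScanSuccess="false"
        CSV_ScanStatus=""
      elif [ -n "${VALUE}" ] && [ "${SETTO}" != "${VALUE}" ]; then
        EXCLUDE="$(grep -F -e "${1}/${VFILER}:${OPTION}=${VALUE}" "${TMP}.excludes")"
        if [ -n "${EXCLUDE}" ]; then
          # Value is not OK, but excluded
          echo "  (${1}/${VFILER}:${OPTION}=${VALUE}. Must be:${SETTO})=Excluded & accepted." | tee -a "${TMP}"
          CSV_ScanStatus="false"
          CSV_Finding="Excluded (${VALUE})"
          CSV_AppAttributes=""
        else
          echo "${1}/${VFILER}:${OPTION}=${VALUE}. Must be:${SETTO}" | tee -a "${TMP}"
          echo "vFiler options ${1}/${VFILER}:${OPTION}=${VALUE}. Must be:${SETTO}" | tee -a "${WARN}"
          let WARNCNT=${WARNCNT}+1
          CSV_ScanStatus="true"
          CSV_Finding="${VALUE}. Must be:${SETTO}"
          CSV_AppAttributes=""
        fi  # EXCLUDE
      else
        # Check = OK (this also covers an option the vfiler does not have)
        CSV_ScanStatus="false"
        CSV_FindingID=""
        CSV_Finding=""
        CSV_AppAttributes=""
        if [ -n "${VERBOSE}" ]; then
          CSV_ProofName="${OPTION}=${VALUE}"
        else
          CSV_ProofName=""
        fi
      fi
      # One row per option, as for the filer itself. Writing the row after
      # the inner loop kept only the last option of each vfiler, so findings
      # on all other options never reached the CSV.
      _WRITE_CSV_ROW
    done  # options list
  done  # SSH vfiler status
}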

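# USAGE
# Print the command-line help on stdout, showing the current values of
# FILERS, FILTER and MAILTO as the defaults.
# Only options that the parser in MAIN accepts are listed: -n|--nagios was
# removed from the script in 0.17 and is rejected as "not known", so it is
# not advertised here.
USAGE()
{
  echo "Usage: ${PGM} <options>"
  echo "  Version: ${VER}"
  echo "  options        :"
  echo "    -e|--etc     : Etc/filers-file (${FILERS})"
  echo "    -f           : Filter filername (${FILTER})"
  echo "    -h|--help    : this Help"
  echo "    -m|--mail    : do send Mail"
  echo "    -t|--test    : Test script (files & mailing)"
  echo "    -v|--verbose : Verbose (extra info in ProofName) "
  echo "    -V           : show Version"
  echo "    -x           : set -x"
  echo "    --mailto     : change MAILTO address & do send mail (${MAILTO})"
  echo "    --mpf        : MailPerFiler (normaly all filers in 1 mail)"
}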
## MAIN
# Check options
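# At least one option is required; without any the script only explains itself.
if [ $# -eq 0 ]; then
  echo "No option(s) given. So not to know what to do. Exiting..."; echo; USAGE; exit 1
fi
while [ $# -gt 0 ]
do
  # Options that take a value: make sure the value is really there. Without
  # this check a trailing "-f", "-e" or "--mailto" stored an empty value and
  # the loop then shifted past the end of the argument list.
  case $1 in
    -f | -e | --etc | --mailto)
      if [ $# -lt 2 ]; then
        echo "Option ${1} needs a value. Exiting..."; echo; USAGE; exit 1
      fi
      ;;
  esac
  case $1 in
    -f) FILTER=$2; shift ;;                 # grep pattern selecting filer names
    -m | --mail) MAIL=1 ;;
    -e | --etc) FILERS=$2; shift ;;         # alternative filers file
    --mailto) MAILTO=$2; MAIL=1; shift ;;   # other recipient, implies sending mail
    --mpf) MAILPERFILER=1;;
    -h | --help) USAGE; exit 1 ;;
    -v | --verbose) VERBOSE=1 ;;
    -t | --test) TEST=1 ;;
    -V) echo "${PGM}: v${VER}"; exit 3 ;;
    -x)  set -x ;;
    *)  echo "Option ${1} not known. Exiting..."; echo; USAGE; exit 1 ;;
  esac
  shift
done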

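# The log directory must exist before the first write to ${LOG}.
if [ ! -d "${LOGDIR}" ]; then
  mkdir -p "${LOGDIR}"
fi
echo "$(date) ${PGM} (v$VER) started." | tee -a "${LOG}"

# Show the effective settings, then pause so they can be read.
echo "CLASS=${CLASS}"
# The filers file lives in FILERS (set by -e|--etc). The script has no
# variable named ETC, so printing ${ETC} always showed an empty value.
echo "ETC=${FILERS}"
echo "EXCLUDES=${EXCLUDES}"
echo "FILTER=${FILTER}"
echo "MAIL=${MAIL}"
echo "MAILTO=${MAILTO}"
echo "MAILPERFILER=${MAILPERFILER}"
echo "MONIDHDR=${MONIDHDR}"
echo "TEST=${TEST}"
echo "VERBOSE=${VERBOSE}"
sleep 2

# Create the work files and empty the fixed-name result files.
# NOTE(review): /tmp/${PGM}.csv and /tmp/${PGM}.txt are fixed names in a shared
# directory; 'cp /dev/null' truncates whatever such a name points at, symlinks
# included. A private result directory would avoid that.
touch "${TMP}" "${WARN}" "${TMPCSV}"
cp /dev/null "/tmp/${PGM}.csv"
cp /dev/null "/tmp/${PGM}.txt"

# Check & move LOG-file if longer than max (sizes in K; one generation kept).
LOGSIZE=$(du -ka "${LOG}" | cut -f1)
if [ ${LOGSIZE} -ge ${MAXLOGSIZE} ]; then
  mv "${LOG}" "${LOG}.old"
  touch "${LOG}"
fi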

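# TEST (-t|--test): self-check of mailing and of the files the script needs.
# Sends one test mail to MAILTO, counts missing files and exits without
# contacting any filer: exit 4 when something is missing, exit 0 otherwise.
if [ -n "${TEST}" ]; then
  ERRCNT=0
  # MAILTO is left unquoted on purpose, so the word splitting of the original
  # command line is kept for the recipient argument.
  echo "  For test, this message is send to ${MAILTO} (MAILTO) ..." | mailx -s "TEST msg" ${MAILTO}
  echo "  For test, this message is send to ${MAILTO} (MAILTO) ..."
  # The paths are quoted: with an unquoted, empty value '[ ! -f ]' is false,
  # so a missing file went unreported exactly when the setting was empty.
  if [ ! -f "${FILERS}" ]; then
    echo "  NO FILERS-(${FILERS})file found ..." | tee -a "${LOG}"
    let ERRCNT=${ERRCNT}+1
  fi  # FILERS
  if [ ! -f "${LOG}" ]; then
    echo "  NO LOG-(${LOG})file found ..." | tee -a "${LOG}"
    let ERRCNT=${ERRCNT}+1
  fi  # LOG
  if [ ${ERRCNT} -gt 0 ]; then
    echo "  ${ERRCNT} errors. So exit(4) ..." | tee -a "${LOG}"
    exit 4
  else
    echo "  ${ERRCNT} errors. So exit(0) ..." | tee -a "${LOG}"
    exit 0
  fi
fi  # TEST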

# Build the working exclude list used by CHECK_FILER_OPTIONS. The work file is
# always created, so the lookups there never hit a missing file; it stays empty
# when no exclude file is present.
# The exclude file decides which deviations are reported as accepted, so it
# deserves the same change control as the measure plan itself.
touch "${TMP}.excludes"
if [ -f "${EXCLUDES}" ]; then
  echo "$(date) ${EXCLUDES} found. Will be used." | tee -a "${LOG}"
  # Copy everything except '#' comment lines
  grep -v '^#' "${EXCLUDES}" >> "${TMP}.excludes"
else
  echo "$(date) No ${EXCLUDES} found. So NO excludes will be made." | tee -a "${LOG}"
fi  # {EXCLUDES}

# Start the CSV work file with its column header.
printf '%s\n' "SourceID;ScanTime;ScanTarget;ScannedObject;ScanSuccess;ScanStatus;FindingID;Finding;AppAttributes;Customer;ScanEngineName;ScanEngineVersion;ProofName" >> "${TMPCSV}"

# Initial values of the row fields. Customer, engine name and engine version
# are the real values for every row; the others are descriptive placeholders
# that each measure overwrites before it writes a row.
CSV_Customer="Siemens"
CSV_ScanEngineName="NETAPP_Siemens"
CSV_ScanEngineVersion="v${VER}"
CSV_SourceID="<SourceID>"
CSV_ScanTime=$(date '+%Y-%m-%dT%H:%M:%S')
CSV_ScanTarget="<FILER>[-<VFILER>]"
CSV_ScannedObject="NETAPP_${MPVER}_Mxxxxx"
CSV_ScanSuccess="true|false"
CSV_ScanStatus="true|false|not set"
CSV_FindingID="<Finding-id>"
CSV_Finding="<Finding>"
CSV_AppAttributes=""
CSV_ProofName="Finding-ID"


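# Measure M118734 (3.1.2): the password-policy options of every selected filer
# (and of its running vfilers) must have the required values.
echo "+ M118734 (3.1.2) Compliance With Corporate Password Policy" | tee -a "${TMP}"
# FILERS has one filer per line (first ';'-separated field), '#' lines are
# comments; FILTER is a grep pattern that selects a subset.
# NOTE(review): the names go unvalidated onto the ping and ssh command lines;
# a name starting with '-' would be taken as an option. Keep the filers file
# writable only by the account that runs this check.
for FILER in $(grep -v '^#' "${FILERS}" | awk -F';' '{print $1}' | sort | grep -e "${FILTER}")
do
  echo "" | tee -a "${TMP}"
  echo "* ${FILER}" | tee -a "${TMP}"
  echo "$(date) ${PGM}: ${FILER}." | tee -a "${LOG}"

  CSV_ScanTarget="${FILER}"
  CSV_ScanTime=$(date +%Y-%m-%d'T'%H:%M:%S)
  CSV_ScannedObject="NETAPP_${MPVER}_M118734_Compliance-With-Corporate-Password-Policy"
  CSV_FindingID="Compliance-With-Corporate-Password-Policy"
  # Check connectivity of the filer. A filer that does not answer one ping is
  # recorded as not scanned (ScanSuccess=false), not as compliant.
  ping -c 1 "${FILER}"
  EC=${?}
  if [ ${EC} -eq 0 ]; then
    CSV_ScanSuccess="true"

    # All options, from filer AND vfiler, are checked upon their value
    WARNCNT=0
    TTLCNT=0
    # Required values. The list is written with '>' so that it holds exactly
    # one copy: appending added another copy for every filer in the loop, so
    # later filers were checked, counted and reported several times.
cat << !EOF > "${TMP}.options.M118734"
security.passwd.rules.minimum=14
security.passwd.rules.minimum.digit=1
security.passwd.rules.minimum.alphabetic=2
security.passwd.rules.minimum.symbol=1
security.passwd.rules.history=9999
security.passwd.firstlogin.enable=on
security.passwd.lockout.numtries=4
security.passwd.rules.everyone=on
!EOF
    CHECK_FILER_OPTIONS "${FILER}" "M118734"
    # Share of checks without a warning, in whole percent
    if [ ${TTLCNT} -gt 0 ]; then
      let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}"
    else
      PERC=100
    fi
    echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %" | tee -a "${TMP}"
  else
    # Not reachable: one row with ScanSuccess=false and no status
    echo "$(date) No connectivity (ping). EC=${EC}" | tee -a "${LOG}"
    CSV_ScanSuccess="false"
    CSV_ScanStatus=""
    CSV_FindingID=""
    CSV_Finding=""
    echo "${CSV_SourceID};${CSV_ScanTime};${CSV_ScanTarget};${CSV_ScannedObject};${CSV_ScanSuccess};${CSV_ScanStatus};${CSV_FindingID};${CSV_Finding};${CSV_AppAttributes};${CSV_Customer};${CSV_ScanEngineName};${CSV_ScanEngineVersion};${CSV_ProofName};" >> "${TMPCSV}"
  fi  # PING
done  # FILER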


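# Measure M118422 (3.3.1): the Data ONTAP release of every selected filer must
# be the release agreed for its branch in ${FILERSWLEVELS}.
echo "+ M118422 (3.3.1) Do Not Use Outdated Software;" | tee -a "${TMP}"
for FILER in $(grep -v '^#' "${FILERS}" | awk -F';' '{print $1}' | sort | grep -e "${FILTER}")
do
  echo "" | tee -a "${TMP}"
  echo "* ${FILER}" | tee -a "${TMP}"
  echo "$(date) ${PGM}: ${FILER}." | tee -a "${LOG}"

  CSV_ScanTarget="${FILER}"
  CSV_ScanTime=$(date +%Y-%m-%d'T'%H:%M:%S)
  CSV_ScannedObject="NETAPP_${MPVER}_M118422_Do-Not-Use-Outdated-Software"
  CSV_FindingID="Do-Not-Use-Outdated-Software"
  # Check connectivity of the filer
  ping -c 1 "${FILER}"
  EC=${?}
  if [ ${EC} -eq 0 ]; then
    CSV_ScanSuccess="true"

    # Must be the latest agreed, between NetApp & Atos, (P-)release of the branch
    WARNCNT=0
    TTLCNT=0
    # Get only the OS version string, e.g. "8.2.3P2" out of
    # "NetApp Release 8.2.3P2 7-Mode: Wed Mar  4 19:06:11 PST 2015"
    OSVERSION="$(${SSH} "${FILER}" version | cut -d: -f1 | sed -e 's/NetApp Release //g' -e 's/Data ONTAP Release //g' | awk '{print $1}')"
    # Branch = first two version numbers, e.g. "8.2"
    OSBRANCH="$(echo ${OSVERSION} | awk -F. '{print $1"."$2}' | cut -dP -f1)"
    # Agreed release: first field of the line(s) starting with the branch.
    # NOTE(review): an empty OSBRANCH (version not read) matches every line,
    # and the result is then reported as a version mismatch.
    SWLEVEL="$(grep "^${OSBRANCH}" "${FILERSWLEVELS}" | awk -F';' '{print $1}')"
    if [ "${SWLEVEL}" = "" ]; then
      SWLEVEL="not found"
    fi
    CSV_Finding="${OSVERSION}"
    if [ "${OSVERSION}" != "${SWLEVEL}" ]; then
      echo "${FILER} ONTAP is ${OSVERSION}. Must be ${SWLEVEL}" | tee -a "${TMP}"
      CSV_ScanStatus="true"
      CSV_FindingID="Data-ONTAP"
      CSV_Finding="${OSVERSION}. Must be ${SWLEVEL}"
      CSV_AppAttributes=""
      CSV_ProofName="${CSV_FindingID}"
      let WARNCNT=${WARNCNT}+1
      let TTLCNT=${TTLCNT}+1
    else
      CSV_ScanStatus="false"
      CSV_FindingID=""
      CSV_Finding=""
      if [ -n "${VERBOSE}" ]; then
        # Proof of what was checked here. OPTION and VALUE are leftovers of
        # the last options check and say nothing about this measure.
        CSV_ProofName="Data-ONTAP=${OSVERSION}"
      else
        CSV_ProofName=""
      fi
    fi
    if [ ${TTLCNT} -gt 0 ]; then
      let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}"
    else
      PERC=100
    fi
    echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %" | tee -a "${TMP}"
    echo "${CSV_SourceID};${CSV_ScanTime};${CSV_ScanTarget};${CSV_ScannedObject};${CSV_ScanSuccess};${CSV_ScanStatus};${CSV_FindingID};${CSV_Finding};${CSV_AppAttributes};${CSV_Customer};${CSV_ScanEngineName};${CSV_ScanEngineVersion};${CSV_ProofName};" >> "${TMPCSV}"
  else
    # Not reachable: one row with ScanSuccess=false and no status
    echo "$(date) No connectivity (ping). EC=${EC}" | tee -a "${LOG}"
    CSV_ScanSuccess="false"
    CSV_ScanStatus=""
    CSV_FindingID=""
    CSV_Finding=""
    echo "${CSV_SourceID};${CSV_ScanTime};${CSV_ScanTarget};${CSV_ScannedObject};${CSV_ScanSuccess};${CSV_ScanStatus};${CSV_FindingID};${CSV_Finding};${CSV_AppAttributes};${CSV_Customer};${CSV_ScanEngineName};${CSV_ScanEngineVersion};${CSV_ProofName};" >> "${TMPCSV}"
  fi  # PING
done  # FILER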


##
##
##  echo "M118793 (3.3.2) Activate The Firewall"|tee -a ${TMP}
##  echo "  This option is not applicable in 7-mode."|tee -a ${TMP}
##  echo "= 100 %"  | tee -a ${TMP}
###  echo -n "100%;" >> ${TMPCSV}
##
##


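# Measure M118792 (3.3.3): the clear-text services rsh, telnet, ftp, tftp and
# http must be switched off, and 'routed' must be off in /etc/rc.
echo "+ M118792 (3.3.3) Block Access To Insecure Network Services" | tee -a "${TMP}"
for FILER in $(grep -v '^#' "${FILERS}" | awk -F';' '{print $1}' | sort | grep -e "${FILTER}")
do
  echo "" | tee -a "${TMP}"
  echo "* ${FILER}" | tee -a "${TMP}"
  echo "$(date) ${PGM}: ${FILER}." | tee -a "${LOG}"
  CSV_ScanTarget="${FILER}"
  CSV_ScanTime=$(date +%Y-%m-%d'T'%H:%M:%S)
  CSV_ScannedObject="NETAPP_${MPVER}_M118792_Block-Access-To-Insecure-Network-Services"
  CSV_FindingID="Block-Access-To-Insecure-Network-Services"
  # Check connectivity of the filer
  ping -c 1 "${FILER}"
  EC=${?}
  if [ ${EC} -eq 0 ]; then
    CSV_ScanSuccess="true"
    # All options, from filer AND vfiler, are checked upon their value
    WARNCNT=0
    TTLCNT=0
    # Required values. Written with '>' so the list holds one copy only;
    # appending duplicated every check for each further filer in the loop.
cat << !EOF > "${TMP}.options.M118792"
rsh.enable=off
telnet.enable=off
ftpd.enable=off
ftpd.explicit.enable=off
tftpd.enable=off
httpd.enable=off
!EOF
    CHECK_FILER_OPTIONS "${FILER}" "M118792"
    # Second word of the 'routed' line(s) in the filer's /etc/rc
    ROUTED="$(${SSH} "${FILER}" 'rdfile /etc/rc' | grep routed | awk '{print $2}')"
    if [ "${ROUTED}" != "off" ]; then
      # Reported in the text output only; no CSV row is written for it here.
      echo "${FILER} routed (/etc/rc) is ${ROUTED}. Must be off" | tee -a "${TMP}"
      let WARNCNT=${WARNCNT}+1
      let TTLCNT=${TTLCNT}+1
    fi
    if [ ${TTLCNT} -gt 0 ]; then
      let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}"
    else
      PERC=100
    fi
    echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %" | tee -a "${TMP}"
  else
    # Not reachable: one row with ScanSuccess=false and no status
    echo "$(date) No connectivity (ping). EC=${EC}" | tee -a "${LOG}"
    CSV_ScanSuccess="false"
    CSV_ScanStatus=""
    CSV_FindingID=""
    CSV_Finding=""
    echo "${CSV_SourceID};${CSV_ScanTime};${CSV_ScanTarget};${CSV_ScannedObject};${CSV_ScanSuccess};${CSV_ScanStatus};${CSV_FindingID};${CSV_Finding};${CSV_AppAttributes};${CSV_Customer};${CSV_ScanEngineName};${CSV_ScanEngineVersion};${CSV_ProofName};" >> "${TMPCSV}"
  fi  # PING
done  # FILER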


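# Measure M118741 (3.3.4): secureadmin must have ssl active and the file
# /etc/keymgr/csr/secureadmin.pem must be present on every selected filer.
echo "+ M118741 (3.3.4) Setup And Use Siemens Signed Certificates" | tee -a "${TMP}"
for FILER in $(grep -v '^#' "${FILERS}" | awk -F';' '{print $1}' | sort | grep -e "${FILTER}")
do
  echo "" | tee -a "${TMP}"
  echo "* ${FILER}" | tee -a "${TMP}"
  echo "$(date) ${PGM}: ${FILER}." | tee -a "${LOG}"
  CSV_ScanTarget="${FILER}"
  CSV_ScanTime=$(date +%Y-%m-%d'T'%H:%M:%S)
  CSV_ScannedObject="NETAPP_${MPVER}_M118741_Setup-And-Use-Siemens-Signed-Certificates"
  CSV_FindingID="Setup-And-Use-Siemens-Signed-Certificates"
  # Check connectivity of the filer
  ping -c 1 "${FILER}"
  EC=${?}
  if [ ${EC} -eq 0 ]; then
    CSV_ScanSuccess="true"
    WARNCNT=0
    TTLCNT=0

    # Check 1: 'secureadmin status' must report ssl as active. The text after
    # the '-' on the ssl line is compared, including its leading blank.
    CSV_FindingID="secureadmin-active"
    SSL_STATUS="$(${SSH} "${FILER}" 'secureadmin status' | grep ssl | awk -F- '{print $2}')"
    if [ "${SSL_STATUS}" != " active" ]; then
      echo "${FILER} (secureadmin) ssl NOT active. Must be active" | tee -a "${TMP}"
      CSV_ScanStatus="true"
      CSV_Finding="not active. Must be active."
      CSV_AppAttributes=""
      # Same convention as the other measures: the proof of a finding is its
      # id, not whatever a previous check left in CSV_ProofName.
      CSV_ProofName="${CSV_FindingID}"
      let WARNCNT=${WARNCNT}+1
      let TTLCNT=${TTLCNT}+1
    else
      CSV_ScanStatus="false"
      CSV_FindingID=""
      CSV_Finding=""
      if [ -n "${VERBOSE}" ]; then
        # OPTION and VALUE belong to the last options check, not to this one.
        CSV_ProofName="secureadmin-active=active"
      else
        CSV_ProofName=""
      fi
    fi
    echo "${CSV_SourceID};${CSV_ScanTime};${CSV_ScanTarget};${CSV_ScannedObject};${CSV_ScanSuccess};${CSV_ScanStatus};${CSV_FindingID};${CSV_Finding};${CSV_AppAttributes};${CSV_Customer};${CSV_ScanEngineName};${CSV_ScanEngineVersion};${CSV_ProofName};" >> "${TMPCSV}"

    # Check 2: the file must be readable; only the exit status is used.
    # NOTE(review): this shows that a file exists under /etc/keymgr/csr/, not
    # that the certificate in use is signed by the Siemens CA - confirm that
    # this is the evidence the measure asks for. It also depends on ssh
    # passing on a non-zero status when rdfile fails.
    CSV_FindingID="secureadmin.pem"
    ${SSH} "${FILER}" 'rdfile /etc/keymgr/csr/secureadmin.pem' > /dev/null
    EC=${?}
    if [ ${EC} -ne 0 ]; then
      echo "${FILER} (key-file) /etc/keymgr/csr/secureadmin.pem NOT found" | tee -a "${TMP}"
      CSV_ScanStatus="true"
      CSV_Finding="/etc/keymgr/csr/secureadmin.pem not found. Must be found."
      CSV_AppAttributes=""
      CSV_ProofName="${CSV_FindingID}"
      let WARNCNT=${WARNCNT}+1
      let TTLCNT=${TTLCNT}+1
    else
      CSV_ScanStatus="false"
      CSV_FindingID=""
      CSV_Finding=""
      if [ -n "${VERBOSE}" ]; then
        CSV_ProofName="secureadmin.pem=found"
      else
        CSV_ProofName=""
      fi
    fi
    echo "${CSV_SourceID};${CSV_ScanTime};${CSV_ScanTarget};${CSV_ScannedObject};${CSV_ScanSuccess};${CSV_ScanStatus};${CSV_FindingID};${CSV_Finding};${CSV_AppAttributes};${CSV_Customer};${CSV_ScanEngineName};${CSV_ScanEngineVersion};${CSV_ProofName};" >> "${TMPCSV}"

    if [ ${TTLCNT} -gt 0 ]; then
      let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}"
    else
      PERC=100
    fi
    echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %" | tee -a "${TMP}"
  else
    # Not reachable: one row with ScanSuccess=false and no status
    echo "$(date) No connectivity (ping). EC=${EC}" | tee -a "${LOG}"
    CSV_ScanSuccess="false"
    CSV_ScanStatus=""
    CSV_FindingID=""
    CSV_Finding=""
    echo "${CSV_SourceID};${CSV_ScanTime};${CSV_ScanTarget};${CSV_ScannedObject};${CSV_ScanSuccess};${CSV_ScanStatus};${CSV_FindingID};${CSV_Finding};${CSV_AppAttributes};${CSV_Customer};${CSV_ScanEngineName};${CSV_ScanEngineVersion};${CSV_ProofName};" >> "${TMPCSV}"
  fi  # PING
done  # FILER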


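# Measure M118272 (3.3.5): the SSL/TLS options of every selected filer (and of
# its running vfilers) must have the required values listed below.
echo "+ M118272 (3.3.5) Disable SSL And Configure TLS" | tee -a "${TMP}"
for FILER in $(grep -v '^#' "${FILERS}" | awk -F';' '{print $1}' | sort | grep -e "${FILTER}")
do
  echo "" | tee -a "${TMP}"
  echo "* ${FILER}" | tee -a "${TMP}"
  echo "$(date) ${PGM}: ${FILER}." | tee -a "${LOG}"
  CSV_ScanTarget="${FILER}"
  CSV_ScanTime=$(date +%Y-%m-%d'T'%H:%M:%S)
  CSV_ScannedObject="NETAPP_${MPVER}_M118272_Disable-SSL-And-Configure-TLS"
  CSV_FindingID="Disable-SSL-And-Configure-TLS"
  # Check connectivity of the filer
  ping -c 1 "${FILER}"
  EC=${?}
  if [ ${EC} -eq 0 ]; then
    CSV_ScanSuccess="true"
    # All options, from filer AND vfiler, are checked upon their value
    WARNCNT=0
    TTLCNT=0
    # Required values. Written with '>' so the list holds one copy only;
    # appending duplicated every check for each further filer in the loop.
cat << !EOF > "${TMP}.options.M118272"
ssl.enable=off
ssl.v2.enable=off
ssl.v3.enable=off
tls.enable=on
httpd.admin.ssl.enable=on
!EOF
    CHECK_FILER_OPTIONS "${FILER}" "M118272"
    if [ ${TTLCNT} -gt 0 ]; then
      let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}"
    else
      PERC=100
    fi
    echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %" | tee -a "${TMP}"
  else
    # Not reachable: one row with ScanSuccess=false and no status
    echo "$(date) No connectivity (ping). EC=${EC}" | tee -a "${LOG}"
    CSV_ScanSuccess="false"
    CSV_ScanStatus=""
    CSV_FindingID=""
    CSV_Finding=""
    echo "${CSV_SourceID};${CSV_ScanTime};${CSV_ScanTarget};${CSV_ScannedObject};${CSV_ScanSuccess};${CSV_ScanStatus};${CSV_FindingID};${CSV_Finding};${CSV_AppAttributes};${CSV_Customer};${CSV_ScanEngineName};${CSV_ScanEngineVersion};${CSV_ProofName};" >> "${TMPCSV}"
  fi  # PING
done  # FILER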


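# Measure M118304 (3.3.6): the SSH options of every selected filer (and of its
# running vfilers) must have the required values listed below.
echo "+ M118304 (3.3.6) Disable Insecure Secure Shell (SSH) Settings" | tee -a "${TMP}"
for FILER in $(grep -v '^#' "${FILERS}" | awk -F';' '{print $1}' | sort | grep -e "${FILTER}")
do
  echo "" | tee -a "${TMP}"
  echo "* ${FILER}" | tee -a "${TMP}"
  echo "$(date) ${PGM}: ${FILER}." | tee -a "${LOG}"
  CSV_ScanTarget="${FILER}"
  CSV_ScanTime=$(date +%Y-%m-%d'T'%H:%M:%S)
  CSV_ScannedObject="NETAPP_${MPVER}_M118304_Disable-Insecure-Secure-Shell-(SSH)-Settings"
  CSV_FindingID="Disable-Insecure-Secure-Shell-(SSH)-Settings"
  # Check connectivity of the filer
  ping -c 1 "${FILER}"
  EC=${?}
  if [ ${EC} -eq 0 ]; then
    CSV_ScanSuccess="true"
    # All options, from filer AND vfiler, are checked upon their value
    WARNCNT=0
    TTLCNT=0
    # Required values. Written with '>' so the list holds one copy only;
    # appending duplicated every check for each further filer in the loop.
cat << !EOF > "${TMP}.options.M118304"
ssh1.enable=off
ssh2.enable=on
ssh.passwd_auth.enable=off
ssh.pubkey_auth.enable=on
telnet.distinct.enable=on
!EOF
    CHECK_FILER_OPTIONS "${FILER}" "M118304"
    if [ ${TTLCNT} -gt 0 ]; then
      let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}"
    else
      PERC=100
    fi
    echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %" | tee -a "${TMP}"
  else
    # Not reachable: one row with ScanSuccess=false and no status
    echo "$(date) No connectivity (ping). EC=${EC}" | tee -a "${LOG}"
    CSV_ScanSuccess="false"
    CSV_ScanStatus=""
    CSV_FindingID=""
    CSV_Finding=""
    echo "${CSV_SourceID};${CSV_ScanTime};${CSV_ScanTarget};${CSV_ScannedObject};${CSV_ScanSuccess};${CSV_ScanStatus};${CSV_FindingID};${CSV_Finding};${CSV_AppAttributes};${CSV_Customer};${CSV_ScanEngineName};${CSV_ScanEngineVersion};${CSV_ProofName};" >> "${TMPCSV}"
  fi  # PING
done  # FILER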


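# Measure M118360 (3.3.7): no SNMP community may be configured, and the
# dedicated SNMP account must exist: user snmp_user, group snmp_group and role
# snmp_role, the role having the login-snmp capability.
echo "+ M118360 (3.3.7) Disable SNMP Versions 1 & 2 And Secure SNMP Version 3" | tee -a "${TMP}"
for FILER in $(grep -v '^#' "${FILERS}" | awk -F';' '{print $1}' | sort | grep -e "${FILTER}")
do
  echo "" | tee -a "${TMP}"
  echo "* ${FILER}" | tee -a "${TMP}"
  echo "$(date) ${PGM}: ${FILER}." | tee -a "${LOG}"
  CSV_ScanTarget="${FILER}"
  CSV_ScanTime=$(date +%Y-%m-%d'T'%H:%M:%S)
  CSV_ScannedObject="NETAPP_${MPVER}_M118360_Disable-SNMP-Versions-1-&-2-And-Secure-SNMP-Version-3"
  CSV_FindingID="Disable-SNMP-Versions-1-&-2-And-Secure-SNMP-Version-3"
  # Check connectivity of the filer
  ping -c 1 "${FILER}"
  EC=${?}
  if [ ${EC} -eq 0 ]; then
    CSV_ScanSuccess="true"
    WARNCNT=0
    TTLCNT=0

    # In the verbose "OK" rows below the proof names the item checked here.
    # OPTION and VALUE are leftovers of the last options check and were never
    # set by this measure.

    # snmp community should be empty (first output line of 'snmp community').
    # This check is counted in the total only when it raises a warning.
    CSV_FindingID="snmp-community"
    SNMP_COMM=$(${SSH} "${FILER}" 'snmp community' | head -1)
    if [ "${SNMP_COMM}" != "" ]; then
      CSV_ScanStatus="true"
      CSV_Finding="${SNMP_COMM}. Should be empty"
      CSV_AppAttributes=""
      CSV_ProofName="${CSV_FindingID}"
      echo "${FILER} snmp community should be empty. Is not (${SNMP_COMM})." | tee -a "${TMP}"
      let WARNCNT=${WARNCNT}+1
      let TTLCNT=${TTLCNT}+1
    else
      CSV_ScanStatus="false"
      CSV_FindingID=""
      CSV_Finding=""
      CSV_AppAttributes=""
      if [ -n "${VERBOSE}" ]; then
        CSV_ProofName="snmp-community=${SNMP_COMM}"
      else
        CSV_ProofName=""
      fi
    fi
    echo "${CSV_SourceID};${CSV_ScanTime};${CSV_ScanTarget};${CSV_ScannedObject};${CSV_ScanSuccess};${CSV_ScanStatus};${CSV_FindingID};${CSV_Finding};${CSV_AppAttributes};${CSV_Customer};${CSV_ScanEngineName};${CSV_ScanEngineVersion};${CSV_ProofName};" >> "${TMPCSV}"

    # How the account checked below is created on the filer:
    #   useradmin role add snmp_role -a login-snmp
    #   useradmin group add snmp_group -r snmp_role
    #   useradmin user add snmp_user -p <password> -g snmp_group
    # The remaining four checks are counted in the total whether they pass or not.
    CSV_FindingID="snmp-user"
    SNMP_USER=$(${SSH} "${FILER}" 'useradmin user list snmp_user' | grep '^Name:' | head -1 | awk '{print $2}')
    if [ "${SNMP_USER}" != "snmp_user" ]; then
      CSV_ScanStatus="true"
      CSV_Finding="${SNMP_USER}. snmp_user need to be added"
      CSV_AppAttributes=""
      CSV_ProofName="${CSV_FindingID}"
      let WARNCNT=${WARNCNT}+1
    else
      CSV_ScanStatus="false"
      CSV_FindingID=""
      CSV_Finding=""
      CSV_AppAttributes=""
      if [ -n "${VERBOSE}" ]; then
        CSV_ProofName="snmp-user=${SNMP_USER}"
      else
        CSV_ProofName=""
      fi
    fi
    let TTLCNT=${TTLCNT}+1
    echo "${CSV_SourceID};${CSV_ScanTime};${CSV_ScanTarget};${CSV_ScannedObject};${CSV_ScanSuccess};${CSV_ScanStatus};${CSV_FindingID};${CSV_Finding};${CSV_AppAttributes};${CSV_Customer};${CSV_ScanEngineName};${CSV_ScanEngineVersion};${CSV_ProofName};" >> "${TMPCSV}"

    CSV_FindingID="snmp-group"
    SNMP_GROUP=$(${SSH} "${FILER}" 'useradmin group list snmp_group' | grep '^Name:' | head -1 | awk '{print $2}')
    if [ "${SNMP_GROUP}" != "snmp_group" ]; then
      CSV_ScanStatus="true"
      CSV_Finding="${SNMP_GROUP}. snmp_group need to be added"
      CSV_AppAttributes=""
      CSV_ProofName="${CSV_FindingID}"
      let WARNCNT=${WARNCNT}+1
    else
      CSV_ScanStatus="false"
      CSV_FindingID=""
      CSV_Finding=""
      CSV_AppAttributes=""
      if [ -n "${VERBOSE}" ]; then
        CSV_ProofName="snmp-group=${SNMP_GROUP}"
      else
        CSV_ProofName=""
      fi
    fi
    let TTLCNT=${TTLCNT}+1
    echo "${CSV_SourceID};${CSV_ScanTime};${CSV_ScanTarget};${CSV_ScannedObject};${CSV_ScanSuccess};${CSV_ScanStatus};${CSV_FindingID};${CSV_Finding};${CSV_AppAttributes};${CSV_Customer};${CSV_ScanEngineName};${CSV_ScanEngineVersion};${CSV_ProofName};" >> "${TMPCSV}"

    CSV_FindingID="snmp-role"
    SNMP_ROLE=$(${SSH} "${FILER}" 'useradmin role list snmp_role' | grep '^Name:' | head -1 | awk '{print $2}')
    if [ "${SNMP_ROLE}" != "snmp_role" ]; then
      CSV_ScanStatus="true"
      CSV_Finding="${SNMP_ROLE}. snmp_role need to be added"
      CSV_AppAttributes=""
      CSV_ProofName="${CSV_FindingID}"
      let WARNCNT=${WARNCNT}+1
    else
      CSV_ScanStatus="false"
      CSV_FindingID=""
      CSV_Finding=""
      CSV_AppAttributes=""
      if [ -n "${VERBOSE}" ]; then
        CSV_ProofName="snmp-role=${SNMP_ROLE}"
      else
        CSV_ProofName=""
      fi
    fi
    let TTLCNT=${TTLCNT}+1
    echo "${CSV_SourceID};${CSV_ScanTime};${CSV_ScanTarget};${CSV_ScannedObject};${CSV_ScanSuccess};${CSV_ScanStatus};${CSV_FindingID};${CSV_Finding};${CSV_AppAttributes};${CSV_Customer};${CSV_ScanEngineName};${CSV_ScanEngineVersion};${CSV_ProofName};" >> "${TMPCSV}"

    # The role must consist of exactly the login-snmp capability: the third
    # word of the first 'Capabilities:' line is compared.
    CSV_FindingID="snmp-capabilities"
    SNMP_CAPA=$(${SSH} "${FILER}" 'useradmin role list snmp_role' | grep 'Capabilities:' | head -1 | awk '{print $3}')
    if [ "${SNMP_CAPA}" != "login-snmp" ]; then
      CSV_ScanStatus="true"
      CSV_Finding="${SNMP_CAPA}. login-snmp capabilities need to be added"
      CSV_AppAttributes=""
      CSV_ProofName="${CSV_FindingID}"
      let WARNCNT=${WARNCNT}+1
    else
      CSV_ScanStatus="false"
      CSV_FindingID=""
      CSV_Finding=""
      CSV_AppAttributes=""
      if [ -n "${VERBOSE}" ]; then
        CSV_ProofName="snmp-capabilities=${SNMP_CAPA}"
      else
        CSV_ProofName=""
      fi
    fi
    let TTLCNT=${TTLCNT}+1
    echo "${CSV_SourceID};${CSV_ScanTime};${CSV_ScanTarget};${CSV_ScannedObject};${CSV_ScanSuccess};${CSV_ScanStatus};${CSV_FindingID};${CSV_Finding};${CSV_AppAttributes};${CSV_Customer};${CSV_ScanEngineName};${CSV_ScanEngineVersion};${CSV_ProofName};" >> "${TMPCSV}"

    if [ ${TTLCNT} -gt 0 ]; then
      let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}"
    else
      PERC=100
    fi
    echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %" | tee -a "${TMP}"
  else
    # Not reachable: one row with ScanSuccess=false and no status
    echo "$(date) No connectivity (ping). EC=${EC}" | tee -a "${LOG}"
    CSV_ScanSuccess="false"
    CSV_ScanStatus=""
    CSV_FindingID=""
    CSV_Finding=""
    echo "${CSV_SourceID};${CSV_ScanTime};${CSV_ScanTarget};${CSV_ScannedObject};${CSV_ScanSuccess};${CSV_ScanStatus};${CSV_FindingID};${CSV_Finding};${CSV_AppAttributes};${CSV_Customer};${CSV_ScanEngineName};${CSV_ScanEngineVersion};${CSV_ProofName};" >> "${TMPCSV}"
  fi  # PING
done  # FILER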


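# Measure M118371 (3.3.8): console and SSH sessions of every selected filer
# (and of its running vfilers) must time out as listed below.
echo "+ M118371 (3.3.8) Enable Command Line Session Time-Outs" | tee -a "${TMP}"
for FILER in $(grep -v '^#' "${FILERS}" | awk -F';' '{print $1}' | sort | grep -e "${FILTER}")
do
  echo "" | tee -a "${TMP}"
  echo "* ${FILER}" | tee -a "${TMP}"
  echo "$(date) ${PGM}: ${FILER}." | tee -a "${LOG}"
  CSV_ScanTarget="${FILER}"
  CSV_ScanTime=$(date +%Y-%m-%d'T'%H:%M:%S)
  CSV_ScannedObject="NETAPP_${MPVER}_M118371_Enable-Command-Line-Session-Time-Outs"
  CSV_FindingID="Enable-Command-Line-Session-Time-Outs"
  # Check connectivity of the filer
  ping -c 1 "${FILER}"
  EC=${?}
  if [ ${EC} -eq 0 ]; then
    CSV_ScanSuccess="true"
    # All options, from filer AND vfiler, are checked upon their value
    WARNCNT=0
    TTLCNT=0
    # Required values. Written with '>' so the list holds one copy only;
    # appending duplicated every check for each further filer in the loop.
cat << !EOF > "${TMP}.options.M118371"
autologout.console.enable=on
autologout.console.timeout=300
ssh.idle.timeout=5
!EOF
    CHECK_FILER_OPTIONS "${FILER}" "M118371"
    if [ ${TTLCNT} -gt 0 ]; then
      let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}"
    else
      PERC=100
    fi
    echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %" | tee -a "${TMP}"
  else
    # Not reachable: one row with ScanSuccess=false and no status
    echo "$(date) No connectivity (ping). EC=${EC}" | tee -a "${LOG}"
    CSV_ScanSuccess="false"
    CSV_ScanStatus=""
    CSV_FindingID=""
    CSV_Finding=""
    echo "${CSV_SourceID};${CSV_ScanTime};${CSV_ScanTarget};${CSV_ScannedObject};${CSV_ScanSuccess};${CSV_ScanStatus};${CSV_FindingID};${CSV_Finding};${CSV_AppAttributes};${CSV_Customer};${CSV_ScanEngineName};${CSV_ScanEngineVersion};${CSV_ProofName};" >> "${TMPCSV}"
  fi  # PING
done  # FILER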


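# Measure M118346 (3.3.9): the default qtree mode of every selected filer (and
# of its running vfilers) must have the required value listed below.
echo "+ M118346 (3.3.9) Secure File System Access Using Active Directory Or Access Control Lists (ACLs)" | tee -a "${TMP}"
for FILER in $(grep -v '^#' "${FILERS}" | awk -F';' '{print $1}' | sort | grep -e "${FILTER}")
do
  echo "" | tee -a "${TMP}"
  echo "* ${FILER}" | tee -a "${TMP}"
  echo "$(date) ${PGM}: ${FILER}." | tee -a "${LOG}"
  CSV_ScanTarget="${FILER}"
  CSV_ScanTime=$(date +%Y-%m-%d'T'%H:%M:%S)
  CSV_ScannedObject="NETAPP_${MPVER}_M118346_Secure-File-System-Access-Using-Active-Directory-Or-Access-Control-Lists-(ACLs)"
  CSV_FindingID="Secure-File-System-Access-Using-Active-Directory-Or-Access-Control-Lists-(ACLs)"
  # Check connectivity of the filer
  ping -c 1 "${FILER}"
  EC=${?}
  if [ ${EC} -eq 0 ]; then
    CSV_ScanSuccess="true"
    # All options, from filer AND vfiler, are checked upon their value
    WARNCNT=0
    TTLCNT=0
    # Required values. Written with '>' so the list holds one copy only;
    # appending duplicated every check for each further filer in the loop.
cat << !EOF > "${TMP}.options.M118346"
wafl.default_qtree_mode=0775
!EOF
    CHECK_FILER_OPTIONS "${FILER}" "M118346"
    if [ ${TTLCNT} -gt 0 ]; then
      let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}"
    else
      PERC=100
    fi
    echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %" | tee -a "${TMP}"
  else
    # Not reachable: one row with ScanSuccess=false and no status
    echo "$(date) No connectivity (ping). EC=${EC}" | tee -a "${LOG}"
    CSV_ScanSuccess="false"
    CSV_ScanStatus=""
    CSV_FindingID=""
    CSV_Finding=""
    echo "${CSV_SourceID};${CSV_ScanTime};${CSV_ScanTarget};${CSV_ScannedObject};${CSV_ScanSuccess};${CSV_ScanStatus};${CSV_FindingID};${CSV_Finding};${CSV_AppAttributes};${CSV_Customer};${CSV_ScanEngineName};${CSV_ScanEngineVersion};${CSV_ProofName};" >> "${TMPCSV}"
  fi  # PING
done  # FILER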


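echo "+ M118580 (3.4.1) Change Default Account Passwords"|tee -a ${TMP}
# On a (7-mode) filer you cannot see whether a password has been changed.
# The workaround is a manually maintained marker file on the filer,
# /etc/log/root_pwd_change.log, holding "<YYYYMMDD> root password changed".
# The check reads the first field of that file and compares it with the date
# three months ago.
# NOTE(review): the marker is self-attested. It shows that somebody recorded a
# change, not that the password differs from the default, and a date in the
# future also passes the age test.
# Start Checking (loop)
for FILER in `cat ${FILERS}|grep -v \^#|awk -F\; '{print $1}'|sort|grep "${FILTER}"`
do
  echo "" | tee -a ${TMP}
  echo "* ${FILER}" | tee -a ${TMP}
  echo "`date` ${PGM}: ${FILER}."|tee -a $LOG
  CSV_ScanTarget="${FILER}"
  CSV_ScanTime=`date +%Y-%m-%d'T'%H:%M:%S`
  CSV_ScannedObject="NETAPP_${MPVER}_M118580_Change-Default-Account-Passwords"
  CSV_FindingID="Change-Default-Account-Passwords"
# Check connectivity of the filer
  ping -c 1 ${FILER}
  EC=${?}
  if [ ${EC} -eq 0 ]; then
    CSV_ScanSuccess="true"
    WARNCNT=0
    TTLCNT=0
    CSV_FindingID="root-pwd-change-date"
    PWDCHANGEDATE="`${SSH} ${FILER} 'rdfile /etc/log/root_pwd_change.log'|awk '{print $1}'`"
    let TTLCNT=${TTLCNT}+1
    # The value comes from a file on the filer, so it is validated before it
    # reaches a numeric test. Previously a multi-line or non-numeric value made
    # the test itself fail, which fell through to the "OK" branch. Some shells
    # also evaluate the operands of a numeric test as arithmetic expressions,
    # another reason to accept nothing but eight digits here.
    case "${PWDCHANGEDATE}" in
      "")
        CSV_ScanStatus="true"
        CSV_Finding="<empty>. Must be: Changed  & registered in /etc/log/root_pwd_change.log"
        CSV_AppAttributes=""
        echo "${FILER} root password has never been changed. Or registred in /etc/log/root_pwd_change.log"|tee -a ${TMP}
        let WARNCNT=${WARNCNT}+1
        ;;
      [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9])
        # GNU date syntax; OLDDATE is today minus three months as YYYYMMDD.
        OLDDATE="`date --date='3 month ago' +%Y%m%d`"
        if [ "${PWDCHANGEDATE}" -lt "${OLDDATE}" ]; then
          CSV_ScanStatus="true"
          CSV_Finding="${PWDCHANGEDATE}. Must be: < 3 month."
          CSV_AppAttributes=""
          echo "${FILER} password date in /etc/log/root_pwd_change.log is too (3 month) old (${PWDCHANGEDATE}). Please change password and update /etc/log/root_pwd_change.log"|tee -a ${TMP}
          let WARNCNT=${WARNCNT}+1
        else
          CSV_ScanStatus="false"
          CSV_FindingID=""
          CSV_Finding=""
          CSV_AppAttributes=""
          echo "  ${FILER} password date in /etc/log/root_pwd_change.log is OK (less then 3 month old) (${PWDCHANGEDATE})."|tee -a ${TMP}
        fi  # -lt
        ;;
      *)
        # Anything that is not exactly one YYYYMMDD token is reported as a
        # finding. The raw text is left out of the report and the CSV because
        # it may contain ';' or line breaks.
        CSV_ScanStatus="true"
        CSV_Finding="<unparsable>. Must be: a single YYYYMMDD date in /etc/log/root_pwd_change.log"
        CSV_AppAttributes=""
        echo "${FILER} /etc/log/root_pwd_change.log does not hold a single YYYYMMDD date. Please correct the file."|tee -a ${TMP}
        let WARNCNT=${WARNCNT}+1
        ;;
    esac  # PWDCHANGEDATE
    if [ ${TTLCNT} -gt 0 ]; then
      let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}"
    else
      let PERC="100"
    fi
    echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %"  | tee -a ${TMP}
  else
    echo "`date` No connectivity (ping). EC=${EC}"|tee -a ${LOG}
    CSV_ScanSuccess="false"
    CSV_ScanStatus=""
    CSV_FindingID=""
    CSV_Finding=""
  fi  # PING
  # One CSV row per filer, written for both the reachable and unreachable case.
  echo "${CSV_SourceID};${CSV_ScanTime};${CSV_ScanTarget};${CSV_ScannedObject};${CSV_ScanSuccess};${CSV_ScanStatus};${CSV_FindingID};${CSV_Finding};${CSV_AppAttributes};${CSV_Customer};${CSV_ScanEngineName};${CSV_ScanEngineVersion};${CSV_ProofName};" >> ${TMPCSV}
done  # FILER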


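echo "+ M118885 (3.4.2) Delete Or Deactivate Unused Accounts"|tee -a ${TMP}
# This measure only inventories accounts: every account found is written to
# the report and to the CSV with ScanStatus "not set". Whether an account is
# unused is not decided here and needs a manual review of the list.
for FILER in `cat ${FILERS}|grep -v \^#|awk -F\; '{print $1}'|sort|grep "${FILTER}"`
do
  echo "" | tee -a ${TMP}
  echo "* ${FILER}" | tee -a ${TMP}
  echo "`date` ${PGM}: ${FILER}."|tee -a $LOG
  CSV_ScanTarget="${FILER}"
  CSV_ScanTime=`date +%Y-%m-%d'T'%H:%M:%S`
  # NOTE(review): the other NETAPP_${MPVER}_ objects join the measure id and
  # the title with "_", this one uses "-". Confirm what the CSV consumer expects.
  CSV_ScannedObject="NETAPP_${MPVER}_M118885-Delete-Or-Deactivate-Unused-Accounts"
  CSV_FindingID="Delete-Or-Deactivate-Unused-Accounts"
# Check connectivity of the filer
  ping -c 1 ${FILER}
  EC=${?}
  if [ ${EC} -eq 0 ]; then
    CSV_ScanSuccess="true"
    WARNCNT=0
    TTLCNT=0
    CSV_ScanStatus="not set"
    CSV_FindingID="user-list"
# List all (active & inactive) accounts
    # NOTE(review): CSV_ProofName set in this loop stays set afterwards when
    # the shell runs the last pipeline stage in the current process (ksh93
    # does), so later rows carry the last account name unless something
    # resets it. Verify.
    ${SSH} ${FILER} 'useradmin user list'|grep "Name:"|awk '{print $2}'|while read NAME REST
    do
      echo -n "  "|tee -a ${TMP}
      # Paragraph mode (RS="") folds each account record onto one line.
      # The stray "file" operand after the program is removed: with it gawk
      # tried to read a file called "file" and ignored the ssh output on stdin.
      ${SSH} ${FILER} "useradmin user list ${NAME}"|gawk 'BEGIN {RS=""}
{
  t=0
  while (++t<=NF) {printf "%s ", $t}
  printf "\n"
}' | tee -a ${TMP}
      CSV_Finding="Account=${NAME}"
      CSV_ProofName="Account=${NAME}"
      echo "${CSV_SourceID};${CSV_ScanTime};${CSV_ScanTarget};${CSV_ScannedObject};${CSV_ScanSuccess};${CSV_ScanStatus};${CSV_FindingID};${CSV_Finding};${CSV_AppAttributes};${CSV_Customer};${CSV_ScanEngineName};${CSV_ScanEngineVersion};${CSV_ProofName};" >> ${TMPCSV}
    done  # NAME
  else
    echo "`date` No connectivity (ping). EC=${EC}"|tee -a ${LOG}
    CSV_ScanSuccess="false"
    CSV_ScanStatus=""
    CSV_FindingID=""
    CSV_Finding=""
    echo "${CSV_SourceID};${CSV_ScanTime};${CSV_ScanTarget};${CSV_ScannedObject};${CSV_ScanSuccess};${CSV_ScanStatus};${CSV_FindingID};${CSV_Finding};${CSV_AppAttributes};${CSV_Customer};${CSV_ScanEngineName};${CSV_ScanEngineVersion};${CSV_ProofName};" >> ${TMPCSV}
  fi  # PING
done  # FILER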


# Measure M118273 (3.4.3): anonymous CIFS access must be restricted.
echo "+ M118273 (3.4.3) Disable Anonymous Shares"|tee -a ${TMP}
# One pass per filer: first ';'-separated field of every non-comment line in
# ${FILERS}, sorted, then narrowed by ${FILTER}.
for FILER in $(cat ${FILERS}|grep -v \^#|awk -F\; '{print $1}'|sort|grep "${FILTER}")
do
  echo "" | tee -a ${TMP}
  echo "* ${FILER}" | tee -a ${TMP}
  echo "$(date) ${PGM}: ${FILER}."|tee -a $LOG
  CSV_ScanTarget="${FILER}"
  CSV_ScanTime=$(date +%Y-%m-%d'T'%H:%M:%S)
  # NOTE(review): from this measure on the object name has no
  # "NETAPP_${MPVER}_" prefix, unlike M118371..M118885. Confirm intended.
  CSV_ScannedObject="M118273_Disable-Anonymous-Shares"
  # Same FindingID for the reachable case; only the no-ping branch clears it.
  CSV_FindingID="Disable-Anonymous-Shares"

  # Reachability gate: a single ICMP echo, its exit code picks the branch.
  ping -c 1 ${FILER}
  EC=${?}
  if [ ${EC} -ne 0 ]; then
    # Unreachable filer: log it and write one ScanSuccess=false row.
    echo "$(date) No connectivity (ping). EC=${EC}"|tee -a ${LOG}
    CSV_ScanSuccess="false"
    CSV_ScanStatus=""
    CSV_FindingID=""
    CSV_Finding=""
    echo "${CSV_SourceID};${CSV_ScanTime};${CSV_ScanTarget};${CSV_ScannedObject};${CSV_ScanSuccess};${CSV_ScanStatus};${CSV_FindingID};${CSV_Finding};${CSV_AppAttributes};${CSV_Customer};${CSV_ScanEngineName};${CSV_ScanEngineVersion};${CSV_ProofName};" >> ${TMPCSV}
    continue
  fi

  CSV_ScanSuccess="true"
  # Counters start at zero for every filer; presumably CHECK_FILER_OPTIONS
  # (defined outside this section) updates them - confirm there.
  WARNCNT=0
  TTLCNT=0
  # Expected option value for this measure.
  # NOTE(review): appended (>>) once per filer; verify that
  # CHECK_FILER_OPTIONS clears the file between filers.
  cat << !EOF >> ${TMP}.options.M118273
cifs.restrict_anonymous=2
!EOF
  CHECK_FILER_OPTIONS ${FILER} "M118273"
  # Share of checked options that raised no warning; 100 when nothing was counted.
  if [ ${TTLCNT} -gt 0 ]; then
    PERC=$(( (${TTLCNT}-${WARNCNT})*100/${TTLCNT} ))
  else
    PERC=100
  fi
  echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %"  | tee -a ${TMP}
done  # FILER


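echo "+ M118545 (3.5.1) Enable And Configure Logging"|tee -a ${TMP}
# Audit logging must be on and the audit log must have the expected maximum
# size. The comparison itself is done by CHECK_FILER_OPTIONS (defined outside
# this section).
for FILER in `cat ${FILERS}|grep -v \^#|awk -F\; '{print $1}'|sort|grep "${FILTER}"`
do
  echo "" | tee -a ${TMP}
  echo "* ${FILER}" | tee -a ${TMP}
  echo "`date` ${PGM}: ${FILER}."|tee -a $LOG
  CSV_ScanTarget="${FILER}"
  CSV_ScanTime=`date +%Y-%m-%d'T'%H:%M:%S`
  CSV_ScannedObject="M118545_Enable-And-Configure-Logging"
  CSV_FindingID="Enable-And-Configure-Logging"
# Check connectivity of the filer
  ping -c 1 ${FILER}
  EC=${?}
  if [ ${EC} -eq 0 ]; then
    CSV_ScanSuccess="true"
    # Was "Disable-Anonymous-Shares", copied from measure M118273; logging
    # findings were filed under the wrong FindingID.
    CSV_FindingID="Enable-And-Configure-Logging"
# All options, from filer AND Vfiler, are checked upon their value
    WARNCNT=0
    TTLCNT=0
# Options values
# NOTE(review): appended (>>) once per filer; verify that CHECK_FILER_OPTIONS
# clears the file between filers.
cat << !EOF >> ${TMP}.options.M118545
auditlog.enable=on
auditlog.max_file_size=10000000
!EOF
    CHECK_FILER_OPTIONS ${FILER} "M118545"
    # Share of checked options that raised no warning; 100 when nothing was counted.
    if [ ${TTLCNT} -gt 0 ]; then
      let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}"
    else
      let PERC="100"
    fi
    echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %"  | tee -a ${TMP}
  else
    echo "`date` No connectivity (ping). EC=${EC}"|tee -a ${LOG}
    CSV_ScanSuccess="false"
    CSV_ScanStatus=""
    CSV_FindingID=""
    CSV_Finding=""
    echo "${CSV_SourceID};${CSV_ScanTime};${CSV_ScanTarget};${CSV_ScannedObject};${CSV_ScanSuccess};${CSV_ScanStatus};${CSV_FindingID};${CSV_Finding};${CSV_AppAttributes};${CSV_Customer};${CSV_ScanEngineName};${CSV_ScanEngineVersion};${CSV_ProofName};" >> ${TMPCSV}
  fi  # PING
done  # FILER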


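echo "+ M118270 (3.6.3) Restrict Host Access To Network Services"|tee -a ${TMP}
# For every protocol that is switched on, the matching <protocol>.access
# option must contain a host= restriction. One CSV row is written per protocol.
for FILER in `cat ${FILERS}|grep -v \^#|awk -F\; '{print $1}'|sort|grep "${FILTER}"`
do
  echo "" | tee -a ${TMP}
  echo "* ${FILER}" | tee -a ${TMP}
  echo "`date` ${PGM}: ${FILER}."|tee -a $LOG
  CSV_ScanTarget="${FILER}"
  CSV_ScanTime=`date +%Y-%m-%d'T'%H:%M:%S`
  CSV_ScannedObject="M118270_Restrict-Host-Access-To-Network-Services"
  CSV_FindingID="Restrict-Host-Access-To-Network-Services"
# Check connectivity of the filer
  ping -c 1 ${FILER}
  EC=${?}
  if [ ${EC} -eq 0 ]; then
    CSV_ScanSuccess="true"
    CSV_FindingID="Restrict-Host-Access-To-Network-Services"
# All options, from filer AND Vfiler, are checked upon their value
#  man na_protocolaccess 
#              options protocol.access access_spec [ AND | OR  [ ( ] access_spec [ ) ] ... ]
#       protocol is currently one of the following:  rsh,  telnet, ssh, httpd, httpd.admin, snmp, ndmpd, snapmirror, or snapvault.
    WARNCNT=0
    TTLCNT=0
    PROTOCOLS="rsh telnet ssh httpd httpd.admin snmp ndmpd snapmirror snapvault"
    for PROT in ${PROTOCOLS}
    do
      # Second field of the "options <prot>.enable" output is taken as the state.
      # NOTE(review): anything other than "on", including an empty answer from
      # a failed ssh call, is treated as "no access check needed".
      PROTSTATUS="`${SSH} ${FILER} \"options ${PROT}.enable\"|awk '{print $2}'`"
      CSV_ScanStatus="not set"
      if [ "${PROTSTATUS}" = "on" ]; then
        let TTLCNT=${TTLCNT}+1
        # Only the second field of the access option is looked at, so a
        # specification that continues after a blank is cut off here.
        ACCESSSTATUS="`${SSH} ${FILER} \"options ${PROT}.access\"|awk '{print $2}'`"
        # Match inside the shell instead of "echo ${ACCESSSTATUS}|grep": the
        # unquoted echo expanded glob characters in the value (for example a
        # bare "*") against the files of the current directory before grep saw it.
        # NOTE(review): any value containing "host=" passes; how wide the host
        # list is, is not assessed.
        case "${ACCESSSTATUS}" in
          *host=*)
            CSV_ScanStatus="false"
            CSV_FindingID=""
            CSV_Finding=""
            echo "  ${FILER} ${PROT}=${PROTSTATUS}. options ${ACCESSSTATUS} "|tee -a ${TMP}
            ;;
          *)
            CSV_ScanStatus="true"
            CSV_FindingID="options ${PROT}.access"
            CSV_Finding="options ${PROT}=${PROTSTATUS}. But NO host= in options ${PROT}.access"
            echo "${FILER} options ${PROT}=${PROTSTATUS}. But NO host= in options ${PROT}.access (${ACCESSSTATUS})"|tee -a ${TMP}
            let WARNCNT=${WARNCNT}+1
            ;;
        esac  # ACCESSSTATUS
      else
        echo "  ${FILER} ${PROT}=${PROTSTATUS}. So NO access check done."|tee -a ${TMP}
        CSV_ScanStatus="not set"
        CSV_FindingID="options ${PROT}.access"
        CSV_Finding="options ${PROT}=${PROTSTATUS}. So NO access check done."
      fi  # PROTSTATUS
      echo "${CSV_SourceID};${CSV_ScanTime};${CSV_ScanTarget};${CSV_ScannedObject};${CSV_ScanSuccess};${CSV_ScanStatus};${CSV_FindingID};${CSV_Finding};${CSV_AppAttributes};${CSV_Customer};${CSV_ScanEngineName};${CSV_ScanEngineVersion};${CSV_ProofName};" >> ${TMPCSV}
    done  # for
  
    # Share of enabled protocols with a host= restriction; 100 when none is enabled.
    if [ ${TTLCNT} -gt 0 ]; then
      let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}"
    else
      let PERC="100"
    fi
    echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %"  | tee -a ${TMP}
  else
    echo "`date` No connectivity (ping). EC=${EC}"|tee -a ${LOG}
    CSV_ScanSuccess="false"
    CSV_ScanStatus=""
    CSV_FindingID=""
    CSV_Finding=""
    echo "${CSV_SourceID};${CSV_ScanTime};${CSV_ScanTarget};${CSV_ScannedObject};${CSV_ScanSuccess};${CSV_ScanStatus};${CSV_FindingID};${CSV_Finding};${CSV_AppAttributes};${CSV_Customer};${CSV_ScanEngineName};${CSV_ScanEngineVersion};${CSV_ProofName};" >> ${TMPCSV}
  fi  # PING
done  # FILER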


# Measure M118178 (3.6.4): IPv6 must be switched off, also for httpd.
echo "+ M118178 (3.6.4) Disable IPv6"|tee -a ${TMP}
# One pass per filer: first ';'-separated field of every non-comment line in
# ${FILERS}, sorted, then narrowed by ${FILTER}.
for FILER in $(cat ${FILERS}|grep -v \^#|awk -F\; '{print $1}'|sort|grep "${FILTER}")
do
  echo "" | tee -a ${TMP}
  echo "* ${FILER}" | tee -a ${TMP}
  echo "$(date) ${PGM}: ${FILER}."|tee -a $LOG
  CSV_ScanTarget="${FILER}"
  CSV_ScanTime=$(date +%Y-%m-%d'T'%H:%M:%S)
  CSV_ScannedObject="M118178_Disable-IPv6"
  # Same FindingID for the reachable case; only the no-ping branch clears it.
  CSV_FindingID="Disable-IPv6"

  # Reachability gate: a single ICMP echo, its exit code picks the branch.
  ping -c 1 ${FILER}
  EC=${?}
  if [ ${EC} -ne 0 ]; then
    # Unreachable filer: log it and write one ScanSuccess=false row.
    echo "$(date) No connectivity (ping). EC=${EC}"|tee -a ${LOG}
    CSV_ScanSuccess="false"
    CSV_ScanStatus=""
    CSV_FindingID=""
    CSV_Finding=""
    echo "${CSV_SourceID};${CSV_ScanTime};${CSV_ScanTarget};${CSV_ScannedObject};${CSV_ScanSuccess};${CSV_ScanStatus};${CSV_FindingID};${CSV_Finding};${CSV_AppAttributes};${CSV_Customer};${CSV_ScanEngineName};${CSV_ScanEngineVersion};${CSV_ProofName};" >> ${TMPCSV}
    continue
  fi

  CSV_ScanSuccess="true"
  # Counters start at zero for every filer; presumably CHECK_FILER_OPTIONS
  # (defined outside this section) updates them - confirm there.
  WARNCNT=0
  TTLCNT=0
  # Expected option values for this measure.
  # NOTE(review): appended (>>) once per filer; verify that
  # CHECK_FILER_OPTIONS clears the file between filers.
  cat << !EOF >> ${TMP}.options.M118178
ip.v6.enable=off
httpd.ipv6.enable=off
!EOF
  CHECK_FILER_OPTIONS ${FILER} "M118178"
  # Share of checked options that raised no warning; 100 when nothing was counted.
  if [ ${TTLCNT} -gt 0 ]; then
    PERC=$(( (${TTLCNT}-${WARNCNT})*100/${TTLCNT} ))
  else
    PERC=100
  fi
  echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %"  | tee -a ${TMP}
done  # FILER


# Measure M118797 (3.7.1): AutoSupport must send minimal content over https
# with certificate validation on.
echo "+ M118797 (3.7.1) Secure AutoSupport"|tee -a ${TMP}
# One pass per filer: first ';'-separated field of every non-comment line in
# ${FILERS}, sorted, then narrowed by ${FILTER}.
for FILER in $(cat ${FILERS}|grep -v \^#|awk -F\; '{print $1}'|sort|grep "${FILTER}")
do
  echo "" | tee -a ${TMP}
  echo "* ${FILER}" | tee -a ${TMP}
  echo "$(date) ${PGM}: ${FILER}."|tee -a $LOG
  CSV_ScanTarget="${FILER}"
  CSV_ScanTime=$(date +%Y-%m-%d'T'%H:%M:%S)
  CSV_ScannedObject="M118797_Secure-AutoSupport"
  # Same FindingID for the reachable case; only the no-ping branch clears it.
  CSV_FindingID="Secure-AutoSupport"

  # Reachability gate: a single ICMP echo, its exit code picks the branch.
  ping -c 1 ${FILER}
  EC=${?}
  if [ ${EC} -ne 0 ]; then
    # Unreachable filer: log it and write one ScanSuccess=false row.
    echo "$(date) No connectivity (ping). EC=${EC}"|tee -a ${LOG}
    CSV_ScanSuccess="false"
    CSV_ScanStatus=""
    CSV_FindingID=""
    CSV_Finding=""
    echo "${CSV_SourceID};${CSV_ScanTime};${CSV_ScanTarget};${CSV_ScannedObject};${CSV_ScanSuccess};${CSV_ScanStatus};${CSV_FindingID};${CSV_Finding};${CSV_AppAttributes};${CSV_Customer};${CSV_ScanEngineName};${CSV_ScanEngineVersion};${CSV_ProofName};" >> ${TMPCSV}
    continue
  fi

  CSV_ScanSuccess="true"
  # Counters start at zero for every filer; presumably CHECK_FILER_OPTIONS
  # (defined outside this section) updates them - confirm there.
  WARNCNT=0
  TTLCNT=0
  # Expected option values for this measure.
  # NOTE(review): appended (>>) once per filer; verify that
  # CHECK_FILER_OPTIONS clears the file between filers.
  cat << !EOF >> ${TMP}.options.M118797
autosupport.content=minimal
autosupport.support.transport=https
autosupport.validate_digital_certificate=on
!EOF
  CHECK_FILER_OPTIONS ${FILER} "M118797"
  # Share of checked options that raised no warning; 100 when nothing was counted.
  if [ ${TTLCNT} -gt 0 ]; then
    PERC=$(( (${TTLCNT}-${WARNCNT})*100/${TTLCNT} ))
  else
    PERC=100
  fi
  echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %"  | tee -a ${TMP}
done  # FILER

##
### To be checked
### autosupport.support.url=<complete URL>
### autosupport.partner.to <email address1>[,..., <email address5 >]


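echo "+ M118148 (3.7.2) Protect Stored Data With Antivirus-Software"|tee -a ${TMP}
# Two checks per reachable filer: vscan must report scanning as enabled (per
# running vfiler when multistore is licensed, else once for the filer), and
# every online volume must be a flex volume.
# NOTE(review): the counters and CSV_* values changed inside the
# "... | while read" loops reach the summary below only when the shell runs
# the last pipeline stage in the current process (ksh93 does). Verify for the
# ksh in use.
for FILER in `cat ${FILERS}|grep -v \^#|awk -F\; '{print $1}'|sort|grep "${FILTER}"`
do
  echo "" | tee -a ${TMP}
  echo "* ${FILER}" | tee -a ${TMP}
  echo "`date` ${PGM}: ${FILER}."|tee -a $LOG
  CSV_ScanTarget="${FILER}"
  CSV_ScanTime=`date +%Y-%m-%d'T'%H:%M:%S`
  CSV_ScannedObject="M118148_Protect-Stored-Data-With-Antivirus-Software"
  CSV_FindingID="Protect-Stored-Data-With-Antivirus-Software"
# Check connectivity of the filer
  ping -c 1 ${FILER}
  EC=${?}
  if [ ${EC} -eq 0 ]; then
    CSV_ScanSuccess="true"
    CSV_FindingID="Protect-Stored-Data-With-Antivirus-Software"
# Check if VFILER (multistore) is licensed
    # Only a second field equal to "not" on the multistore line counts as
    # unlicensed; any other answer, an empty one included, selects the
    # vfiler branch.
    MULTISTORE="`${SSH} ${FILER} license|grep multistore|awk '{print $2}'`"
    if [ "${MULTISTORE}" = "not" ]; then
      MULTISTORE=""
    else
      MULTISTORE=1
    fi  # MULTISTORE
    echo "  MULTISTORE=${MULTISTORE}" | tee -a ${TMP}

# For every system
# - A virus scanner must be used (e.g., with a server connected via NetApp interface/API (offloading virus scanning to a separate server))
# - The virus signatures and the scanner itself must be kept up-to-date
# - with CIFS file system: On-access virus scanning on all files stored within the system must be activated
# - Only NetApp FlexVol volumes must be used because infinite volumes are not supported by the virus scanning vendors.
# Of these, only the vscan on/off state and the volume type are checked below.
    WARNCNT=0
    TTLCNT=0
# vscan enabled
    if [ ${MULTISTORE} ]; then 
      ${SSH} ${FILER} 'vfiler status'|grep running |awk '{print $1}'|while read VFILER REST
      do
        # Start from "finding" and clear it only when vscan reports enabled.
        # The default text replaces whatever an earlier check left in
        # CSV_Finding when the vscan output matches neither pattern.
        CSV_ScanStatus="true"
        CSV_FindingID="${FILER}-${VFILER}-vscan-enabled"
        CSV_Finding="${FILER}-${VFILER} vscan state could not be determined."
        let TTLCNT=${TTLCNT}+1
        SCANNING="`${SSH} ${FILER} \"vfiler run ${VFILER} vscan\"|grep scanning|grep disabled`"
        if [ "${SCANNING}" != "" ]; then
          CSV_ScanStatus="true"
          CSV_Finding="${FILER}-${VFILER} vscan is DISABLED. Should be enabled."
          echo "${FILER}-${VFILER} vscan is DISABLED. Should be enabled."|tee -a ${TMP}
          let WARNCNT=${WARNCNT}+1
        fi
        SCANNING="`${SSH} ${FILER} \"vfiler run ${VFILER} vscan\"|grep scanning|grep enabled`"
        if [ "${SCANNING}" != "" ]; then
          CSV_ScanStatus="false"
          CSV_FindingID=""
          CSV_Finding=""
          echo "  ${FILER}/${VFILER} vscan is enabled"|tee -a ${TMP}
        fi
        # One CSV row per vfiler. This row was missing, so vfiler results were
        # overwritten by the volume loop and never reached the CSV.
        echo "${CSV_SourceID};${CSV_ScanTime};${CSV_ScanTarget};${CSV_ScannedObject};${CSV_ScanSuccess};${CSV_ScanStatus};${CSV_FindingID};${CSV_Finding};${CSV_AppAttributes};${CSV_Customer};${CSV_ScanEngineName};${CSV_ScanEngineVersion};${CSV_ProofName};" >> ${TMPCSV}
      done  # VFILER
    else
      # Same default as in the vfiler branch: a finding until vscan reports enabled.
      CSV_ScanStatus="true"
      CSV_FindingID="${FILER}-vscan-enabled"
      CSV_Finding="${FILER} vscan state could not be determined."
      let TTLCNT=${TTLCNT}+1
      SCANNING="`${SSH} ${FILER} \"vscan\"|grep scanning|grep disabled`"
      if [ "${SCANNING}" != "" ]; then
        CSV_ScanStatus="true"
        CSV_Finding="${FILER} vscan is DISABLED. Should be enabled."
        echo "${FILER} vscan is DISABLED. Should be enabled."|tee -a ${TMP}
        let WARNCNT=${WARNCNT}+1
      fi
      SCANNING="`${SSH} ${FILER} \"vscan\"|grep scanning|grep enabled`"
      if [ "${SCANNING}" != "" ]; then
        CSV_ScanStatus="false"
        CSV_FindingID=""
        CSV_Finding=""
        echo "  ${FILER} vscan is enabled"|tee -a ${TMP}
      fi
      echo "${CSV_SourceID};${CSV_ScanTime};${CSV_ScanTarget};${CSV_ScannedObject};${CSV_ScanSuccess};${CSV_ScanStatus};${CSV_FindingID};${CSV_Finding};${CSV_AppAttributes};${CSV_Customer};${CSV_ScanEngineName};${CSV_ScanEngineVersion};${CSV_ProofName};" >> ${TMPCSV}
    fi  # MULTISTORE

# flex volumes
    # Every online volume gets its own CSV row; a volume whose "vol status"
    # output does not mention "flex" is a finding.
    FVCNT=0
    ${SSH} ${FILER} 'vol status'|grep online|awk '{print $1}'|while read VOL REST
    do
      CSV_ScanStatus="false"
      CSV_FindingID=""
      CSV_Finding=""
      let FVCNT=${FVCNT}+1
      let TTLCNT=${TTLCNT}+1
      FLEXVOL="`${SSH} ${FILER} \"vol status ${VOL}\"|grep flex`"
      if [ "${FLEXVOL}" = "" ]; then
        CSV_ScanStatus="true"
        CSV_FindingID="${FILER}-flex-volume"
        CSV_Finding="${FILER} ${VOL} is NO flex volume. Not allowed"
        CSV_ProofName="${CSV_FindingID}"
        echo "${FILER} ${VOL} is NO flex volume. Not allowed"|tee -a ${TMP}
        let WARNCNT=${WARNCNT}+1
      fi  # FLEXVOL
      echo "${CSV_SourceID};${CSV_ScanTime};${CSV_ScanTarget};${CSV_ScannedObject};${CSV_ScanSuccess};${CSV_ScanStatus};${CSV_FindingID};${CSV_Finding};${CSV_AppAttributes};${CSV_Customer};${CSV_ScanEngineName};${CSV_ScanEngineVersion};${CSV_ProofName};" >> ${TMPCSV}
    done  # VOL
    # FVCNT counts every online volume visited, flex or not.
    echo "  ${FILER} ${FVCNT} FlexVol's found."|tee -a ${TMP}
    if [ ${TTLCNT} -gt 0 ]; then
      let PERC="(${TTLCNT}-${WARNCNT})*100/${TTLCNT}"
    else
      let PERC="100"
    fi
    echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %"  | tee -a ${TMP}
  else
    echo "`date` No connectivity (ping). EC=${EC}"|tee -a ${LOG}
    CSV_ScanSuccess="false"
    CSV_ScanStatus=""
    CSV_FindingID=""
    CSV_Finding=""
    echo "${CSV_SourceID};${CSV_ScanTime};${CSV_ScanTarget};${CSV_ScannedObject};${CSV_ScanSuccess};${CSV_ScanStatus};${CSV_FindingID};${CSV_Finding};${CSV_AppAttributes};${CSV_Customer};${CSV_ScanEngineName};${CSV_ScanEngineVersion};${CSV_ProofName};" >> ${TMPCSV}
  fi  # PING
done  # FILER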


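echo "+ M118193 (3.7.3) Secure The Content Of Core Dumps"|tee -a ${TMP}
# Nothing is queried on the filer for this measure: a reachable filer is
# recorded with ScanStatus "not set" and a fixed explanation.
for FILER in `cat ${FILERS}|grep -v \^#|awk -F\; '{print $1}'|sort|grep "${FILTER}"`
do
  echo "" | tee -a ${TMP}
  echo "* ${FILER}" | tee -a ${TMP}
  echo "`date` ${PGM}: ${FILER}."|tee -a $LOG
  CSV_ScanTarget="${FILER}"
  CSV_ScanTime=`date +%Y-%m-%d'T'%H:%M:%S`
  CSV_ScannedObject="M118193_Secure-The-Content-Of-Core-Dumps"
  CSV_FindingID="Secure-The-Content-Of-Core-Dumps"
# Check connectivity of the filer
  ping -c 1 ${FILER}
  EC=${?}
  if [ ${EC} -eq 0 ]; then
    CSV_ScanSuccess="true"
    CSV_ScanStatus="not set"
    CSV_Finding="This option is not available in 7-mode."
    # Reset the counters: the summary line below used to print whatever the
    # previous measure or filer had left in WARNCNT, TTLCNT and PERC.
    WARNCNT=0
    TTLCNT=0
    PERC=100
    echo "  This option is not available in 7-mode."|tee -a ${TMP}
    echo "= 100 %"  | tee -a ${TMP}
    echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %"  | tee -a ${TMP}
  else
    echo "`date` No connectivity (ping). EC=${EC}"|tee -a ${LOG}
    CSV_ScanSuccess="false"
    CSV_ScanStatus=""
    CSV_FindingID=""
    CSV_Finding=""
  fi  # PING
  # One CSV row per filer in both branches. Before, the reachable case set
  # the CSV_* values but never wrote them, so the measure was missing from
  # the CSV for every filer that answered.
  echo "${CSV_SourceID};${CSV_ScanTime};${CSV_ScanTarget};${CSV_ScannedObject};${CSV_ScanSuccess};${CSV_ScanStatus};${CSV_FindingID};${CSV_Finding};${CSV_AppAttributes};${CSV_Customer};${CSV_ScanEngineName};${CSV_ScanEngineVersion};${CSV_ProofName};" >> ${TMPCSV}
done  # FILER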



# Measure M118113 (3.7.4): the Kerberos replay cache must be enabled.
echo "+ M118113 (3.7.4) Prevent Kerberos Passive Replay Attacks"|tee -a ${TMP}
# One pass per filer: first ';'-separated field of every non-comment line in
# ${FILERS}, sorted, then narrowed by ${FILTER}.
for FILER in $(cat ${FILERS}|grep -v \^#|awk -F\; '{print $1}'|sort|grep "${FILTER}")
do
  echo "" | tee -a ${TMP}
  echo "* ${FILER}" | tee -a ${TMP}
  echo "$(date) ${PGM}: ${FILER}."|tee -a $LOG
  CSV_ScanTarget="${FILER}"
  CSV_ScanTime=$(date +%Y-%m-%d'T'%H:%M:%S)
  CSV_ScannedObject="M118113_Prevent-Kerberos-Passive-Replay-Attacks"
  CSV_FindingID="Prevent-Kerberos-Passive-Replay-Attacks"

  # Reachability gate: a single ICMP echo, its exit code picks the branch.
  ping -c 1 ${FILER}
  EC=${?}
  if [ ${EC} -ne 0 ]; then
    # Unreachable filer: log it and write one ScanSuccess=false row.
    echo "$(date) No connectivity (ping). EC=${EC}"|tee -a ${LOG}
    CSV_ScanSuccess="false"
    CSV_ScanStatus=""
    CSV_FindingID=""
    CSV_Finding=""
    echo "${CSV_SourceID};${CSV_ScanTime};${CSV_ScanTarget};${CSV_ScannedObject};${CSV_ScanSuccess};${CSV_ScanStatus};${CSV_FindingID};${CSV_Finding};${CSV_AppAttributes};${CSV_Customer};${CSV_ScanEngineName};${CSV_ScanEngineVersion};${CSV_ProofName};" >> ${TMPCSV}
    continue
  fi

  CSV_ScanSuccess="true"
  # Counters start at zero for every filer; presumably CHECK_FILER_OPTIONS
  # (defined outside this section) updates them - confirm there.
  WARNCNT=0
  TTLCNT=0
  # Expected option value for this measure.
  # NOTE(review): appended (>>) once per filer; verify that
  # CHECK_FILER_OPTIONS clears the file between filers.
  cat << !EOF >> ${TMP}.options.M118113
kerberos.replay_cache.enable=on
!EOF
  CHECK_FILER_OPTIONS ${FILER} "M118113"
  # Share of checked options that raised no warning; 100 when nothing was counted.
  if [ ${TTLCNT} -gt 0 ]; then
    PERC=$(( (${TTLCNT}-${WARNCNT})*100/${TTLCNT} ))
  else
    PERC=100
  fi
  echo "= ${WARNCNT}/${TTLCNT} warnings = ${PERC} %"  | tee -a ${TMP}
done  # FILER


# Footer of the text report: origin, settings in effect and finish time.
echo "#"|tee -a ${TMP}
echo "# Output (${TXT}) from ${HOSTNAME} at $(date +%Y-%m-%d_%H:%M:%S) of ${PGM} version ${VER}"|tee -a ${TMP}
echo "# (etc)FILERS=${FILERS}, FILTER=${FILTER}, sentMAIL=${MAIL}, MAILTO=${MAILTO} MPF=${MAILPERFILER} "|tee -a ${TMP}
echo "# Ready at $(date)"|tee -a ${TMP}

# Keep a copy of the text report under a fixed name.
# NOTE(review): /tmp/${PGM}.out, .csv and .txt are fixed, shared-directory
# names and hold account names and failed hardening settings. On a multi-user
# host consider a private directory and restrictive permissions; changing the
# paths affects whatever collects these files.
cp ${TMP} /tmp/${PGM}.out

# Produce the final CSV: through the Perl filter when it is present in the
# current directory, else as a plain copy.
# NOTE(review): the filter is looked up and executed relative to the current
# working directory, so the result depends on where the script is started from.
if [ ! -f filter_sap_itc_files.pl ]; then
  cp ${TMPCSV} /tmp/${PGM}.csv
else
  echo "  Running ./filter_sap_itc_files.pl ${TMPCSV} /tmp/${PGM}.csv"|tee -a ${LOG}
  ./filter_sap_itc_files.pl ${TMPCSV} /tmp/${PGM}.csv
fi

# Optional mail: the text report and the CSV go out as two separate messages,
# each as an attachment; the dated copies are removed afterwards.
if [ ${MAIL} ]; then
  cp ${TMP} ${TXT}
  date|mailx -a ${TXT} -s ":${HOSTNAME}: Siemens M.P. security settings report (.TXT) at $(date +%Y-%m-%d_%H:%M:%S) [${PGM} v${VER}]" ${MAILTO}
  cp /tmp/${PGM}.csv ${CSV}
  date|mailx -a ${CSV} -s ":${HOSTNAME}: Siemens M.P. security settings output sheet (.CSV) at $(date +%Y-%m-%d_%H:%M:%S) [${PGM} v${VER}]" ${MAILTO}
  echo "$(date) ${PGM}: Mailed (.TXT & .CSV) to ${MAILTO}."|tee -a ${LOG}
  rm ${CSV} ${TXT}
fi  # if [ ${MAIL} ]

# Second fixed-name copy of the text report.
cp ${TMP} /tmp/${PGM}.txt

# Remove the per-run work files; the fixed-name copies above stay behind.
rm ${TMP} ${TMP}.options.M* ${TMP}.excludes ${WARN} ${TMPCSV} 
echo "$(date) ${PGM} (v$VER) finished."|tee -a $LOG
exit 0

