Hardening de Servidores Hp-ux
#!/usr/bin/ksh
# ### HP-UX Hardening Script ####
#
# _, _, _, _, _ __, __, _, ___ _ _, _ __,
# / ` | /_\ |\ | | \ |_ (_ | | |\ | |_
# \ , | , | | | \| |_/ | , ) | | | \| |
# ~ ~~~ ~ ~ ~ ~ ~ ~~~ ~ ~ ~ ~ ~ ~~~
###########################################
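echo " 4.4 Adicionar mensagem de Atenção "
###########################################
# Legal / acceptable-use banner shown at login.  /etc/issue is replaced
# outright; /etc/motd is appended to only when the banner text is not already
# there, so re-running the script does not stack duplicate copies.
banner=" TERMO DE RESPONSABILIDADE E COMPROMISSO SOBRE INFORMAÇÕES E USO DE RECURSOS COMPUTACIONAIS
#############################################################################################################################
."
# grep's stderr is silenced on purpose: /etc/motd may not exist yet.
if ! grep -q "TERMO DE RESPONSABILIDADE E COMPROMISSO" /etc/motd 2>/dev/null; then
  echo "$banner" >> /etc/motd
fi
echo "$banner" > /etc/issue
# World-readable, writable by root only (owner groups kept as in the original).
chown root:sys /etc/motd
chown root:root /etc/issue
chmod 644 /etc/motd /etc/issue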
########################################################################################
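echo "Utilizar o SSH (Secure Shell) como ferramenta de administração dos servidores"
########################################################################################
# Harden sshd_config.  Abort if the directory is missing: everything below
# uses relative paths, so a failed cd would rewrite files in whatever
# directory the script happened to be in.
cd /opt/ssh/etc || exit 1
cp -p sshd_config sshd_config.tmp || exit 1
# Each awk rule keeps its pattern and its action on ONE line.  In awk a
# pattern alone on a line is a complete rule (implicit print) and the
# "{ ... }" on the following line is a second, unconditional rule -- the
# original layout therefore applied every "$2 = ..." assignment to every
# line of the file instead of to the matching directive.  Commented-out
# PermitRootLogin / Banner lines are un-commented by rewriting $1.
# The result goes to a new file and replaces sshd_config only if awk
# succeeded, so a failure cannot leave an empty configuration behind.
awk '
/^Protocol/                { $2 = "2" }
/^X11Forwarding/           { $2 = "yes" }
/^IgnoreRhosts/            { $2 = "yes" }
/^RhostsAuthentication/    { $2 = "no" }
/^RhostsRSAAuthentication/ { $2 = "no" }
/(^#|^)PermitRootLogin/    { $1 = "PermitRootLogin"; $2 = "no" }
/^PermitEmptyPasswords/    { $2 = "no" }
/^#Banner/                 { $1 = "Banner"; $2 = "/etc/issue" }
{ print }' sshd_config.tmp > sshd_config.new \
  && cp sshd_config.new sshd_config
rm -f sshd_config.tmp sshd_config.new
chown root:sys ssh_config sshd_config
chmod go-w ssh_config sshd_config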
#########################################################################################
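echo " Serviços não utilizados do inet/xinet devem ser desabilitados ou removidos."
#########################################################################################
# Comment out unneeded services in /etc/inetd.conf and add matching "deny"
# entries to /var/adm/inetd.sec.  All inetd.conf paths below are relative to
# /etc, so a failed cd must abort rather than rewrite files elsewhere.
cd /etc || exit 1
touch /var/adm/inetd.sec
# Helper: comment out every inetd.conf line whose first field is $1.
# inetd.conf is replaced only when awk succeeded; the original copied the
# (possibly empty) output over it unconditionally.
disable_inetd_svc() {
  awk "(\$1 == \"$1\") { \$1 = \"#\" \$1 }; {print}" \
    inetd.conf > inetd.conf.new && cp inetd.conf.new inetd.conf
}
# Helper: add "<svc> deny" to inetd.sec unless an identical entry exists.
# Only a single space between the fields is recognised here; a tab-separated
# entry would be appended again (the character class may have lost a tab in
# transit -- TODO confirm against the installed inetd.sec).
deny_inetd_svc() {
  grep -E -q "^$1[ ]+deny[ ]*$" /var/adm/inetd.sec \
    || echo "$1 deny" >> /var/adm/inetd.sec
}
# Simple TCP/UDP test services and miscellany.
for svc in echo discard daytime chargen dtspc \
    exec ntalk finger uucp ident auth \
    instl_boots registrar recserv; do
  disable_inetd_svc "$svc"
  deny_inetd_svc "$svc"
done
# RPC services are matched on the daemon path component ("/rpc.rstatd").
for svc in rpc.rstatd rpc.rusersd rpc.rwalld \
    rpc.sprayd rpc.cmsd kcms_server; do
  awk "/\\/$svc/ { \$1 = \"#\" \$1 }; { print }" \
    inetd.conf > inetd.conf.new && cp inetd.conf.new inetd.conf
done
# Remote-access services.  NOTE: the "Só permitir ... se absolutamente
# necessário" sections that follow re-enable telnet, ftp, shell/login, tftp,
# printer and bootps unconditionally and drop their deny entries again;
# comment those sections out unless the service is really required here.
for svc in printer shell login telnet ftp tftp \
    bootps kshell klogin; do
  disable_inetd_svc "$svc"
  deny_inetd_svc "$svc"
done
# These RPC entries are matched at the start of the line ("rpc.rquotad/").
for svc in rpc.rquotad rpc.ttdbserver; do
  awk "/^$svc\\// { \$1 = \"#\" \$1 }; { print }" \
    inetd.conf > inetd.conf.new && cp inetd.conf.new inetd.conf
done
chown root:sys inetd.conf
chmod go-w,a-xs inetd.conf
rm -f inetd.conf.new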
#####################################################
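echo "Só permitir telnet se absolutamente necessário"
#####################################################
# Re-enables telnet (commented out by the inetd loop above), adding
# "-b /etc/issue" so the banner is shown, and removes its deny entry from
# inetd.sec.  This runs UNCONDITIONALLY -- comment the section out unless
# telnet is genuinely required; SSH is the intended administration channel.
# inetd.conf is replaced only when awk succeeded, so a failure cannot leave
# it truncated.
awk '/^#telnet/ {
$1 = "telnet"
print $0 " -b /etc/issue"; next}
{ print }
' /etc/inetd.conf > /etc/inetd.conf.new && cp /etc/inetd.conf.new /etc/inetd.conf
grep -Ev '^telnet[ ]+deny[ ]*$' \
  /var/adm/inetd.sec > /var/adm/inetd.sec.new
# grep exits 1 when no line remains; only status 2 signals an error.
[ $? -le 1 ] && cp /var/adm/inetd.sec.new /var/adm/inetd.sec
# The original removed /etc/inetd.sec.new, which never existed; the temp file
# lives in /var/adm.
rm -f /etc/inetd.conf.new /var/adm/inetd.sec.new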
######################################################
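echo "Só permitir FTP se for absolutamente necessário"
######################################################
# Re-enables ftp (commented out by the inetd loop above) with the "-l" flag
# appended and removes its deny entry from inetd.sec.  This runs
# UNCONDITIONALLY -- comment the section out unless ftp is really required.
# The original printed $0 "-l" without a space, gluing the flag onto the last
# field ("ftpd-l") and producing an unusable inetd.conf line.
# inetd.conf is replaced only when awk succeeded.
awk '
/^#ftp/ { $1 = "ftp"; print $0 " -l" ; next}
{ print }
' /etc/inetd.conf > /etc/inetd.conf.new && cp /etc/inetd.conf.new /etc/inetd.conf
grep -Ev '^ftp[ ]+deny[ ]*$' \
  /var/adm/inetd.sec > /var/adm/inetd.sec.new
# grep exits 1 when no line remains; only status 2 signals an error.
[ $? -le 1 ] && cp /var/adm/inetd.sec.new /var/adm/inetd.sec
# The inetd.sec temp file lives in /var/adm, not /etc as the original assumed.
rm -f /etc/inetd.conf.new /var/adm/inetd.sec.new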
################################################################
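echo "Só permitir rlogin/remsh/rcp se absolutamente necessário"
################################################################
# Re-enables the shell and login (remsh/rlogin/rcp) services commented out
# by the inetd loop above and removes their deny entries.  This runs
# UNCONDITIONALLY -- these are cleartext, .rhosts-trust protocols; comment
# the section out unless they are really required.  inetd.conf is replaced
# only when sed succeeded.
sed 's/^#shell/shell/; s/^#login/login/' \
  /etc/inetd.conf > /etc/inetd.conf.new && cp /etc/inetd.conf.new /etc/inetd.conf
grep -Ev '^(shell|login)[ ]+deny[ ]*$' \
  /var/adm/inetd.sec > /var/adm/inetd.sec.new
# grep exits 1 when no line remains; only status 2 signals an error.
[ $? -le 1 ] && cp /var/adm/inetd.sec.new /var/adm/inetd.sec
# The inetd.sec temp file lives in /var/adm, not /etc as the original assumed.
rm -f /etc/inetd.conf.new /var/adm/inetd.sec.new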
####################################################
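echo "Só permitir TFTP se absolutamente necessário"
####################################################
# Re-enables tftp (commented out by the inetd loop above) and removes its
# deny entry.  This runs UNCONDITIONALLY -- tftp is unauthenticated; comment
# the section out unless it is really required (e.g. for network boot).
# inetd.conf is replaced only when sed succeeded.
sed 's/^#tftp/tftp/' /etc/inetd.conf > /etc/inetd.conf.new \
  && cp /etc/inetd.conf.new /etc/inetd.conf
grep -Ev '^tftp[ ]+deny[ ]*$' \
  /var/adm/inetd.sec > /var/adm/inetd.sec.new
# grep exits 1 when no line remains; only status 2 signals an error.
[ $? -le 1 ] && cp /var/adm/inetd.sec.new /var/adm/inetd.sec
# The inetd.sec temp file lives in /var/adm, not /etc as the original assumed.
rm -f /etc/inetd.conf.new /var/adm/inetd.sec.new
# Presumably the directory served by tftp for Ignite -- TODO confirm.
mkdir -p /var/opt/ignite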
##############
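echo "printer"
##############
# Re-enables the printer (lpd) service commented out by the inetd loop above
# and removes its deny entry.  This runs UNCONDITIONALLY -- comment the
# section out unless the host really serves print requests.  inetd.conf is
# replaced only when sed succeeded.
sed 's/^#printer/printer/' /etc/inetd.conf > /etc/inetd.conf.new \
  && cp /etc/inetd.conf.new /etc/inetd.conf
grep -Ev '^printer[ ]+deny[ ]*$' \
  /var/adm/inetd.sec > /var/adm/inetd.sec.new
# grep exits 1 when no line remains; only status 2 signals an error.
[ $? -le 1 ] && cp /var/adm/inetd.sec.new /var/adm/inetd.sec
# The inetd.sec temp file lives in /var/adm, not /etc as the original assumed.
rm -f /etc/inetd.conf.new /var/adm/inetd.sec.new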
###################################################################
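echo "Só permitir BOOTP / DHCP daemon se absolutamente necessário"
###################################################################
# Re-enables bootps (commented out by the inetd loop above) and removes its
# deny entry.  This runs UNCONDITIONALLY -- comment the section out unless
# this host really is a BOOTP/DHCP server.  inetd.conf is replaced only when
# sed succeeded.
sed 's/^#bootps/bootps/' \
  /etc/inetd.conf > /etc/inetd.conf.new && cp /etc/inetd.conf.new /etc/inetd.conf
grep -Ev '^bootps[ ]+deny[ ]*$' \
  /var/adm/inetd.sec > /var/adm/inetd.sec.new
# grep exits 1 when no line remains; only status 2 signals an error.
[ $? -le 1 ] && cp /var/adm/inetd.sec.new /var/adm/inetd.sec
# The inetd.sec temp file lives in /var/adm, not /etc as the original assumed.
rm -f /etc/inetd.conf.new /var/adm/inetd.sec.new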
##################################################
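echo "Desativar login: prompts em portas seriais"
##################################################
# Comment out every non-comment inittab entry that runs a getty on a tty,
# disabling serial-port login prompts (lines without the substring "tty" are
# untouched).  Filter into a separate file and swap only on success: the
# original wrote sed's output straight into /etc/inittab, so a sed failure
# would have left the system with an empty inittab.
sed 's/^[^#].*getty.*tty.*$/#&/' \
  /etc/inittab > /etc/inittab.new && cp /etc/inittab.new /etc/inittab
rm -f /etc/inittab.new
chown root:sys /etc/inittab
chmod go-w,ug-s /etc/inittab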
############################################
echo "Desabilitar o login GUI, se possível"
############################################
# Turn off the CDE desktop login (empty DESKTOP value) and strip group/other
# write and setuid/setgid bits from the dt helper binaries.
ch_rc -a -p DESKTOP="" /etc/rc.config.d/desktop
for dtbin in dtaction dtappgather dtprintinfo dtsession; do
  chmod go-w,ug-s "/usr/dt/bin/$dtbin"
done
##########################################
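echo "desabilitar o sendmail se possivel"
##########################################
# Stop the sendmail daemon from listening at boot; keep outbound mail
# flowing by running the queue hourly from root's crontab.  The cron line
# is added only once, so re-running the script does not duplicate it.
ch_rc -a -p SENDMAIL_SERVER=0 /etc/rc.config.d/mailservs
cd /var/spool/cron/crontabs || exit 1
queue_job='0 * * * * /usr/lib/sendmail -q'
# "crontab -l" fails noisily when root has no crontab yet; an empty file is
# the correct starting point in that case.
crontab -l > root.tmp 2>/dev/null
if ! grep -Fq "$queue_job" root.tmp; then
  echo "$queue_job" >> root.tmp
  crontab root.tmp
fi
rm -f root.tmp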
##############################################################
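echo "Desativar agentes SNMP e OpenView"
#(Se o gerenciamento remoto ou monitoramento não é necessário)
##############################################################
# Rename the rc start scripts so they no longer run at boot (the ".NO"
# prefix keeps them findable) and switch the SNMP subagents off in
# rc.config.d.  Abort if the rc directory is missing so nothing is renamed
# in an unrelated directory.
cd /sbin/rc2.d || exit 1
for file in S565OspfMib S941opcagt S570SnmpFddi; do
  # Skip scripts not installed on this host (or already renamed).
  if [ -f "$file" ]; then
    mv -f "$file" ".NO$file"
  fi
done
ch_rc -a -p SNMP_HPUNIX_START=0 \
  /etc/rc.config.d/SnmpHpunix
ch_rc -a -p SNMP_MASTER_START=0 \
  /etc/rc.config.d/SnmpMaster
ch_rc -a -p SNMP_MIB2_START=0 \
  /etc/rc.config.d/SnmpMib2
ch_rc -a -p SNMP_TRAPDEST_START=0 \
  /etc/rc.config.d/SnmpTrpDst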
################################################
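echo "Desativar outros serviços de boot padrão"
################################################
# Switch off boot-time daemons not needed on a hardened server.
# The original repeated the samba / cifsclient / nfsconf / ns-ftrack /
# apacheconf / S400nfs.core stanza twice (second copy dropped here) and had
# a stray backslash in "\-p DDFA=0".  NFS_SERVER=0, NS_FTRACK=0 and
# APACHE_START=0 set here are turned back on by the "nfs" and
# "configuração de servidores web" sections below -- keep only the setting
# that applies to this host.
ch_rc -a -p START_SNAPLUS=0 -p START_SNANODE=0 \
  -p START_SNAINETD=0 /etc/rc.config.d/snaplus2
ch_rc -a -p MROUTED=0 -p RWHOD=0 -p DDFA=0 \
  -p START_RBOOTD=0 /etc/rc.config.d/netdaemons
ch_rc -a -p DCE_KRPC=0 -p DFS_CORE=0 -p DFS_CLIENT=0 \
  -p DFS_SERVER=0 -p DFS_EPISODE=0 -p EPIINIT=0 \
  -p DFSEXPORT=0 -p BOSSERVER=0 -p DFSBIND=0 \
  -p FXD=0 -p MEMCACHE=0 -p DFSGWD=0 \
  -p DISKCACHEFORDFS=0 /etc/rc.config.d/dfs
ch_rc -a -p RARPD=0 -p RDPD=0 /etc/rc.config.d/netconf
ch_rc -a -p PTYDAEMON_START=0 /etc/rc.config.d/ptydaemon
ch_rc -a -p VTDAEMON_START=0 /etc/rc.config.d/vt
ch_rc -a -p NAMED=0 /etc/rc.config.d/namesvrs
ch_rc -a -p PEER_SNMPD_START=0 \
  /etc/rc.config.d/peer.snmpd
ch_rc -a -p START_I4LMD=0 /etc/rc.config.d/i4lmd
ch_rc -a -p RUN_X_FONT_SERVER=0 /etc/rc.config.d/xfs
ch_rc -a -p AUDIO_SERVER=0 /etc/rc.config.d/audio
ch_rc -a -p SLSD_DAEMON=0 /etc/rc.config.d/slsd
ch_rc -a -p RUN_SAMBA=0 /etc/rc.config.d/samba
ch_rc -a -p RUN_CIFSCLIENT=0 \
  /etc/rc.config.d/cifsclient
ch_rc -a -p NFS_SERVER=0 \
  -p NFS_CLIENT=0 /etc/rc.config.d/nfsconf
ch_rc -a -p NS_FTRACK=0 /etc/rc.config.d/ns-ftrack
ch_rc -a -p APACHE_START=0 /etc/rc.config.d/apacheconf
# Disable the NFS core start script by renaming it (only if still present,
# so a re-run does not fail on the already-renamed file).
if [ -f /sbin/rc2.d/S400nfs.core ]; then
  mv -f /sbin/rc2.d/S400nfs.core \
    /sbin/rc2.d/.NOS400nfs.core
fi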
##########
echo "nfs"
##########
# Turns the NFS server back on.  NOTE: this reverses NFS_SERVER=0 set in the
# boot-services section above -- decide which of the two applies to this host.
nfsconf=/etc/rc.config.d/nfsconf
ch_rc -a -p NFS_SERVER=1 "$nfsconf"
# ch_rc -a -p NFS_CLIENT=1 "$nfsconf"
######################################
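echo "configuração de servidores web"
######################################
# Enables the HP web-server stack.  The original split the three HPWS
# ch_rc calls across two lines WITHOUT a trailing backslash, so ch_rc ran
# without its file argument and the shell then tried to execute the
# rc.config.d file itself.  NS_FTRACK=1 was also listed twice.
# NOTE: APACHE_START=1 / NS_FTRACK=1 here reverse the =0 settings made in
# the boot-services section above -- keep only the one that applies.
ch_rc -a -p NS_FTRACK=1 /etc/rc.config.d/ns-ftrack
ch_rc -a -p APACHE_START=1 /etc/rc.config.d/apacheconf
ch_rc -a -p HPWS_APACHE32_START=1 \
  /etc/rc.config.d/hpws_apache32conf
ch_rc -a -p HPWS_TOMCAT_START=1 \
  /etc/rc.config.d/hpws_tomcatconf
ch_rc -a -p HPWS_WEBMIN_START=1 \
  /etc/rc.config.d/hpws_webminconf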
######################
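echo "kernel tunning"
######################
# Make process stacks non-executable system-wide (-K kept as in the
# original; see kctune(1M) for its exact persistence semantics).
kctune -K executable_stack=0
#Action (older HP-UX 11i releases):
#/usr/sbin/kmtune -s executable_stack=0 &&
#mk_kernel &&
#kmupdate
#####################################################################
echo " Alterar as configurações de rede utilizadas pelo Kernel"
#####################################################################
# Write the ndd network-tuning file.  The file is REPLACED, not merged: any
# existing site-specific nddconf entries are lost, so review the current
# contents first.  Abort if the directory is missing so the file is not
# created in an unrelated directory (the heredoc uses a relative path).
# The delimiter is quoted because nothing in the body should be expanded.
cd /etc/rc.config.d || exit 1
cat <<'EOF' > nddconf
# Increase size of half-open connection queue
TRANSPORT_NAME[0]=tcp
NDD_NAME[0]=tcp_syn_rcvd_max
NDD_VALUE[0]=4096
# Reduce timeouts on ARP cache
TRANSPORT_NAME[1]=arp
NDD_NAME[1]=arp_cleanup_interval
NDD_VALUE[1]=60000
# Drop source-routed packets
TRANSPORT_NAME[2]=ip
NDD_NAME[2]=ip_forward_src_routed
NDD_VALUE[2]=0
# Don't forward directed broadcasts
TRANSPORT_NAME[3]=ip
NDD_NAME[3]=ip_forward_directed_broadcasts
NDD_VALUE[3]=0
# Don't respond to unicast ICMP timestamp requests
TRANSPORT_NAME[4]=ip
NDD_NAME[4]=ip_respond_to_timestamp
NDD_VALUE[4]=0
# Don't respond to broadcast ICMP tstamp reqs
TRANSPORT_NAME[5]=ip
NDD_NAME[5]=ip_respond_to_timestamp_broadcast
NDD_VALUE[5]=0
# Don't respond to ICMP address mask requests
TRANSPORT_NAME[6]=ip
NDD_NAME[6]=ip_respond_to_address_mask_broadcast
NDD_VALUE[6]=0
# Don't respond to broadcast echo requests
TRANSPORT_NAME[7]=ip
NDD_NAME[7]=ip_respond_to_echo_broadcast
NDD_VALUE[7]=0
EOF
chown root:sys nddconf
chmod go-w,ug-s nddconf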
#############################################################
echo "Confirmar as permissões em arquivos de log do sistema"
#############################################################
# Walk the log destinations named in /etc/syslog.conf (second field of each
# non-comment line, when it starts with "/").  Directories, devices and
# pipes are left alone; missing files are created mode 0640, existing
# regular files lose other-write.
awk '
$0 !~ /^#/ && $2 ~ "^/" { print $2 }
' /etc/syslog.conf | sort -u | while read file; do
  if [ -d "$file" ] || [ -c "$file" ] || [ -b "$file" ] || [ -p "$file" ]; then
    continue
  fi
  if [ -f "$file" ]; then
    chmod o-w "$file"
  else
    mkdir -p "$(dirname "$file")"
    touch "$file"
    chmod 640 "$file"
  fi
done
# Other well-known log and SAM work files: remove other-write.  Paths that
# do not exist on this host make chmod report an error and carry on.
hostname=$(uname -n)
for logfile in \
  /tmp/snmpd.log \
  /var/X11/Xserver/logs/X0.log \
  /var/X11/Xserver/logs/X1.log \
  /var/X11/Xserver/logs/X2.log \
  /var/adm/automount.log \
  /var/adm/snmpd.log \
  /var/opt/dce/svc/error.log \
  /var/opt/dce/svc/fatal.log \
  /var/opt/dce/svc/warning.log \
  /var/opt/dde/dde_error_log \
  /var/opt/hppak/hppak_error_log \
  /var/opt/ignite/logs/makrec.log1 \
  /var/opt/ignite/recovery/fstab \
  /var/opt/ignite/recovery/group.makrec \
  /var/opt/ignite/recovery/passwd.makrec \
  /var/opt/resmon/log \
  /var/opt/scr/log/scrlog.log \
  /var/opt/scr/log/scrlog.old \
  /var/sam/hpbottom.dion \
  /var/sam/hpbottom.iout \
  /var/sam/hpbottom.iout.old \
  "/var/sam/$hostname.dion" \
  "/var/sam/$hostname.iout" \
  "/var/sam/$hostname.iout.old" \
  /var/sam/lock \
  /var/sam/log/samlog \
  /var/sam/log/sam_tm_work \
  /var/adm/sw \
  /var/adm/sw/save \
  /var/adm/sw/patch
do
  chmod o-w "$logfile"
done
########################################
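echo "Definir sticky bit em diretórios"
########################################
# List world-writable directories that lack the sticky bit, skipping
# network and cached filesystems.  The original ended in a typographic dash
# ("–print"), which find does not accept, so the command never produced
# output.  This step only REPORTS candidates; to actually set the bit,
# review the list and run "chmod +t" on each directory.
find / \( -fstype nfs -o -fstype cifs -o \
  -fstype cachefs \) -prune -o -type d -a \( -perm -0002 \
  -a ! -perm -1000 \) -print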
##########################
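echo "Desabilitar XDMCP"
##########################
# Refuse XDMCP connections by setting Dtlogin.requestPort to 0 in the site
# copy of Xconfig (seeded from /usr/dt/config when missing).  If no Xconfig
# can be found -- e.g. CDE is not installed -- the step is skipped with a
# message instead of copying an empty file over Xconfig.  Xconfig is
# replaced only when awk succeeded.  If the file has no requestPort line,
# none is added.
if [ ! -f /etc/dt/config/Xconfig ]; then
  mkdir -p /etc/dt/config
  cp -p /usr/dt/config/Xconfig /etc/dt/config
fi
if [ -f /etc/dt/config/Xconfig ]; then
  cd /etc/dt/config || exit 1
  awk '/Dtlogin.requestPort:/ { print "Dtlogin.requestPort: 0"; next }
  { print }' Xconfig > Xconfig.new && cp Xconfig.new Xconfig
  rm -f Xconfig.new
else
  echo "Desabilitar XDMCP: /etc/dt/config/Xconfig not found, step skipped" >&2
fi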
###################################
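echo "locking screensaver timeout"
###################################
# For every CDE language directory that ships a sys.resources template,
# create the matching /etc/dt/config/<lang> override with dtsession saver
# and lock timeouts of 10.  Skip when the glob matches nothing (the literal
# "*" would otherwise become a directory name under /etc/dt/config), and do
# not append the same resource line twice on re-runs.
for file in /usr/dt/config/*/sys.resources; do
  [ -f "$file" ] || continue
  dir="$(dirname "$file" | sed 's|^/usr/|/etc/|')"
  mkdir -p "$dir"
  for res in 'dtsession*saverTimeout: 10' 'dtsession*lockTimeout: 10'; do
    # grep's stderr is silenced on purpose: the override may not exist yet.
    grep -Fq "$res" "$dir/sys.resources" 2>/dev/null \
      || echo "$res" >> "$dir/sys.resources"
  done
done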
###########################
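echo "configurando o inetd"
###########################
# Append an "allow <netblocks>" and a "deny" line to inetd.sec for every
# service still listed in inetd.conf.  netblocks is a TEMPLATE VALUE and
# must be replaced with the real hosts/networks before use; while the
# placeholder is still present the step is skipped, so the literal
# "<system-or-network>" text never lands in inetd.sec.  (The original also
# contained a regex split across two lines, which is a syntax error in awk,
# so the whole step silently did nothing.)  Whether inetd.sec honours both
# an allow and a deny line for the same service is not checked here --
# confirm against inetd.sec(4) before relying on it.
netblocks='<system-or-network> <system-or-network> ...'
case "$netblocks" in
  *'<system-or-network>'*)
    echo "configurando o inetd: edit netblocks first; step skipped" >&2 ;;
  *)
    awk < /etc/inetd.conf '
    /^[ ]*(#|$)/ { next }
    /^rpc[ ]/ { services[$9]=1; next }
    { services[$1]=1; next }
    END {
      for(service in services) {
        print service " allow '"$netblocks"'"
        print service " deny"
      }
    }
    ' >> /var/adm/inetd.sec ;;
esac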
#############################
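echo " restringir o cron/at"
#############################
# Only root may use cron and at: drop the deny lists and create allow lists
# containing root alone.  Abort if the directory is missing so nothing is
# deleted or written elsewhere (the paths below are relative).
cd /var/adm/cron || exit 1
rm -f cron.deny at.deny
echo root > cron.allow
echo root > at.allow
chown root:sys cron.allow at.allow
chmod 400 cron.allow at.allow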
################################
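echo " configurando o crontab "
################################
# Make every installed crontab root-owned and root-read-only.  The original
# did not check the cd, so "chmod 400 *" would have run in whatever
# directory the script was in had the spool directory been missing; it also
# passed a literal "*" to chown/chmod when the directory was empty.
cd /var/spool/cron/crontabs || exit 1
for tab in *; do
  [ -f "$tab" ] || continue
  chown root:sys "$tab"
  chmod 400 "$tab"
done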
####################################################################
echo " Permitir login como root somente em um único terminal. "
####################################################################
# Root may log in directly on the console only: /etc/securetty lists the
# permitted terminals and is readable by root alone.
securetty=/etc/securetty
echo console > "$securetty"
chown root:sys "$securetty"
chmod 600 "$securetty"
##############################
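echo "acesso seguro para RPC"
##############################
# Prepend "-d" to keyserv's options (see keyserv(1M) for the flag).  The
# current value is read by sourcing the rc file in a separate sh so none of
# its other variables leak into this script.  When -d is already present the
# call is skipped; the original prepended another "-d" on every run.
keyserv_opts=$(sh -c '. /etc/rc.config.d/namesvrs ; echo "$KEYSERV_OPTIONS"')
case " $keyserv_opts " in
  *' -d '*) ;;
  *)
    ch_rc -a -p KEYSERV_OPTIONS="-d $keyserv_opts " \
      /etc/rc.config.d/namesvrs ;;
esac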
##############
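echo "system"
##############
# Lock the system/service accounts and give them a non-login shell.  The
# original used a typographic dash ("passwd –l"), which is not the -l
# option, so the accounts were never actually locked.  The modprpw call is
# the trusted-system counterpart; B.10 releases take the extra "*" form
# (confirm the -w semantics against modprpw(1M) on this release).
for user in www sys smbnull iwww owww sshd \
    hpsmh named uucp nuucp adm daemon bin lp \
    nobody noaccess hpdb useradm; do
  passwd -l "$user"
  /usr/sbin/usermod -s /bin/false "$user"
  if [[ "$(uname -r)" = B.10* ]]; then
    /usr/lbin/modprpw -w "*" "$user"
  else
    /usr/lbin/modprpw -w "$user"
  fi
done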
######################################################################################
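echo " Políticas de senhas devem estar conforme a norma de senhas e autenticação"
######################################################################################
# Apply password ageing to every account that is neither locked ("LK") nor
# root: 91-day maximum, 7-day minimum, 28-day warning.  The original used
# typographic dashes ("–x", "–n", "–w"), which passwd does not recognise as
# options.
logins -ox \
  | awk -F: '($8 != "LK" && $1 != "root") { print $1 }' \
  | while read logname; do
  passwd -x 91 -n 7 -w 28 "$logname"
  # Trusted-system counterpart.  NOTE(review): 90/7/30 here does not match
  # the 91/7/28 used by passwd and /etc/default/security -- confirm which
  # set is intended.
  /usr/lbin/modprpw -m exptm=90,mintm=7,expwarn=30 \
    "$logname"
done
# System-wide defaults.  ch_rc replaces an existing setting instead of
# appending a duplicate line on every run, and matches how this file is
# edited in the "verificar senhas" section below.
ch_rc -a -p PASSWORD_MAXDAYS=91 /etc/default/security
ch_rc -a -p PASSWORD_MINDAYS=7 /etc/default/security
ch_rc -a -p PASSWORD_WARNDAYS=28 /etc/default/security
/usr/lbin/modprdef -m exptm=90,mintm=7,expwarn=30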
#########################
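echo "verificar senhas "
#########################
# Password length, history and composition rules in /etc/default/security.
# The original used typographic dashes ("–a", "–p"), which are not the -a /
# -p options, so none of these settings were applied.
ch_rc -a -p MIN_PASSWORD_LENGTH=7 /etc/default/security
ch_rc -a -p PASSWORD_HISTORY_DEPTH=10 /etc/default/security
ch_rc -a -p PASSWORD_MIN_UPPER_CASE_CHARS=1 /etc/default/security
ch_rc -a -p PASSWORD_MIN_DIGIT_CHARS=1 /etc/default/security
ch_rc -a -p PASSWORD_MIN_SPECIAL_CHARS=1 /etc/default/security
ch_rc -a -p PASSWORD_MIN_LOWER_CASE_CHARS=1 /etc/default/security
# Trusted-system defaults: no empty passwords, restricted passwords on.
modprdef -m nullpw=NO
modprdef -m rstrpw=YES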
#########################################################################
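echo " Serviços desnecessários da inicialização devem ser removidos "
#########################################################################
# (Heading kept from the original; the step actually removes the per-user
# .netrc / .rhosts / .shosts trust files from every account's home
# directory.)  Accounts with an empty home field are skipped: "$h/.rhosts"
# would otherwise resolve to /.rhosts and the like.
logins -ox | cut -f6 -d: | while read h; do
  [ -n "$h" ] || continue
  for file in "$h/.netrc" "$h/.rhosts" "$h/.shosts"; do
    if [ -f "$file" ]; then
      echo "removing $file"
      rm -f "$file"
    fi
  done
done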
#############################################################################################################
#echo " Usuários administradores não devem utilizar o usuário root para as tarefas do dia a dia"
#############################################################################################################
# Instalação do sudo
#http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXIEXP1123, #http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXIEXP1111
##############################################
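echo "Umask padrão definido para os usuários"
#############################################
# Default umask 077 for the sh/ksh and csh login profiles and the d.*
# defaults.  The line is appended only when not already present, so re-runs
# do not pile up duplicates.  The original used a typographic dash
# ("ch_rc –a"), which is not the -a option.
cd /etc || exit 1
for file in profile csh.login d.profile d.login; do
  # grep's stderr is silenced on purpose: the file may not exist yet
  # (the original also created it via >>).
  grep -q '^umask 077' "$file" 2>/dev/null || echo umask 077 >> "$file"
done
ch_rc -a -p UMASK=077 /etc/default/security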
echo " criando symlinks"
# Point the host-wide trust files at /dev/null so nothing can be stored in
# them; anything already there is discarded first.
for trust_file in /.rhosts /.shosts /etc/hosts.equiv /.netrc; do
  rm -f "$trust_file"
  ln -s /dev/null "$trust_file"
done
################################################################
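echo " Colocar opção nodev em todos os pontos de montagem "
################################################################
# Rewrite /etc/fstab mount options: /opt becomes read-only (any leading
# rw/delaylog is dropped) and every other entry except swap, ignore, / and
# /usr gains nosuid.  (The heading says nodev but the filter adds nosuid --
# kept as written; confirm which is intended.)  The filtered result goes to
# a separate file and replaces /etc/fstab only if awk succeeded; the
# original wrote straight into /etc/fstab, so an awk failure would have
# left the system with an empty fstab and no backup.
cp -p /etc/fstab /etc/fstab.tmp || exit 1
awk '
$0 ~ /^[\t ]*#/ \
|| $3 ~ /^(swap|ignore)$/ \
|| $2 ~ "^(swap$|/$|/usr($|/))" { print; next }
{
if($2 ~ "^/opt($|/)") {
if($4 !~ /(^|,)ro($|,)/) {
$4 = $4 ",ro"
}
sub(/(^|,)(rw|delaylog),/, ",", $4)
} else if ($4 !~ /(^|,)nosuid($|,)/) {
$4 = $4 ",nosuid"
sub(/(^|,)suid,/, ",", $4)
}
sub(/^(defaults,|,)/, "", $4)
print
}
' /etc/fstab.tmp > /etc/fstab.new && cp /etc/fstab.new /etc/fstab
rm -f /etc/fstab.tmp /etc/fstab.new
chmod a-wx,ug-s /etc/fstab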
###############################
echo " remover compiladores "
# Removes the aCC and gcc compiler products from this host.  Irreversible
# without the install media; confirm nothing on the host builds locally.
swremove aCC gcc
##############################
# ### HP-UX Hardening Script ####
#