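def _set_password_config(self):
    """Apply the password-ageing policy to login.defs and to every existing user.

    Backs up /etc/shadow and /etc/login.defs, writes the ageing defaults to
    login.defs, sets the default inactivity lock for accounts created later,
    then applies the same limits with ``chage`` to each existing user except
    the one named by the operator.  The per-user values are derived from the
    same constants as the login.defs entries so the two cannot drift apart.
    """
    common.backup("/etc/shadow")
    path = "/etc/login.defs"
    common.backup(path)

    # Single source of truth for both the login.defs defaults and the
    # per-user chage calls below.
    max_days = "365"
    min_days = "7"
    warn_age = "7"
    inactive_days = "30"
    params = {
        "PASS_MAX_DAYS": max_days,
        "PASS_MIN_DAYS": min_days,
        "PASS_WARN_AGE": warn_age,
    }
    common.change_parameters(path, params)

    # Default inactivity lock for accounts created via useradd from now on.
    common.run("useradd -D -f {}".format(inactive_days))

    current_user = common.input_text("What is the current username")
    users = common.get_current_users()
    for user in users:
        # The operator's own account is left untouched -- presumably so
        # "passwd --expire" does not force a change on the session running
        # this tool.
        if user == current_user:
            continue
        # NOTE(review): user names are interpolated unquoted into command
        # strings; whether common.run / run_full go through a shell is not
        # visible here -- confirm, and quote if they do.
        common.run_full("chage --lastday $(date +%Y/%m/%d) {}".format(user))
        common.run("chage --maxdays {} {}".format(max_days, user))
        common.run("chage --mindays {} {}".format(min_days, user))
        common.run("chage --warndays {} {}".format(warn_age, user))
        common.run("chage --inactive {} {}".format(inactive_days, user))
        # Force a password change at next login.
        common.run("passwd --expire {}".format(user))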
def _set_shadow(self):
    """Make system accounts (UID below UID_MIN) unusable for interactive login.

    Two shell pipelines do the work: the first gives every system account a
    non-login shell, the second locks every non-root system account whose
    ``passwd -S`` status is not already locked.  Finally root's primary group
    is pinned to GID 0.
    """
    # Every account below UID_MIN (read from /etc/login.defs), except root,
    # sync, shutdown, halt and NIS "+" entries, gets the nologin shell unless
    # it already has nologin or /bin/false.
    set_nologin_shell = (
        "awk -F: '($1!=\"root\" && $1!=\"sync\" && $1!=\"shutdown\" && $1!=\"halt\" && $1!~/^\\+/ && $3<'\"$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs)\"' && $7!=\"'\"$(which nologin)\"'\" && $7!=\"/bin/false\") {print $1}' /etc/passwd | while read user; do usermod -s $(which nologin) $user; done"
    )
    # Same UID_MIN filter, root excluded; any account whose passwd -S status
    # is neither "L" nor "LK" is locked with usermod -L.
    lock_unlocked_system_accounts = (
        "awk -F: '($1!=\"root\" && $1!~/^\\+/ && $3<'\"$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs)\"') {print $1}' /etc/passwd | xargs -I '{}' passwd -S '{}' | awk '($2!=\"L\" && $2!=\"LK\") {print $1}' | while read user; do usermod -L $user; done"
    )

    common.run_full(set_nologin_shell)
    common.run_full(lock_unlocked_system_accounts)

    # Root's primary group must be GID 0.
    common.run("usermod -g 0 root")
def _check_shadow(self):
    """Remind the operator to confirm every account's last password change lies in the past.

    The comparison is done in the shell -- ``chage --list`` output against
    ``date`` -- and whatever it prints is surfaced as a reminder rather than
    acted upon.
    """
    # TODO do this automatically
    list_future_changes = (
        "for usr in $(cut -d: -f1 /etc/shadow); do [[ $(chage --list $usr | grep '^Last password change' | cut -d: -f2) > $(date) ]] && echo \"$usr :$(chage --list $usr | grep '^Last password change' | cut -d: -f2)\"; done"
    )
    output = common.run_full(list_future_changes)
    # Nothing printed means nothing to review.
    if output == "":
        return
    common.reminder("Ensure these are all in the past:\n" + str(output))
def execute(self):
    """Execute plugin."""
    path = "/etc/ssh/sshd_config"
    if not os.path.isfile(path):
        common.info("{} not found, skipping SSH".format(path))
        return
    common.backup(path)

    # The daemon config itself: root-owned and unreadable by anyone else.
    common.run("chown root:root {}".format(path))
    common.run("chmod og-rwx {}".format(path))

    # Host keys under /etc/ssh: private keys root-owned and 0600, public keys
    # 0644 and root-owned.  Each entry is (filename glob, command run through
    # find -exec), in the same sequence as before.
    find_template = "find /etc/ssh -xdev -type f -name '{}' -exec {} {{}} \\;"
    host_key_fixes = (
        ("ssh_host_*_key", "chown root:root"),
        ("ssh_host_*_key", "chmod 0600"),
        ("ssh_host_*_key.pub", "chmod 0644"),
        ("ssh_host_*_key.pub", "chown root:root"),
    )
    for name_glob, fix in host_key_fixes:
        common.run_full(find_template.format(name_glob, fix))

    params = {
        # NOTE(review): "Protocol" is ignored by current OpenSSH releases
        # (protocol 1 was removed); harmless but worth confirming.
        "Protocol": "2",
        "LogLevel": "VERBOSE",
        "X11Forwarding": "no",
        "MaxAuthTries": "4",
        "IgnoreRhosts": "yes",
        "HostbasedAuthentication": "no",
        # NOTE(review): this value appears redacted in this copy of the
        # file -- confirm the intended setting before applying it.
        "PermitRootLogin": "******",
        "PermitEmptyPasswords": "no",
        "PermitUserEnvironment": "no",
        # NOTE(review): the "[email protected]" tokens below look like an
        # extraction artefact standing in for vendor-suffixed algorithm names
        # (e.g. the "@openssh.com" variants); sshd refuses to start on an
        # unknown algorithm name, so verify these against sshd_config(5)
        # before deploying.
        "Ciphers": "[email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr",
        "MACs": "[email protected],[email protected],hmac-sha2-512,hmac-sha2-256",
        "KexAlgorithms": "[email protected],ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256",
        "ClientAliveInterval": "300",
        # NOTE(review): on recent OpenSSH a ClientAliveCountMax of 0 disables
        # the idle disconnect instead of enforcing it -- verify against the
        # target version.
        "ClientAliveCountMax": "0",
        "LoginGraceTime": "60",
        "Banner": "/etc/issue.net",
        "UsePAM": "yes",
        "AllowTcpForwarding": "no",
        "maxstartups": "10:30:60",
        "MaxSessions": "4",
    }
    common.change_parameters(path, params)
    common.warn("Not doing anything about ssh access, (groups, users)")
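def execute(self):
    """Sets Permissions on Important Files.

    Tightens owner, group and mode on the account databases and their
    trailing-dash backup copies, then lists every setuid file on local
    filesystems for the operator to review.
    """
    # (path, owner, group, mode) in the order they are applied.  The
    # backup copies (trailing "-") get the same treatment as the live files.
    targets = (
        ("/etc/passwd", "root", "root", "644"),
        ("/etc/shadow", "root", "shadow", "o-rwx,g-wx"),
        ("/etc/group", "root", "root", "644"),
        ("/etc/gshadow", "root", "shadow", "o-rwx,g-rw"),
        ("/etc/passwd-", "root", "root", "u-x,go-wx"),
        ("/etc/shadow-", "root", "root", "o-rwx,g-rw"),
        ("/etc/group-", "root", "root", "u-x,go-wx"),
        ("/etc/gshadow-", "root", "root", "o-rwx,g-rw"),
    )
    for file_path, owner, group, mode in targets:
        common.set_permissions(file_path, owner, group, mode)

    # Every setuid (-perm -4000) regular file on each locally mounted
    # filesystem; surfaced as a reminder, not acted upon.
    suid_files = common.run_full(
        "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000"
    )
    # str() matches how _check_shadow handles run_full output and keeps the
    # concatenation safe if the helper ever returns None.
    common.reminder("Check there are no rogue programs:\n" + str(suid_files))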
def execute(self):
    """Remove the packages."""
    programs = _list_windows_programs()
    total = len(programs)

    # As this will take lots of manual labour, ask if they would like to check each program.
    check = common.input_yesno(
        "Found {} programs. Would you like to manually check them".format(total))
    # Only an explicit "no" aborts; any other answer falls through.
    if check is False:
        return

    for position, program in enumerate(programs, start=1):
        if program["UninstallString"] is None:
            common.warn(
                "The program '{}' (by '{}') cannot be automatically removed. If it is of concern please remove it manually."
                .format(program["DisplayName"], program["Publisher"]))
            continue
        if _check_whitelist(program):
            common.debug(
                "The program '{}' (by '{}') is being skipped as it is whitelisted."
                .format(program["DisplayName"], program["Publisher"]))
            continue
        keep = common.input_yesno(
            "({}/{}) Would you like to keep the program '{}' (by '{}')".format(
                position, total, program["DisplayName"], program["Publisher"]))
        if keep:
            continue
        # NOTE(review): the uninstall command comes straight from the
        # program's own registry entry, so whatever software wrote that
        # entry decides what runs here with this tool's privileges.
        common.run_full(program["UninstallString"])

    common.debug("Removed packages!")
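def _change_password(self, user, password):
    """Set *user*'s password to *password* on the current OS.

    The secret is never logged and never interpolated into a shell command
    line: on Linux it is written to ``chpasswd`` over stdin, on Windows it is
    passed as a discrete argv element to ``net user`` with no shell involved,
    so quotes or metacharacters in it cannot alter the command.  A non-zero
    exit is reported with common.warn rather than raised, keeping the
    best-effort behaviour of the previous implementation.
    """
    import subprocess  # local import: the file's import block is outside this view

    # Log the account being changed, not the secret.
    common.info("Changing password of {0}".format(user))

    os_name = plugin.get_os()
    if "Linux" in os_name:
        # chpasswd reads "user:password" lines from stdin, so the password
        # neither passes through a shell nor appears in the process list.
        result = subprocess.run(
            ["chpasswd"],
            input="{0}:{1}\n".format(user, password),
            universal_newlines=True,
        )
    elif "Windows" in os_name:
        # An argv list reaches net.exe without cmd.exe parsing it.  net user
        # inherently takes the password on its own command line, which local
        # process listing can observe; that is a property of the tool itself.
        result = subprocess.run(["net", "user", user, password])
    else:
        # Unsupported platform: nothing to do, as before.
        return

    if result.returncode != 0:
        common.warn("Failed to change password of {0} (exit status {1})".format(
            user, result.returncode))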