def fix_1_5_1():
    """CIS 1.5.1: restrict core dumps.

    Pins ``* hard core 0`` in /etc/security/limits.conf and
    ``fs.suid_dumpable = 0`` in /etc/sysctl.conf, then pushes the sysctl
    value into the running kernel.
    """
    # (file, line pattern, replacement) — patterns go to helper.replaceLine unchanged.
    edits = (
        ('/etc/security/limits.conf', r'\* hard core', '* hard core 0'),
        ('/etc/sysctl.conf', 'fs.suid_dumpable =', 'fs.suid_dumpable = 0'),
    )
    for path, pattern, replacement in edits:
        helper.replaceLine(path, pattern, replacement)
    # NOTE(review): drop-ins under /etc/sysctl.d or /etc/security/limits.d may
    # still override the persisted values — confirm none do on the target.
    os.popen("sysctl -w fs.suid_dumpable=0")
def task_4_1_5(fixbug=False):
    """CIS 4.1.5: audit events that modify user/group information.

    Returns True when every ``identity`` watch rule is present both in
    /etc/audit/audit.rules and in the loaded ruleset (``auditctl -l``).
    Otherwise returns False, first writing the rules and reloading auditd
    when ``fixbug`` is True.
    """
    rule_file = '/etc/audit/audit.rules'
    rules = [
        '-w /etc/group -p wa -k identity',
        '-w /etc/passwd -p wa -k identity',
        '-w /etc/gshadow -p wa -k identity',
        '-w /etc/shadow -p wa -k identity',
        '-w /etc/security/opasswd -p wa -k identity',
    ]
    on_disk = os.popen('grep identity /etc/audit/audit.rules').read()
    loaded = os.popen('auditctl -l | grep identity').read()
    # NOTE(review): auditctl -l may print rules in a normalised form; exact-text
    # matching against it should be confirmed on the target auditd version.
    if all(re.search(rule, on_disk) and re.search(rule, loaded) for rule in rules):
        return True
    if fixbug == True:
        for rule in rules:
            helper.replaceLine(rule_file, rule, rule)
        os.popen("systemctl reload auditd")
    return False
def fix_3_2_7():
    """CIS 3.2.7: enable reverse path filtering on all/default IPv4 interfaces.

    Persists ``rp_filter = 1`` in /etc/sysctl.conf and applies it live,
    flushing the route cache afterwards.
    """
    keys = ('net.ipv4.conf.all.rp_filter', 'net.ipv4.conf.default.rp_filter')
    for key in keys:
        # dots are escaped so the pattern matches the key literally
        helper.replaceLine('/etc/sysctl.conf', key.replace('.', r'\.'), key + ' = 1')
    for key in keys:
        os.popen("sysctl -w %s=1" % key)
    os.popen("sysctl -w net.ipv4.route.flush=1")
def fix_3_3_1():
    """CIS 3.3.1: do not accept IPv6 router advertisements.

    Persists ``accept_ra = 0`` for the all/default IPv6 interfaces in
    /etc/sysctl.conf, applies it live and flushes the IPv6 route cache.
    """
    keys = ('net.ipv6.conf.all.accept_ra', 'net.ipv6.conf.default.accept_ra')
    for key in keys:
        helper.replaceLine('/etc/sysctl.conf', key.replace('.', r'\.'), key + ' = 0')
    commands = ["sysctl -w %s=0" % key for key in keys]
    commands.append("sysctl -w net.ipv6.route.flush=1")
    for cmd in commands:
        os.popen(cmd)
def fix_3_2_1():
    """CIS 3.2.1: reject source-routed IPv4 packets.

    Persists ``accept_source_route = 0`` for all/default interfaces in
    /etc/sysctl.conf, applies it live and flushes the route cache.
    """
    sysctl_conf = '/etc/sysctl.conf'
    keys = (
        'net.ipv4.conf.all.accept_source_route',
        'net.ipv4.conf.default.accept_source_route',
    )
    for key in keys:
        helper.replaceLine(sysctl_conf, key.replace('.', r'\.'), key + ' = 0')
    for key in keys:
        os.popen("sysctl -w %s=0" % key)
    os.popen("sysctl -w net.ipv4.route.flush=1")
def fix_3_2_4():
    """CIS 3.2.4: log packets with impossible (martian) source addresses.

    Persists ``log_martians = 1`` for all/default IPv4 interfaces in
    /etc/sysctl.conf, applies it live and flushes the route cache.
    """
    sysctl_conf = '/etc/sysctl.conf'
    keys = ('net.ipv4.conf.all.log_martians', 'net.ipv4.conf.default.log_martians')
    for key in keys:
        helper.replaceLine(sysctl_conf, key.replace('.', r'\.'), key + ' = 1')
    for key in keys:
        os.popen("sysctl -w %s=1" % key)
    os.popen("sysctl -w net.ipv4.route.flush=1")
def fix_3_1_2():
    """CIS 3.1.2: do not send ICMP redirects.

    Persists ``send_redirects = 0`` for all/default IPv4 interfaces in
    /etc/sysctl.conf, applies it live and flushes the route cache.
    """
    sysctl_conf = '/etc/sysctl.conf'
    keys = ('net.ipv4.conf.all.send_redirects', 'net.ipv4.conf.default.send_redirects')
    for key in keys:
        helper.replaceLine(sysctl_conf, key.replace('.', r'\.'), key + ' = 0')
    for key in keys:
        os.popen("sysctl -w %s=0" % key)
    os.popen("sysctl -w net.ipv4.route.flush=1")
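def fix_1_7_2():
    """CIS 1.7.2: configure the GDM login banner.

    Enables ``banner-message-enable`` in /etc/gdm3/greeter.dconf-defaults
    and, when no active (uncommented) ``banner-message-text`` line exists,
    sets the banner text.

    Fix: the original condition was ``check == '' and not re.search(...,
    check)``; the second clause can never be True when ``check`` is empty,
    so the text was only written when grep found nothing at all.  A file
    whose banner line was merely commented out (the shipped default) was
    never remediated.  The check now looks for an uncommented line, with
    ``re.MULTILINE`` so ``^`` anchors every grep hit, not just the first.
    """
    conf = '/etc/gdm3/greeter.dconf-defaults'
    helper.replaceLine(conf, 'banner-message-enable=', 'banner-message-enable=true')
    hits = os.popen('grep banner-message-text /etc/gdm3/greeter.dconf-defaults').read()
    # An active setting starts the line (optionally after whitespace);
    # '#'-prefixed hits are comments and do not count.
    if not re.search(r'^\s*banner-message-text', hits, re.MULTILINE):
        helper.replaceLine(
            conf,
            'banner-message-text=',
            "banner-message-text='Authorized uses only. All activity may be monitored and reported.'",
        )
    # NOTE(review): dconf defaults only take effect once the dconf database is
    # regenerated — confirm the caller triggers that step after this function.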
def task_4_1_16(fixbug=False):
    """CIS 4.1.16: audit sudo log changes (``actions`` key).

    Returns True when the watch on /var/log/sudo.log is present both in
    /etc/audit/audit.rules and in the loaded ruleset.  Otherwise returns
    False, writing the rule and reloading auditd first when ``fixbug`` is True.
    """
    rule_file = '/etc/audit/audit.rules'
    rule = '-w /var/log/sudo.log -p wa -k actions'
    on_disk = os.popen('grep actions /etc/audit/audit.rules').read()
    loaded = os.popen('auditctl -l | grep actions').read()
    present = re.search(rule, on_disk) is not None and re.search(rule, loaded) is not None
    if present:
        return True
    if fixbug == True:
        helper.replaceLine(rule_file, rule, rule)
        os.popen("systemctl reload auditd")
    return False
def task_4_1_15(fixbug=False):
    """CIS 4.1.15: audit changes to sudoers (``scope`` key).

    Returns True when the watches on /etc/sudoers and /etc/sudoers.d/ are
    present both on disk and in the loaded ruleset.  Otherwise returns
    False, writing the rules and reloading auditd first when ``fixbug`` is True.
    """
    rule_file = '/etc/audit/audit.rules'
    rules = [
        '-w /etc/sudoers -p wa -k scope',
        '-w /etc/sudoers.d/ -p wa -k scope',
    ]
    on_disk = os.popen('grep scope /etc/audit/audit.rules').read()
    loaded = os.popen('auditctl -l | grep scope').read()
    if all(re.search(rule, on_disk) and re.search(rule, loaded) for rule in rules):
        return True
    if fixbug == True:
        for rule in rules:
            helper.replaceLine(rule_file, rule, rule)
        os.popen("systemctl reload auditd")
    return False
def task_4_1_7(fixbug=False):
    """CIS 4.1.7: audit changes to the mandatory access control policy.

    If AppArmor is installed (per ``dpkg -s apparmor``) the AppArmor watch
    rules are required; otherwise, if ``dpkg -s selinux`` reports an
    installed package, the SELinux rules are required.  Returns True when
    the required rules are both on disk and loaded; otherwise returns False,
    writing them and reloading auditd first when ``fixbug`` is True.  With
    neither framework installed the check returns True.
    """
    installed_re = r"Status[a-zA-Z\s:]+install[a-zA-Z\s]+ok[a-zA-Z\s]+installed"
    rule_file = '/etc/audit/audit.rules'
    apparmor_rules = [
        '-w /etc/apparmor/ -p wa -k MAC-policy',
        '-w /etc/apparmor.d/ -p wa -k MAC-policy',
    ]
    selinux_rules = [
        '-w /etc/selinux/ -p wa -k MAC-policy',
        '-w /usr/share/selinux/ -p wa -k MAC-policy',
    ]
    apparmor_status = os.popen("dpkg -s apparmor").read()
    on_disk = os.popen('grep MAC-policy /etc/audit/audit.rules').read()
    loaded = os.popen('auditctl -l | grep MAC-policy').read()

    def ensure(rules):
        # True when every rule is on disk and loaded; otherwise optionally
        # write the rules and reload auditd, then report non-compliance.
        if all(re.search(rule, on_disk) and re.search(rule, loaded) for rule in rules):
            return True
        if fixbug == True:
            for rule in rules:
                helper.replaceLine(rule_file, rule, rule)
            os.popen("systemctl reload auditd")
        return False

    if re.search(installed_re, apparmor_status):
        return ensure(apparmor_rules)
    # NOTE(review): 'selinux' is queried as a package name here — confirm it
    # matches the package actually shipped on the target distribution.
    selinux_status = os.popen("dpkg -s selinux").read()
    if re.search(installed_re, selinux_status):
        return ensure(selinux_rules)
    return True
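def fix_4_1_1_2():
    """CIS 4.1.1.2: configure auditd's response to low disk space.

    Sets ``space_left_action = email``, ``action_mail_acct = root`` and
    ``admin_space_left_action = halt`` in /etc/audit/auditd.conf.

    Fix: the patterns are now anchored with ``^``.  The unanchored
    ``space_left_action`` also matched the ``admin_space_left_action`` line,
    so depending on helper.replaceLine's match semantics that line could be
    rewritten to ``space_left_action = email`` and the admin setting lost.
    Anchoring follows the ``^restrict -4`` / ``^minlen`` style used elsewhere
    in this file.
    """
    auditd_conf = '/etc/audit/auditd.conf'
    settings = (
        ('space_left_action', 'email'),
        ('action_mail_acct', 'root'),
        # NOTE(review): 'halt' is fail-closed — the host stops when the audit
        # partition fills.  Confirm that is the intended availability trade-off.
        ('admin_space_left_action', 'halt'),
    )
    for key, value in settings:
        helper.replaceLine(auditd_conf, '^' + key, key + ' = ' + value)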
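def task_4_1_14(fixbug=False):
    """CIS 4.1.14: audit file deletion events by users (``delete`` key).

    Requires the b32 syscall rule on 32-bit kernels and both the b32 and b64
    rules on 64-bit kernels, present in /etc/audit/audit.rules and in the
    loaded ruleset.  Returns True when compliant; otherwise returns False,
    writing the rules and reloading auditd first when ``fixbug`` is True.

    Fix: the word size is read with ``strip()`` instead of unpacking
    ``split('\\n')`` into exactly two names, which raised ValueError when
    ``getconf`` was missing or printed anything other than one line.
    """
    word_size = os.popen('getconf LONG_BIT').read().strip()
    rule_file = '/etc/audit/audit.rules'
    on_disk = os.popen('grep delete /etc/audit/audit.rules').read()
    loaded = os.popen('auditctl -l | grep delete').read()
    rule_b32 = '-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'
    rule_b64 = '-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'
    if word_size == '32':
        required = [rule_b32]
    elif word_size == '64':
        # 64-bit kernels still execute 32-bit binaries, so both ABIs are audited.
        required = [rule_b32, rule_b64]
    else:
        # NOTE(review): an unknown/unavailable word size is reported as
        # compliant, as in the original; a stricter policy would return False.
        return True
    # NOTE(review): auditctl -l may print rules in a normalised form (merged
    # -S lists, auid!=-1); confirm exact-text matching works on the target.
    if all(re.search(rule, on_disk) and re.search(rule, loaded) for rule in required):
        return True
    if fixbug == True:
        for rule in required:
            helper.replaceLine(rule_file, rule, rule)
        os.popen("systemctl reload auditd")
    return False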
def task_4_1_9(fixbug=False):
    """CIS 4.1.9: audit session initiation information.

    Requires the ``session`` watch on /var/run/utmp and the ``logins``
    watches on /var/log/wtmp and /var/log/btmp, both on disk and in the
    loaded ruleset.  Returns True when compliant; otherwise returns False,
    writing the rules and reloading auditd first when ``fixbug`` is True.
    """
    rule_file = '/etc/audit/audit.rules'
    session_rule = '-w /var/run/utmp -p wa -k session'
    login_rules = [
        '-w /var/log/wtmp -p wa -k logins',
        '-w /var/log/btmp -p wa -k logins',
    ]
    session_disk = os.popen('grep session /etc/audit/audit.rules').read()
    session_loaded = os.popen('auditctl -l | grep session').read()
    logins_disk = os.popen('grep logins /etc/audit/audit.rules').read()
    logins_loaded = os.popen('auditctl -l | grep logins').read()
    session_ok = re.search(session_rule, session_disk) and re.search(session_rule, session_loaded)
    logins_ok = all(
        re.search(rule, logins_disk) and re.search(rule, logins_loaded)
        for rule in login_rules
    )
    if session_ok and logins_ok:
        return True
    if fixbug == True:
        for rule in [session_rule] + login_rules:
            helper.replaceLine(rule_file, rule, rule)
        os.popen("systemctl reload auditd")
    return False
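def fix_2_2_1_2():
    """CIS 2.2.1.2: configure ntp.

    Restricts the default IPv4/IPv6 access policy in /etc/ntp.conf, makes
    the init script run ntpd as the ``ntp`` user, and appends the Ubuntu
    pool servers when no ``server``/``pool`` line is configured.

    Fix: the RUNASUSER call was not valid Python in the source — its two
    arguments had been fused into ``'RUNASUSER='******'RUNASUSER=ntp'``
    (apparently a redaction artefact).  It is restored as the pattern
    ``RUNASUSER=`` with replacement ``RUNASUSER=ntp``, matching the shape of
    every other replaceLine call here.  The pool lines are written with a
    single ``write`` rather than ``writelines`` on a bare string.
    """
    ntp_conf = '/etc/ntp.conf'
    restrict_opts = 'default kod nomodify notrap nopeer noquery'
    helper.replaceLine(ntp_conf, '^restrict -4', 'restrict -4 ' + restrict_opts)
    helper.replaceLine(ntp_conf, '^restrict -6', 'restrict -6 ' + restrict_opts)
    helper.replaceLine('/etc/init.d/ntp', 'RUNASUSER=', 'RUNASUSER=ntp')
    configured = os.popen('egrep "^(server|pool)" /etc/ntp.conf').read()
    if configured == '':
        pools = [
            '\npool 0.ubuntu.pool.ntp.org iburst',
            '\npool 1.ubuntu.pool.ntp.org iburst',
            '\npool 2.ubuntu.pool.ntp.org iburst',
            '\npool 3.ubuntu.pool.ntp.org iburst',
            '\npool ntp.ubuntu.com',
        ]
        with open(ntp_conf, 'a+') as conf:
            conf.write(''.join(pools))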
def task_4_1_8(fixbug=False):
    """CIS 4.1.8: audit login and logout events (``logins`` key).

    Requires watches on /var/log/faillog, /var/log/lastlog and
    /var/log/tallylog both in /etc/audit/audit.rules and in the loaded
    ruleset.  Returns True when compliant; otherwise returns False, writing
    the rules and reloading auditd first when ``fixbug`` is True.
    """
    rule_file = '/etc/audit/audit.rules'
    rules = [
        '-w /var/log/faillog -p wa -k logins',
        '-w /var/log/lastlog -p wa -k logins',
        '-w /var/log/tallylog -p wa -k logins',
    ]
    on_disk = os.popen('grep logins /etc/audit/audit.rules').read()
    loaded = os.popen('auditctl -l | grep logins').read()
    missing = [rule for rule in rules
               if not (re.search(rule, on_disk) and re.search(rule, loaded))]
    if not missing:
        return True
    if fixbug == True:
        # every rule is (re)written, not just the missing ones, as in the original
        for rule in rules:
            helper.replaceLine(rule_file, rule, rule)
        os.popen("systemctl reload auditd")
    return False
def fix_3_2_8():
    """CIS 3.2.8: enable TCP SYN cookies.

    Persists ``net.ipv4.tcp_syncookies = 1`` in /etc/sysctl.conf, applies it
    live and flushes the route cache.
    """
    key = 'net.ipv4.tcp_syncookies'
    helper.replaceLine('/etc/sysctl.conf', r'net\.ipv4\.tcp_syncookies', key + ' = 1')
    for cmd in ("sysctl -w %s=1" % key, "sysctl -w net.ipv4.route.flush=1"):
        os.popen(cmd)
def fix_3_1_1():
    """CIS 3.1.1: disable IPv4 forwarding.

    Persists ``net.ipv4.ip_forward = 0`` in /etc/sysctl.conf, applies it
    live and flushes the route cache.
    """
    key = 'net.ipv4.ip_forward'
    helper.replaceLine('/etc/sysctl.conf', r'net\.ipv4\.ip_forward', key + ' = 0')
    for cmd in ("sysctl -w %s=0" % key, "sysctl -w net.ipv4.route.flush=1"):
        os.popen(cmd)
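def fix_3_2_6():
    """CIS 3.2.6: ignore bogus ICMP error responses.

    Persists ``net.ipv4.icmp_ignore_bogus_error_responses = 1`` in
    /etc/sysctl.conf and applies it to the running kernel.

    Fix: unlike the sibling sysctl remediations, the original only flushed
    the route cache and never issued ``sysctl -w`` for the key itself, so
    the setting did not take effect until the next sysctl reload or reboot.
    """
    key = 'net.ipv4.icmp_ignore_bogus_error_responses'
    helper.replaceLine('/etc/sysctl.conf', r'net\.ipv4\.icmp_ignore_bogus_error_responses', key + ' = 1')
    os.popen("sysctl -w %s=1" % key)
    os.popen("sysctl -w net.ipv4.route.flush=1")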
def fix_3_2_5():
    """CIS 3.2.5: ignore broadcast ICMP echo requests.

    Persists ``net.ipv4.icmp_echo_ignore_broadcasts = 1`` in
    /etc/sysctl.conf, applies it live and flushes the route cache.
    """
    key = 'net.ipv4.icmp_echo_ignore_broadcasts'
    helper.replaceLine('/etc/sysctl.conf', r'net\.ipv4\.icmp_echo_ignore_broadcasts', key + ' = 1')
    for cmd in ("sysctl -w %s=1" % key, "sysctl -w net.ipv4.route.flush=1"):
        os.popen(cmd)
def fix_5_2_13():
    """CIS 5.2.13: set the SSH LoginGraceTime to 60 seconds.

    Rewrites an active (uncommented) ``LoginGraceTime`` line in sshd_config.
    NOTE(review): when only the commented default is present, the outcome
    depends on helper.replaceLine's no-match behaviour — confirm it appends.
    """
    sshd_config = '/etc/ssh/sshd_config'
    helper.replaceLine(sshd_config, '^LoginGraceTime', 'LoginGraceTime 60')
def fix_2_2_15():
    """CIS 2.2.15: bind the mail transfer agent to loopback only.

    Sets ``inet_interfaces = loopback-only`` in Postfix main.cf and restarts
    the service.  The pattern is unanchored, so it matches whatever
    ``inet_interfaces`` line is present (commented ones included).
    """
    main_cf = '/etc/postfix/main.cf'
    helper.replaceLine(main_cf, 'inet_interfaces', 'inet_interfaces = loopback-only')
    os.popen("systemctl restart postfix")
def fix_5_2_15():
    """CIS 5.2.15: point the SSH warning banner at /etc/issue.net.

    Rewrites an active (uncommented) ``Banner`` line in sshd_config.
    """
    sshd_config = '/etc/ssh/sshd_config'
    helper.replaceLine(sshd_config, '^Banner', 'Banner /etc/issue.net')
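def fix_5_3_1():
    """CIS 5.3.1: ensure password creation requirements are configured.

    Installs libpam-pwquality, enables pam_pwquality in
    /etc/pam.d/common-password and sets minlen=14 with at least one digit,
    lowercase, uppercase and other character (credit values of -1) in
    /etc/security/pwquality.conf.

    Fix: the original wrote ``ucredit = -1`` over the ``lcredit`` line and
    ``ocredit = -1`` over the ``ucredit`` line, so lcredit was never set and
    ucredit was replaced by a duplicate ocredit.  Each key now maps to its
    own value.  The apt-get pipe is also read to completion so the package
    is installed before the PAM configuration referencing it is edited.
    """
    # .read() blocks until apt-get exits; a bare os.popen leaves it running concurrently.
    os.popen("apt-get install libpam-pwquality -y").read()
    helper.replaceLine('/etc/pam.d/common-password', 'pam_pwquality.so', 'password requisite pam_pwquality.so retry=3')
    pwquality_conf = '/etc/security/pwquality.conf'
    settings = (
        ('minlen', '14'),
        ('dcredit', '-1'),
        ('lcredit', '-1'),
        ('ucredit', '-1'),
        ('ocredit', '-1'),
    )
    for key, value in settings:
        helper.replaceLine(pwquality_conf, '^' + key, key + ' = ' + value)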
def fix_5_3_3():
    """CIS 5.3.3: limit password reuse with pam_pwhistory (remember=5).

    Rewrites an existing ``password required pam_pwhistory.so`` line in
    /etc/pam.d/common-password.  NOTE(review): if no such line exists the
    result depends on helper.replaceLine's no-match behaviour — confirm it
    appends, otherwise a non-compliant host is left unchanged.
    """
    pam_file = '/etc/pam.d/common-password'
    helper.replaceLine(pam_file, r'^password\s+required\s+pam_pwhistory.so', 'password required pam_pwhistory.so remember=5')
def fix_5_3_2():
    """CIS 5.3.2: lock accounts after failed logins with pam_tally2.

    Sets deny=5 with a 900 s unlock time on the pam_tally2 line of
    /etc/pam.d/common-auth.  NOTE(review): pam_tally2 is absent from newer
    Linux-PAM releases, where pam_faillock replaces it — confirm the module
    exists on the target before relying on this remediation.
    """
    pam_auth = '/etc/pam.d/common-auth'
    tally_line = 'auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900'
    helper.replaceLine(pam_auth, 'pam_tally2', tally_line)
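def fix_3_3_3():
    """CIS 3.3.3: disable IPv6 via the kernel command line.

    Adds ``ipv6.disable=1`` to GRUB_CMDLINE_LINUX in /etc/default/grub and
    regenerates the GRUB configuration.

    Fix: the original replaced the whole line with
    ``GRUB_CMDLINE_LINUX="ipv6.disable=1"``, discarding every other kernel
    parameter already set there (other hardening flags included).  The
    existing parameters are now preserved and the flag appended once.  The
    pattern is also anchored so that GRUB_CMDLINE_LINUX_DEFAULT, which the
    bare ``GRUB_CMDLINE_LINUX`` pattern also matched, is left alone.
    """
    grub_default = '/etc/default/grub'
    flag = 'ipv6.disable=1'
    try:
        with open(grub_default) as conf:
            content = conf.read()
    except IOError:
        content = ''
    # Only the double-quoted form is parsed; any other form falls back to
    # writing the flag alone, which is the original behaviour.
    match = re.search(r'^GRUB_CMDLINE_LINUX="(.*)"\s*$', content, re.MULTILINE)
    if match:
        params = match.group(1).split()
        if flag not in params:
            params.append(flag)
        new_line = 'GRUB_CMDLINE_LINUX="%s"' % ' '.join(params)
    else:
        new_line = 'GRUB_CMDLINE_LINUX="%s"' % flag
    # Anchored pattern; assumes helper.replaceLine treats it as a regex, as
    # the '^restrict -4' usage elsewhere in this file suggests.
    helper.replaceLine(grub_default, '^GRUB_CMDLINE_LINUX=', new_line)
    os.popen("update-grub")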
def fix_5_4_4():
    """CIS 5.4.4: set the default umask to 027 in /etc/bash.bashrc.

    The pattern is unanchored, so any line containing ``umask`` is rewritten;
    NOTE(review): that includes comment lines mentioning umask, if present.
    """
    bashrc = '/etc/bash.bashrc'
    helper.replaceLine(bashrc, 'umask', 'umask 027')
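def fix_5_3_4():
    """CIS 5.3.4: ensure the password hashing algorithm is SHA-512.

    Makes the ``password ... pam_unix.so`` line in /etc/pam.d/common-password
    carry the ``sha512`` option.

    Fix: the original pattern only matched a pam_unix line that already
    contained ``sha512`` — the compliant state — so a non-compliant system
    was never changed (and, depending on helper.replaceLine's no-match
    behaviour, could gain a second pam_unix line).  The line is now located
    without requiring sha512, kept intact, and ``sha512`` is appended only
    when absent.  When no pam_unix password line exists at all, the original
    call is issued unchanged so that edge case behaves as before.
    """
    pam_file = '/etc/pam.d/common-password'
    try:
        with open(pam_file) as conf:
            lines = conf.read().splitlines()
    except IOError:
        lines = []
    unix_line = re.compile(r'^password\s+(\S+\s+)+pam_unix\.so(\s.*)?$')
    for line in lines:
        if not unix_line.match(line):
            continue
        if re.search(r'\bsha512\b', line):
            return  # already compliant; leave the other options untouched
        # re.escape so the existing line is matched literally as a pattern
        helper.replaceLine(pam_file, re.escape(line), line.rstrip() + ' sha512')
        return
    helper.replaceLine(
        pam_file,
        r'^password\s+(\S+\s+)+pam_unix\.so\s+(\S+\s+)*sha512',
        'password [success=1 default=ignore] pam_unix.so sha512')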
def fix_5_4_5():
    """CIS 5.4.5: set a 600 s shell timeout via TMOUT in /etc/bash.bashrc.

    The pattern is unanchored, so any line containing ``TMOUT`` is rewritten.
    NOTE(review): a plain ``TMOUT=600`` can be unset by the user; a stricter
    policy would also mark it readonly and export it — confirm the target
    benchmark version's wording.
    """
    bashrc = '/etc/bash.bashrc'
    helper.replaceLine(bashrc, 'TMOUT', 'TMOUT=600')