This Bash script automates compliance checks based on CIS (Center for Internet Security) benchmarks for IBM AIX systems. It validates system configuration across seven major security domains and generates a consolidated report.
Primary Objectives:
Assess system hardening status
Identify misconfigurations
Assist in audit readiness
Provide actionable compliance results
Prerequisites:
OS: IBM AIX
Shell: Bash (/bin/bash)
Root or privileged access required
Logging & Result Classification:
| Status | Description |
|--------|-------------|
| PASS | Control meets the CIS requirement |
| FAIL | Control does not meet the requirement |
| MANUAL | Requires manual verification |
Color Coding
Green → PASS
Red → FAIL
Yellow → MANUAL
CIS IBM AIX Compliance Script (Sections 1–7)
#!/bin/bash
# CIS IBM AIX Compliance Script (Sections 1–7)
# -------------------------------
# adminCtrlX
# -------------------------------
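# ANSI colour escapes, stored as literal backslash sequences that the
# log helpers expand (echo -e / printf '%b') at print time. Marked
# readonly so nothing later in the script can silently reassign them.
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly NC='\033[0m' # reset to the terminal's default colour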
# -------------------------------
# Logging & Counters
# -------------------------------
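# Consolidated report, truncated on every run. It ends up holding the
# list of world-writable paths and other findings, so keep it owner-only
# and stop early if it cannot be written rather than running blind.
readonly REPORT="/var/log/cis_aix_report.log"
if ! : > "$REPORT"; then
  printf 'cannot write report file %s\n' "$REPORT" >&2
  exit 1
fi
chmod 600 "$REPORT" || printf 'warning: could not restrict permissions on %s\n' "$REPORT" >&2
# Result counters, incremented by log_pass/log_fail/log_manual and
# printed in the final summary.
PASS=0
FAIL=0
MANUAL=0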
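#######################################
# Record a passing control.
# Globals:   GREEN, NC (read), REPORT (appended), PASS (incremented)
# Arguments: $1 - message describing the control
# Outputs:   the coloured line on stdout and appended to $REPORT
# Returns:   0 always. The increment is written as PASS=$((PASS + 1))
#            because ((PASS++)) returns 1 when the old value is 0, which
#            made "test && log_pass || log_fail" chains also run log_fail
#            on the very first pass.
#######################################
log_pass() {
  printf '%b[PASS]%b %s\n' "$GREEN" "$NC" "$1" | tee -a "$REPORT"
  PASS=$((PASS + 1))
  return 0
}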
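#######################################
# Record a failing control.
# Globals:   RED, NC (read), REPORT (appended), FAIL (incremented)
# Arguments: $1 - message describing the control
# Outputs:   the coloured line on stdout and appended to $REPORT
# Returns:   0 always; FAIL=$((FAIL + 1)) is used instead of ((FAIL++))
#            so the function's exit status never depends on the counter.
#######################################
log_fail() {
  printf '%b[FAIL]%b %s\n' "$RED" "$NC" "$1" | tee -a "$REPORT"
  FAIL=$((FAIL + 1))
  return 0
}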
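#######################################
# Record a control that needs human verification.
# Globals:   YELLOW, NC (read), REPORT (appended), MANUAL (incremented)
# Arguments: $1 - message describing what to verify
# Outputs:   the coloured line on stdout and appended to $REPORT
# Returns:   0 always; MANUAL=$((MANUAL + 1)) is used instead of
#            ((MANUAL++)) so the exit status never depends on the counter.
#######################################
log_manual() {
  printf '%b[MANUAL]%b %s\n' "$YELLOW" "$NC" "$1" | tee -a "$REPORT"
  MANUAL=$((MANUAL + 1))
  return 0
}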
# -------------------------------
# Helper Functions
# -------------------------------
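#######################################
# Compare a path's permission bits against an expected octal mode.
# Arguments: $1 - path to check
#            $2 - expected three-digit octal mode, e.g. "644"
# Outputs:   one PASS/FAIL line via log_pass/log_fail
# Returns:   0 always (the verdict is logged, not returned)
#######################################
check_file_perm() {
  local file=$1
  local perm=$2
  local actual_perm
  if [ ! -e "$file" ]; then
    log_fail "$file does not exist"
    return 0
  fi
  # Build the octal mode from the rwx string printed by "ls -ld" (-d so a
  # directory is described rather than listed). Each triad is summed as
  # r=4, w=2, x=1, with s/t in the x slot counting as x. The previous awk
  # multiplied by 8 *inside* the owner triad (rw- came out as 272), so no
  # file could ever match its expected mode and every check was FAIL.
  actual_perm=$(ls -ld "$file" | awk '{
    m = substr($1, 2, 9); p = ""
    for (t = 0; t < 3; t++) {
      v = 0
      if (substr(m, t*3+1, 1) == "r") v += 4
      if (substr(m, t*3+2, 1) == "w") v += 2
      c = substr(m, t*3+3, 1)
      if (c == "x" || c == "s" || c == "t") v += 1
      p = p v
    }
    print p
  }')
  if [ "$actual_perm" = "$perm" ]; then
    log_pass "$file permissions ($perm) correct"
  else
    log_fail "$file permissions ($actual_perm) incorrect, should be $perm"
  fi
}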
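#######################################
# Report whether an SRC subsystem is running.
# Arguments: $1 - subsystem name as known to lssrc
# Outputs:   FAIL if the subsystem is active, PASS if it is not, MANUAL
#            when lssrc does not know the name. The last case used to be
#            logged as PASS, which is wrong: services such as ftp/telnet
#            are spawned by inetd and are not SRC subsystems at all, so
#            lssrc saying nothing about them proves nothing.
# Returns:   0 always
#######################################
check_service_disabled() {
  local svc=$1
  local status
  # lssrc is expected to exit non-zero (or print nothing) for an unknown
  # subsystem; treat either as "cannot assess" rather than "disabled".
  if ! status=$(lssrc -s "$svc" 2>/dev/null) || [ -z "$status" ]; then
    log_manual "$svc is not an SRC subsystem on this host; verify it is disabled by other means (e.g. /etc/inetd.conf)"
    return 0
  fi
  # lssrc prints a header row and then one row whose last column is the
  # status; compare that whole column instead of grepping "active" anywhere
  # in the line.
  if printf '%s\n' "$status" | awk 'NR > 1 && $NF == "active" { found = 1 } END { exit !found }'; then
    log_fail "$svc is active"
  else
    log_pass "$svc disabled"
  fi
}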
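#######################################
# Report whether a fileset/package appears in "lslpp -L".
# Arguments: $1 - fileset or package name; matched exactly, or as the
#                 part before the first dot (so "sudo" matches "sudo.rte")
# Outputs:   PASS if found, FAIL otherwise (also when lslpp is unavailable)
# Returns:   0 always
#######################################
check_package_installed() {
  local pkg=$1
  # The fileset name is the first whitespace-separated field of each row.
  # The former 'grep -q "^$pkg"' only matched at column 0 (lslpp rows are
  # indented) and would also accept any fileset merely starting with the
  # name; awk's $1 ignores leading whitespace and compares the whole field.
  if lslpp -L 2>/dev/null | awk -v p="$pkg" '$1 == p || index($1, p ".") == 1 { found = 1 } END { exit !found }'; then
    log_pass "$pkg installed"
  else
    log_fail "$pkg not installed"
  fi
}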
# -------------------------------
# SECTION 1 – Initial Setup
# -------------------------------
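printf '%b==== SECTION 1 – Initial Setup ====%b\n' "$YELLOW" "$NC" | tee -a "$REPORT"
# Record the detected level so the reviewer of the report has the value
# to compare against the vendor's currently supported level.
if command -v oslevel >/dev/null 2>&1; then
  printf 'Detected OS level: %s\n' "$(oslevel -s 2>/dev/null)" | tee -a "$REPORT"
fi
log_manual "Check AIX OS level, updates, and security patches (oslevel, instfix)"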
# -------------------------------
# SECTION 2 – Services
# -------------------------------
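printf '%b==== SECTION 2 – Services ====%b\n' "$YELLOW" "$NC" | tee -a "$REPORT"
services_to_disable=(autofs sendmail inetd ftp telnet tftp rpc rlogin rsh)
for svc in "${services_to_disable[@]}"; do
  check_service_disabled "$svc"
done
# On AIX the clear-text services (ftp, telnet, tftp, rsh/rlogin/rexec) are
# spawned by inetd rather than run as SRC subsystems, so lssrc alone cannot
# show they are off. Flag any uncommented entry for them in inetd.conf.
inetd_conf="/etc/inetd.conf"
if [ -f "$inetd_conf" ]; then
  inetd_clear=$(awk '$1 ~ /^(ftp|telnet|tftp|shell|login|exec)$/ { print $1 }' "$inetd_conf" | sort -u | tr '\n' ' ')
  if [ -z "$inetd_clear" ]; then
    log_pass "No clear-text services enabled in $inetd_conf"
  else
    log_fail "Clear-text services enabled in $inetd_conf: $inetd_clear"
  fi
fi
# cron is started from /etc/inittab, not as an SRC subsystem, so lssrc
# cannot assess it (the old check always reported it "disabled"), and the
# benchmark expects cron/at to be restricted rather than switched off.
log_manual "Verify cron and at are restricted to authorised users (cron.allow/at.allow) rather than disabled"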
# -------------------------------
# SECTION 3 – Network
# -------------------------------
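printf '%b==== SECTION 3 – Network ====%b\n' "$YELLOW" "$NC" | tee -a "$REPORT"
check_service_disabled "bluetooth"
log_manual "Verify wireless interfaces manually (if any exist)"
log_manual "Check IPv6 configuration manually (lsattr -El inet0)"
# ipforwarding is the one network option with an unambiguous expected
# value on a non-router host, so read it with "no -o" (output is
# "ipforwarding = N"; the last token is the value) instead of leaving it
# entirely to manual review.
ipfwd=$(no -o ipforwarding 2>/dev/null | awk '{ print $NF }')
case "$ipfwd" in
  0) log_pass "IP forwarding disabled (ipforwarding = 0)" ;;
  1) log_fail "IP forwarding enabled (ipforwarding = 1)" ;;
  *) log_manual "Could not read ipforwarding via 'no'; check manually" ;;
esac
log_manual "Check IP forwarding, packet redirects, ICMP settings in /etc/rc.tcpip and via 'no' command"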
# -------------------------------
# SECTION 4 – Host-Based Firewall
# -------------------------------
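printf '%b==== SECTION 4 – Host-Based Firewall ====%b\n' "$YELLOW" "$NC" | tee -a "$REPORT"
# A host firewall that is NOT running is a finding, not a pass, so the
# former 'check_service_disabled ipfilter/iptables' calls graded this the
# wrong way round (and iptables is a Linux tool, absent on AIX). Capture
# the state of the AIX IP Security filter rules for the reviewer instead.
if command -v lsfilt >/dev/null 2>&1; then
  printf 'IP Security filter rules (lsfilt):\n' | tee -a "$REPORT"
  lsfilt 2>&1 | tee -a "$REPORT"
else
  log_manual "lsfilt not available; verify host-based filtering by other means"
fi
log_manual "Ensure firewall rules configured via ipsec/iptables/ipfilter"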
# -------------------------------
# SECTION 5 – Access Control
# -------------------------------
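printf '%b==== SECTION 5 – Access Control ====%b\n' "$YELLOW" "$NC" | tee -a "$REPORT"
ssh_config="/etc/ssh/sshd_config"
if [ -f "$ssh_config" ]; then
  # sshd keywords are case-insensitive, may be indented, and the FIRST
  # occurrence wins, so read the first uncommented PermitRootLogin value
  # instead of grepping for the literal text "^PermitRootLogin no" anywhere
  # (which also missed "PermitRootLogin  no" and "permitrootlogin no").
  # NOTE(review): a value inside a Match block is not distinguished here.
  root_login=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$ssh_config")
  if [ "$root_login" = "no" ]; then
    log_pass "SSH root login disabled"
  else
    log_fail "SSH root login not disabled (PermitRootLogin ${root_login:-not set})"
  fi
  check_file_perm "$ssh_config" "600"
else
  log_fail "$ssh_config does not exist"
fi
check_package_installed "sudo"
log_manual "Check PAM configuration, password policies, and account lockout manually"
# User accounts with empty passwords. On AIX /etc/passwd normally carries
# "!" in field 2 and the real hashes live in /etc/security/passwd, so an
# empty field 2 alone would miss most cases; both files are inspected.
# NOTE(review): the stanza layout assumed for /etc/security/passwd is
# "user:" followed by an indented "password = <hash>" line, with an empty
# value meaning no password — confirm against a real host.
empty_pw=$(
  {
    awk -F: '$2 == "" { print $1 }' /etc/passwd
    if [ -f /etc/security/passwd ]; then
      awk '/^[^ \t]+:$/ { u = $1; sub(/:$/, "", u) }
           /^[ \t]*password[ \t]*=[ \t]*$/ { print u }' /etc/security/passwd
    fi
  } 2>/dev/null | sort -u | tr '\n' ' '
)
if [ -z "${empty_pw// /}" ]; then
  log_pass "No empty passwords"
else
  log_fail "Some accounts have empty passwords: $empty_pw"
fi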
# -------------------------------
# SECTION 6 – Logging and Auditing
# -------------------------------
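printf '%b==== SECTION 6 – Logging and Auditing ====%b\n' "$YELLOW" "$NC" | tee -a "$REPORT"
check_package_installed "audit"
# The AIX audit subsystem is not an SRC subsystem called "auditd" (so the
# old "lssrc -s auditd" check could never see it running); its state is
# reported by "audit query" as "auditing on" / "auditing off".
if audit query 2>/dev/null | grep -q "auditing on"; then
  log_pass "AIX auditing is on"
else
  log_fail "AIX auditing is off"
fi
log_manual "Verify AIDE or Tripwire installation and integrity checks"
if lssrc -s syslogd 2>/dev/null | awk 'NR > 1 && $NF == "active" { found = 1 } END { exit !found }'; then
  log_pass "syslogd enabled"
else
  log_fail "syslogd disabled"
fi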
# -------------------------------
# SECTION 7 – System Maintenance
# -------------------------------
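printf '%b==== SECTION 7 – System Maintenance ====%b\n' "$YELLOW" "$NC" | tee -a "$REPORT"
declare -A files=(
  ["/etc/passwd"]="644"
  ["/etc/passwd.adj"]="644"
  ["/etc/group"]="644"
  ["/etc/group.adj"]="644"
  ["/etc/security/passwd"]="600"
)
for file in "${!files[@]}"; do
  check_file_perm "$file" "${files[$file]}"
done
# World-writable files and directories. The exclusion is applied to the
# paths printed by find: the old 'grep -vE "^/proc|^/dev"' ran on ls -ld
# lines, which begin with the mode string, so nothing was ever excluded.
# Directories carrying the sticky bit (/tmp and friends) are world-writable
# by design and are not a finding, hence "! -perm -1000".
ww_files=$(find / -type f -perm -2 -print 2>/dev/null | grep -vE '^/(proc|dev)(/|$)')
ww_dirs=$(find / -type d -perm -2 ! -perm -1000 -print 2>/dev/null | grep -vE '^/(proc|dev)(/|$)')
if [ -z "$ww_files" ]; then
  log_pass "No world-writable files"
else
  printf '%s\n' "$ww_files" | while IFS= read -r p; do ls -ld "$p"; done | tee -a "$REPORT"
  log_fail "World-writable files found"
fi
if [ -z "$ww_dirs" ]; then
  log_pass "No world-writable directories"
else
  printf '%s\n' "$ww_dirs" | while IFS= read -r p; do ls -ld "$p"; done | tee -a "$REPORT"
  log_fail "World-writable directories (without sticky bit) found"
fi
log_manual "Review SUID/SGID files: find / -type f \\( -perm -4000 -o -perm -2000 \\) -exec ls -l {} \\;"
# Check home directories exist. The loop is fed by process substitution
# rather than a pipe so that the PASS/FAIL counters it updates survive:
# a pipeline stage runs in a subshell and its increments were lost, which
# made the final summary undercount this section. Accounts whose shell is
# a nologin/false variant are skipped.
while IFS=: read -r user dir; do
  if [ -n "$dir" ] && [ -d "$dir" ]; then
    log_pass "Home directory exists for $user"
  else
    log_fail "Home directory missing for $user"
  fi
done < <(awk -F: '$7 != "/usr/bin/nologin" && $7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 != "/usr/bin/false" { print $1 ":" $6 }' /etc/passwd)
printf '%b==== CIS IBM AIX Compliance Check Complete ====%b\n' "$YELLOW" "$NC" | tee -a "$REPORT"
printf '%bPASS: %s%b | %bFAIL: %s%b | %bMANUAL: %s%b\n' \
  "$GREEN" "$PASS" "$NC" "$RED" "$FAIL" "$NC" "$YELLOW" "$MANUAL" "$NC" | tee -a "$REPORT"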
Conclusion:
This script provides a baseline CIS compliance assessment for IBM AIX systems, helping administrators quickly identify security gaps and prioritize remediation.