Perl script to update FISMA-compliant kernel parameters (network hardening values in /etc/sysctl.conf)
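#!/usr/bin/perl
# Rewrite /etc/sysctl.conf with the FISMA/CIS network-hardening values below.
#
# Procedure:
#   1. Take a timestamped backup of /etc/sysctl.conf.
#   2. Copy every existing line except settings of the keys managed here.
#   3. Append the managed keys with their hardened values.
#   4. Atomically replace /etc/sysctl.conf with the new file.
#
# Only the file is changed; the values take effect at the next boot or when
# an administrator runs `sysctl -p`.  Must be run as root.
use strict;
use warnings;
use File::Copy qw(copy);
use POSIX qw(strftime);

my $sysctl_conf = '/etc/sysctl.conf';
my $new_conf    = "$sysctl_conf.fisma";

# Fail early with a clear message instead of a cryptic "Permission denied"
# halfway through.
die "This script must run as root to rewrite $sysctl_conf\n" if $> != 0;

# Make timestamped backup.  strftime is used instead of `date` in backticks:
# the backtick form left a trailing newline in the backup file name.
my $timestamp = strftime('%Y%m%d%H%M', localtime);
my $backup    = "$sysctl_conf.$timestamp";
copy($sysctl_conf, $backup)
    or die "Cannot back up $sysctl_conf to $backup: $!";

# Managed keys and their hardened values, written in this order.
#   rp_filter = 1              strict reverse-path filtering (anti-spoofing)
#   accept_source_route = 0    drop source-routed packets
#   accept_redirects = 0       ignore ICMP redirects (route hijacking)
#   secure_redirects = 0       ignore redirects even from default gateways
#   send_redirects = 0         never emit ICMP redirects ourselves
#   icmp_echo_ignore_broadcasts = 1
#                              do not answer echo requests sent to a broadcast
#                              address (smurf amplification).
#                              NOTE(review): the previous version of this
#                              script wrote 0 here, which leaves broadcast
#                              pings answered; hardening benchmarks require 1.
#   tcp_syncookies = 1         SYN-flood resistance
#   tcp_max_syn_backlog = 4096 larger half-open queue before cookies kick in
my @params = (
    [ 'net.ipv4.conf.default.rp_filter',           '1'    ],
    [ 'net.ipv4.conf.all.rp_filter',               '1'    ],
    [ 'net.ipv4.conf.default.accept_source_route', '0'    ],
    [ 'net.ipv4.tcp_max_syn_backlog',              '4096' ],
    [ 'net.ipv4.conf.all.accept_source_route',     '0'    ],
    [ 'net.ipv4.conf.default.accept_redirects',    '0'    ],
    [ 'net.ipv4.conf.all.accept_redirects',        '0'    ],
    [ 'net.ipv4.conf.default.secure_redirects',    '0'    ],
    [ 'net.ipv4.conf.all.secure_redirects',        '0'    ],
    [ 'net.ipv4.icmp_echo_ignore_broadcasts',      '1'    ],
    [ 'net.ipv4.conf.default.send_redirects',      '0'    ],
    [ 'net.ipv4.conf.all.send_redirects',          '0'    ],
    [ 'net.ipv4.tcp_syncookies',                   '1'    ],
);
my %managed = map { $_->[0] => 1 } @params;

# Write out the new config: every existing line except prior settings of a
# managed key, so each key ends up defined exactly once (the last definition
# in sysctl.conf wins, so a stale earlier one must not survive).
open my $in,  '<', $sysctl_conf or die "Cannot read $sysctl_conf: $!";
open my $out, '>', $new_conf    or die "Cannot write $new_conf: $!";

LINE:
while (my $line = <$in>) {
    chomp $line;
    # Match "key = value" or "key=value", tolerating leading whitespace.  A
    # commented-out line is not a setting and is copied through unchanged.
    if ($line =~ /^\s*([\w.]+)\s*=/) {
        next LINE if $managed{$1};
    }
    print {$out} "$line\n" or die "Cannot write $new_conf: $!";
}
close $in or die "Cannot read $sysctl_conf: $!";

for my $param (@params) {
    my ($key, $value) = @$param;
    print {$out} "$key = $value\n" or die "Cannot write $new_conf: $!";
}
# Buffered write errors (e.g. disk full) surface only at close; check it.
close $out or die "Cannot write $new_conf: $!";

# The new file was created under the current umask; give it the original's
# mode so a tighter or looser umask cannot change who can read/write it.
my $mode = (stat $sysctl_conf)[2] & 07777;
chmod $mode, $new_conf or die "Cannot set mode on $new_conf: $!";

# Write new file back to active config file.  rename(2) is atomic on the same
# filesystem, so sysctl.conf is never observed half-written.
rename $new_conf, $sysctl_conf
    or die "Cannot replace $sysctl_conf with $new_conf: $!";

print "Updated $sysctl_conf (backup: $backup). Run 'sysctl -p' to apply.\n";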