#!/bin/bash
##Created by Steve Hajek @ LiquidwareLabs - Updated 7/30/2015
echo "Setting login banner, report header and UI footer..."
cat << EOF > /etc/issue
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests- -not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
EOF
/opt/tnt/bin/tntdbconf LOGIN_BANNER /etc/issue
/opt/tnt/bin/tntdbconf CUSTOM_HEADER 'Unclassified:\ For\ Official\ Use\ Only'
/opt/tnt/bin/tntdbconf CUSTOM_FOOTER 'Unclassified:\ For\ Official\ Use\ Only'

###RC4 Cipher Removal - Added 8/12/2015
echo "Removing RC4 Cipher from Tomcat and Apache..."
sed -i 's/ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:!MD5:!aNULL:!EDH/HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4/' /etc/lwl/httpd/httpd.conf
/sbin/service httpd restart
debug=0
retCode=0
interactive=0
# Default log file output
tfile=$0
noext=${tfile%.sh}
logfile="/home/friend/"${noext##*/}".log"

function log()
{
	if [ $# -eq 1 ]; then
		echo $(date +"%D %r"): $1 >> $logfile
		echo $(date +"%D %r"): $1
	fi
	if [ $# -eq 2 ]; then
		echo $1 >> $logfile
		echo $1
	fi
	return
}

function usage()
{
	echo "$0 [options]"
	echo " Options:"
	echo " [ -d | --debug] Enable debug mode"
	echo " [ -l | --logfile <path/file>]"
	echo " Log file path. Default=$logfile"
	echo " [ -h | --help | -?] Help on script usage with options."
}

log "Verifying if you are logged in as root..."
if [ $(id -u) != "0" ]; then
	log "Error: You must be logged in as root to run this script."
	exit 10
fi

if [ $# -eq 0 ]; then
	interactive=1
else 
	# Process command line arguments
	while [ "$1" != "" ]; do
		case $1 in
			-d | --debug )			shift
									set -x
									debug=1
									;;
			-l | --logfile )		shift
									logfile=$1
									;;
			-h | --help | -?)       usage
									exit 0
									;;
			* )                     usage
									exit 0
		esac
		shift
	done

fi

# Change to the folder
log "Changing to relevant folder..."
cd /var/lib/jakarta-tomcat/default/conf
retCode=$?
if [ $retCode -ne 0 ]; then
	log "Error: Changing to relevant folder..."
	exit 20
fi

# Backup file for safety
log "Create backup file for server-imanager.xml..."
cp server-imanager.xml server-imanager.xml.save
retCode=$?
if [ $retCode -ne 0 ]; then
	log "Error: Create backup file for server-imanager.xml..."
	exit 30
fi

# Remove the pattern
log "Removing the cipher from the file..."
sed -i 's/SSL_RSA_WITH_RC4_128_SHA,//g' server-imanager.xml
retCode=$?
if [ $retCode -ne 0 ]; then
	log "Error: Removing the cipher from the file..."
	exit 40
fi

# Restart Web Services
log "Restarting web services. Please wait..."
/sbin/sv force-restart tnt-backend
retCode=$?
if [ $retCode -ne 0 ]; then
	log "Error: Restarting web services..."
	exit 40
fi

log "Done."
###RC4 Cipher Removal END

###BEGIN Additions - 8/10/2015
echo "Setting secure permissions on logs and updating system files..."
chmod 640 /var/log/rpmpkg*
sed -i 's/\/bin\/chmod 0644 \/var\/log\/rpmpkgs/\/bin\/chmod 0640 \/var\/log\/rpmpkgs/' /etc/cron.daily/rpm
chmod -x /var/log/pgsql
echo "umask 0027" >>/etc/sysconfig/sysstat
chmod 640 /var/log/sa/*
/sbin/service sysstat restart
chmod 640 /var/log/sa/*
chmod 600 /etc/cron.deny
chmod 644 /etc/profile.d/*
chmod 640 /etc/ntp.conf
echo "maxpoll 10" >>/etc/ntp.conf
/sbin/service ntpd restart
/usr/sbin/authconfig --passalgo=sha512 --update
sed -i 's/crypt_style = md5/crypt_style = sha512/' /etc/libuser.conf
sed -i 's/MD5_CRYPT_ENAB no/MD5_CRYPT_ENAB yes/' /etc/login.defs
sed -i 's/NETWORKING_IPV6=yes/NETWORKING_IPV6=no/' /etc/sysconfig/network
echo "install ipv6 /bin/true" >>/etc/modprobe.conf
/sbin/depmod
echo "IPV6INIT=no" >>/etc/sysconfig/network-scripts/ifcfg-lo
sed -i 's/IPV6INIT=yes/IPV6INIT=no/' /etc/sysconfig/network-scripts/ifcfg-eth0
/sbin/service network restart
echo -n "Do you want to set a remote syslog server now? (Y/N) "      
        read choice
        if [ "$choice" == "y" ] || [ "$choice" == "Y" ]; then
                echo -n "Enter remote syslog server name or IP (Use servernameOrIp:port if using non-standard port.): "
				read server
				echo "*.* @"$server >>/etc/rsyslog.conf
        fi
rm -f /var/lib/jakarta-tomcat/default/work/ssCenter/localhost/vscenter/org/apache/jsp/index_jsp.java
###END Additions - 8/10/2015

echo "Setting password complexity and expirations for all local accounts..."
rm -f /etc/pam.d/system-auth
ln -sf /etc/pam.d/system-auth-lwl-rhel /etc/pam.d/system-auth
touch /etc/security/opasswd
chown root:root /etc/security/opasswd
chmod 0600 /etc/security/opasswd
grep -E '^\w+\:\$' /etc/shadow | cut -d: -f 1 | while read user; do passwd -x 60 -n 1 $user; done

echo "Removing tcpdump, wireshark and tnt-cap..."
rpm -e tcpdump wireshark tnt-cap

echo "Stopping and disabling kdump..."
/sbin/service kdump stop
/sbin/chkconfig kdump off

echo "Enabling auditd daemon and setting daily log rotation..."
/sbin/service auditd start
/sbin/chkconfig auditd on
sed -i -e 's/endscript/endscript\n\tdaily/' /etc/logrotate.d/syslog
kill -HUP `cat /var/run/syslogd.pid 2> /dev/null`
kill -HUP `cat /var/run/rsyslogd.pid 2> /dev/null`

echo "All changes complete.  Please wait at least 2 minutes for the UI to start responding again."
echo "While waiting for the webUI to begin responding, you can now change the passwords for the ssconsole, friend and root users so they have complex passwords going forward."
for user in ssconsole friend root; do
        echo -n "Change password for $user? (Y/N) "      
        read choice
        if [ "$choice" == "y" ] || [ "$choice" == "Y" ]; then
                passwd $user
        fi
done
echo "Done."
echo -n "A reboot is required for some changes to take effect, reboot now? (Y/N) "
        read choice
        if [ "$choice" == "y" ] || [ "$choice" == "Y" ]; then
			/usr/bin/reboot
        fi
