#!/bin/sh 

# CentOS CWIE Security changes - common

# Security requests we hard-code these to our local repo
sed -r -i -e 's/^mirrorlist/#mirrorlist/' /etc/yum.repos.d/CentOS-Base.repo
sed -r -i -e 's/^#baseurl/baseurl/' /etc/yum.repos.d/CentOS-Base.repo
sed -r -i -e 's/mirror.centos.org/centos-distro.cavecreek.net/' /etc/yum.repos.d/CentOS-Base.repo

yum -y erase acpid anacron atk Bluez-libss ccid ccid cups* desktop-file-utils dhcpv6-client dosfstools ed eject finger fontconfig gpm ipsec-tools iptables-ipv6 irda* ksh lftp liblCE liblDL libX* mesa* mkbootdisk nano nc nfs-utils pango pcmciautils ppp rdate rdist tcsh proftpd proftpd-mysql stress autofs ypbind yptools conman nfs-utils-lib nmap ftp talk tree screen curl dhclient dos2unix tcpdump rpmforge

yum -y install --disablerepo=centosplus aide kernel-PAE
yum -y update --disablerepo=centosplus kernel-headers
sed -r -i -e 's/^default=[0-9]/default=0/' /boot/grub/menu.lst
rpm -e --allmatches kernel

chkconfig netfs off
chkconfig nfslock off 
chkconfig sendmail off
chkconfig gpm off
chkconfig apmd off
chkconfig firstboot off
chkconfig mcstrans off
chkconfig mdmonitor off
chkconfig pcscd off
chkconfig smartd off
chkconfig messagebus off
chkconfig haldaemon off
chkconfig acpid off
chkconfig rpcidmapd off
chkconfig rpcgssd off
chkconfig portmap off
chkconfig ip6tables off

cd /usr/src
wget http://192.168.200.2/post/c5-security/aide.conf
mv -f aide.conf /etc/
# These are now done in the -web and -db scripts, so they happen at the end
#/usr/sbin/aide --init
#cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
echo "05 4 * * * root /usr/sbin/aide --check" >> /var/spool/cron/root

wget ftp://ftp.pbone.net/mirror/centos.karan.org/el5/extras/testing/i386/RPMS/eventlog-0.2.5-6.el5.kb.i386.rpm
wget ftp://ftp.pbone.net/mirror/ftp.silfreed.net/repo/rhel/5/i386/silfreednet/RPMS/syslog-ng-2.0.9-1.el5.i386.rpm
rpm -e --nodeps sysklogd
rpm -ivh eventlog-0.2.5-6.el5.kb.i386.rpm
rpm -ivh syslog-ng-2.0.9-1.el5.i386.rpm
/sbin/chkconfig syslog-ng --level 3 on

/usr/sbin/ntpdate pool.ntp.org
/sbin/chkconfig ntpd --level 2345 on
sed -r -i -e '/^server 0.centos.pool.ntp.org/d' \
          -e '/^server 1.centos.pool.ntp.org/d' \
          -e 's/^server 2.centos.pool.ntp.org/server ns1.cwie.net/' \
/etc/ntp.conf


cat > /etc/profile.d/tmout.sh <<EOF
TMOUT=900
readonly TMOUT
export TMOUT
EOF
chmod 755 /etc/profile.d/tmout.sh