2016-04-18 11:16:05 +02:00
#!/bin/bash
#
2017-03-10 17:46:39 +01:00
# CIS Debian 7/8 Hardening /!\ Not in the Guide
2016-04-18 11:16:05 +02:00
#
#
# 99.2 Disable USB Devices
#
set -e # One error, it's over
set -u # One variable unset, it's over
USER = 'root'
PATTERN = 'ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"' # We do test disabled by default, whitelist is up to you
FILES_TO_SEARCH = '/etc/udev/rules.d/*'
FILE = '/etc/udev/rules.d/10-CIS_99.2_usb_devices.sh'
# This function will be called if the script status is on enabled / audit mode
audit ( ) {
2016-04-25 15:15:49 +02:00
does_pattern_exist_in_file " $FILES_TO_SEARCH " " ^ $PATTERN "
2016-04-18 11:16:05 +02:00
if [ $FNRET != 0 ] ; then
2016-04-25 15:15:49 +02:00
crit " $PATTERN is not present in $FILES_TO_SEARCH "
2016-04-18 11:16:05 +02:00
else
2016-04-25 15:15:49 +02:00
ok " $PATTERN is present in $FILES_TO_SEARCH "
2016-04-18 11:16:05 +02:00
fi
}
# This function will be called if the script status is on enabled mode
apply ( ) {
2016-04-25 15:15:49 +02:00
does_pattern_exist_in_file " $FILES_TO_SEARCH " " ^ $PATTERN "
2016-04-18 11:16:05 +02:00
if [ $FNRET != 0 ] ; then
2016-04-25 15:15:49 +02:00
warn " $PATTERN is not present in $FILES_TO_SEARCH "
2016-04-18 11:16:05 +02:00
touch $FILE
chmod 644 $FILE
add_end_of_file $FILE '
# By default, disable all.
ACTION = = "add" , SUBSYSTEMS = = "usb" , TEST = = "authorized_default" , ATTR{ authorized_default} = "0"
# Enable hub devices.
ACTION = = "add" , ATTR{ bDeviceClass} = = "09" , TEST = = "authorized" , ATTR{ authorized} = "1"
# Enables keyboard devices
ACTION = = "add" , ATTR{ product} = = "*[Kk]eyboard*" , TEST = = "authorized" , ATTR{ authorized} = "1"
# PS2-USB converter
ACTION = = "add" , ATTR{ product} = = "*Thinnet TM*" , TEST = = "authorized" , ATTR{ authorized} = "1"
'
else
2016-04-25 15:15:49 +02:00
ok " $PATTERN is present in $FILES_TO_SEARCH "
2016-04-18 11:16:05 +02:00
fi
}
# This function will check config parameters required
check_config( ) {
:
}
# Source Root Dir Parameter
2016-04-18 17:39:14 +02:00
if [ ! -r /etc/default/cis-hardening ] ; then
echo "There is no /etc/default/cis-hardening file, cannot source CIS_ROOT_DIR variable, aborting"
2016-04-18 11:16:05 +02:00
exit 128
else
2016-04-18 17:39:14 +02:00
. /etc/default/cis-hardening
2016-04-21 23:19:50 +02:00
if [ -z ${ CIS_ROOT_DIR :- } ] ; then
2016-04-18 11:16:05 +02:00
echo "No CIS_ROOT_DIR variable, aborting"
2016-04-20 11:29:44 +02:00
exit 128
2016-04-18 11:16:05 +02:00
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
2016-04-21 23:19:50 +02:00
if [ -r $CIS_ROOT_DIR /lib/main.sh ] ; then
. $CIS_ROOT_DIR /lib/main.sh
else
echo " Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening "
exit 128
fi