# CIS Debian 7 Hardening Utility functions
#
# Service Boot Checks
#
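is_service_enabled() {
  # Check whether an init script is enabled at boot, i.e. whether at least
  # one S* start link named after it exists in any /etc/rc?.d/ directory.
  # Arguments: $1 - service (init script) name, e.g. "ssh"
  # Globals:   FNRET (written) - 0 if enabled, 1 otherwise
  # Outputs:   progress messages through debug()
  local SERVICE=$1
  local LINK_COUNT

  # An empty name would turn the pattern into a bare "S*" and report
  # "enabled" as soon as any start link exists, so treat it as "not enabled".
  if [ -z "$SERVICE" ]; then
    debug "No service name given, cannot check whether it is enabled"
    FNRET=1
    return
  fi

  # Declare and assign separately so a failing find is not masked by local.
  LINK_COUNT=$(find /etc/rc?.d/ -name "S*${SERVICE}" -print | wc -l)
  if [ "$LINK_COUNT" -gt 0 ]; then
    debug "Service $SERVICE is enabled"
    FNRET=0
  else
    debug "Service $SERVICE is disabled"
    FNRET=1
  fi
}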
#
# Kernel Options checks
#
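is_kernel_option_enabled() {
  # Look up a kernel build option in /proc/config.gz.
  # Arguments: $1 - option name as written in the config, e.g. CONFIG_AUDIT
  # Globals:   FNRET (written)  - 0 if set to y, 1 if set to n, 2 if not found
  #            RESULT, ANSWER (written) - matching config line(s) and the
  #                                       value parsed from them
  # Outputs:   progress messages through debug()
  local KERNEL_OPTION=$1
  local EXACT

  # Without a readable config there is nothing to search; report "not found"
  # (FNRET=2) exactly as the lookup below would, but say why.
  if [ ! -r /proc/config.gz ]; then
    debug "/proc/config.gz is not readable, cannot check kernel option $KERNEL_OPTION"
    FNRET=2
    return
  fi

  # Case-insensitive substring match; "# CONFIG_X is not set" lines are dropped.
  RESULT=$(zgrep -i "$KERNEL_OPTION" /proc/config.gz | grep -vE "^#") || :

  # A substring match also catches longer names (CONFIG_FOO matches
  # CONFIG_FOO_BAR), which made RESULT multi-line and the value compare fail
  # with a spurious "not found".  When a line whose key is exactly the
  # requested option exists, keep only that line.
  EXACT=$(grep -iE "^${KERNEL_OPTION}=" <<< "$RESULT") || :
  if [ -n "$EXACT" ]; then
    RESULT=$EXACT
  fi

  ANSWER=$(cut -d = -f 2 <<< "$RESULT")
  if [ "x$ANSWER" = "xy" ]; then
    debug "Kernel option $KERNEL_OPTION enabled"
    FNRET=0
  elif [ "x$ANSWER" = "xn" ]; then
    debug "Kernel option $KERNEL_OPTION disabled"
    FNRET=1
  else
    debug "Kernel option $KERNEL_OPTION not found"
    FNRET=2 # Not found
  fi
}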
#
# Mounting point manipulation
#
# Verify $1 is a partition declared in fstab
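is_a_partition() {
  # Check whether $1 appears as a whitespace-delimited field of a non-comment
  # line in /etc/fstab (normally the mount point column).
  # Arguments: $1 - mount point, e.g. /tmp
  # Globals:   FNRET (written) - 0 if found, 1 otherwise
  # Outputs:   progress messages through debug()
  local PARTITION_NAME=$1

  # The pipeline is run directly as the condition; the old `if $(...)` form
  # only worked because the command substitution expanded to nothing.
  # The lookup is a regex, so metacharacters in the mount point ("." most
  # commonly) can only widen the match, never miss the literal name.
  if grep "[[:space:]]${PARTITION_NAME}[[:space:]]" /etc/fstab | grep -vqE "^#"; then
    debug "$PARTITION_NAME found in fstab"
    FNRET=0
  else
    debug "Unable to find $PARTITION_NAME in fstab"
    FNRET=1
  fi
}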
# Verify that $1 is mounted at runtime
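is_mounted() {
  # Check whether $1 is currently mounted, by looking it up as a
  # whitespace-delimited field of /proc/mounts.
  # Arguments: $1 - mount point, e.g. /tmp
  # Globals:   FNRET (written) - 0 if mounted, 1 otherwise
  # Outputs:   progress messages through debug()
  local PARTITION_NAME=$1

  # grep is the condition itself (the old `if $(...)` form relied on the
  # substitution expanding to an empty command).  Messages now print the
  # local name; they used to reference an unset $PARTITION.
  if grep -q "[[:space:]]${PARTITION_NAME}[[:space:]]" /proc/mounts; then
    debug "$PARTITION_NAME found in /proc/mounts, it's mounted"
    FNRET=0
  else
    debug "Unable to find $PARTITION_NAME in /proc/mounts"
    FNRET=1
  fi
}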
# Verify $1 has the proper option $2 in fstab
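has_mount_option() {
  # Check whether the fstab entry for $1 lists mount option $2.
  # Arguments: $1 - mount point, e.g. /tmp
  #            $2 - mount option, e.g. nodev (or key=value, e.g. size=512M)
  # Globals:   FNRET (written) - 0 if the option is present, 1 otherwise
  # Outputs:   progress messages through debug()
  local PARTITION=$1
  local OPTION=$2

  # Field 4 of the matching non-comment line is the comma-separated option
  # list.  It is split on commas and compared token by token: the previous
  # plain substring test accepted "nodev" as a match for "dev" and
  # "errors=remount-ro" as a match for "ro", i.e. it could report a
  # hardening option as present when it is not.
  if grep "[[:space:]]${PARTITION}[[:space:]]" /etc/fstab | grep -vE "^#" \
      | awk '{print $4}' | tr ',' '\n' | grep -qxF -- "$OPTION"; then
    debug "$OPTION has been detected in fstab for partition $PARTITION"
    FNRET=0
  else
    debug "Unable to find $OPTION in fstab for partition $PARTITION"
    FNRET=1
  fi
}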
# Verify $1 has the proper option $2 at runtime
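has_mounted_option() {
  # Check whether the live mount of $1 (as seen in /proc/mounts) carries
  # mount option $2.
  # Arguments: $1 - mount point, e.g. /tmp
  #            $2 - mount option, e.g. nosuid (or key=value)
  # Globals:   FNRET (written) - 0 if the option is present, 1 otherwise
  # Outputs:   progress messages through debug()
  local PARTITION=$1
  local OPTION=$2

  # Field 4 of /proc/mounts is the comma-separated option list; compare it
  # token by token so that "nosuid" is not mistaken for "suid" and
  # "errors=remount-ro" is not mistaken for "ro".
  if grep "[[:space:]]${PARTITION}[[:space:]]" /proc/mounts \
      | awk '{print $4}' | tr ',' '\n' | grep -qxF -- "$OPTION"; then
    debug "$OPTION has been detected in /proc/mounts for partition $PARTITION"
    FNRET=0
  else
    debug "Unable to find $OPTION in /proc/mounts for partition $PARTITION"
    FNRET=1
  fi
}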
# Setup mount option in fstab
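add_option_to_fstab() {
  # Append mount option $2 to the option list of the fstab entry for $1.
  # Arguments: $1 - mount point, e.g. /home
  #            $2 - mount option to add, e.g. nodev
  # Outputs:   progress messages through debug(); rewrites /etc/fstab in
  #            place after saving a copy through backup_file()
  # Notes:     the option is appended unconditionally, callers are expected
  #            to test with has_mount_option first.  Neither argument may
  #            contain ";", the sed delimiter, and regex metacharacters in
  #            the mount point are not escaped.
  local PARTITION=$1
  local OPTION=$2
  local SED_EXPR

  debug "Setting $OPTION for $PARTITION in fstab"
  backup_file "/etc/fstab"

  # Match a non-comment line whose second field is exactly $PARTITION and
  # capture everything up to and including the fourth (options) field, then
  # append ",$OPTION" to that capture.  The old expression started with a
  # greedy ".*", did not exclude comment lines and relied on an ambiguous
  # repeated group for the option field.
  # For example :
  # /dev/sda9 /home ext4 auto,acl,errors=remount-ro 0 2
  # /dev/sda9 /home ext4 auto,acl,errors=remount-ro,nodev 0 2
  SED_EXPR="s;^\([[:space:]]*[^#[:space:]][^[:space:]]*[[:space:]]\{1,\}${PARTITION}[[:space:]]\{1,\}[^[:space:]]\{1,\}[[:space:]]\{1,\}[^[:space:]]\{1,\}\);\1,${OPTION};"
  debug "Sed command : sed -i -e \"$SED_EXPR\" /etc/fstab"
  # "-i -e", not "-ie": the latter is parsed as -i with backup suffix "e"
  # and leaves a stray /etc/fstabe behind on every run.
  sed -i -e "$SED_EXPR" /etc/fstab
}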
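remount_partition() {
  # Remount $1 so that options just written to /etc/fstab take effect.
  # Arguments: $1 - mount point, e.g. /home
  # Outputs:   progress message through debug(); runs mount -o remount
  local PARTITION=$1

  debug "Remounting $PARTITION"
  # Quoted so a mount point containing whitespace reaches mount as one word.
  mount -o remount "$PARTITION"
}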
#
# Helper functions to work with apt
#
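apt_update_if_needed() {
  # Refresh the apt package cache unless it was refreshed recently.
  # Arguments: $1 - maximum accepted cache age in seconds (optional,
  #                 default 21600 = 6 hours, the value previously hard-coded)
  # Outputs:   none; apt-get's own output is discarded
  local MAX_AGE=${1:-21600}
  local CACHE=/var/cache/apt/pkgcache.bin
  local UPDATE_AGE
  local NEED_UPDATE=1

  if [ -e "$CACHE" ]; then
    # Cache age = now - last modification time of pkgcache.bin.
    UPDATE_AGE=$(( $(date +%s) - $(stat -c '%Y' "$CACHE") ))
    if [ "$UPDATE_AGE" -le "$MAX_AGE" ]; then
      NEED_UPDATE=0
    fi
  fi
  # No cache at all, or a cache older than MAX_AGE: refresh the database.
  # apt-get output and failures are deliberately silenced, as before.
  if [ "$NEED_UPDATE" -eq 1 ]; then
    apt-get update -y >/dev/null 2>/dev/null
  fi
}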
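apt_check_updates() {
  # Simulate an apt-get upgrade and report whether packages would be upgraded.
  # Arguments: $1 - label used in the temporary file name (e.g. the check name)
  # Globals:   FNRET (written)  - 0 if no updates, 1 if updates are available,
  #                               128 if the check could not run
  #            RESULT (written) - human readable summary; when updates exist,
  #                               the "Inst ..." lines joined after a literal \n
  local NAME="$1"
  local DETAILS COUNT

  FNRET=128 # Unknown function return result
  RESULT="" # Result output for upgrade

  # /dev/shm is world-writable: the fixed, predictable "/dev/shm/$NAME" used
  # before could be pre-created or symlinked by another local user and the
  # apt output written through it.  Let mktemp pick a fresh private name.
  # Results are reported through FNRET, so the exit status stays 0.
  if ! DETAILS=$(mktemp "/dev/shm/${NAME}.XXXXXX"); then
    RESULT="Unable to create a temporary file for apt output"
    return 0
  fi

  apt-get upgrade -s 2>/dev/null | grep -E "^Inst" > "$DETAILS" || :
  # Assigned separately from the declaration so wc's status is not masked.
  COUNT=$(wc -l < "$DETAILS")

  if [ "$COUNT" -gt 0 ]; then
    RESULT="There is $COUNT updates available :\n$(cat "$DETAILS")"
    FNRET=1
  else
    RESULT="OK, no updates available"
    FNRET=0
  fi
  rm -f -- "$DETAILS"
}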
#
# Returns if a package is installed
#
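is_installed() {
  # Check whether a Debian package is installed according to dpkg.
  # Arguments: $1 - package name, e.g. openssh-server
  # Globals:   FNRET (written) - 0 if installed, 1 otherwise
  local PKG_NAME=$1

  # Only a dpkg status line beginning with "install " counts as installed.
  # FNRET=1 used to be set unconditionally after the if, so the function
  # reported every package as not installed; it is now the else branch.
  if dpkg -s "$PKG_NAME" 2>/dev/null | grep -q '^Status: install '; then
    FNRET=0
  else
    FNRET=1
  fi
}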