#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening Bonus Check
#
#
# 99.1.1.23 Disable USB Devices
#
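set -e # One error, it's over
set -u # One variable unset, it's over
# Account the check is expected to run as; presumably consumed by the sourced
# lib/main.sh (not visible here).
USER='root'

# shellcheck disable=2034
DESCRIPTION="USB devices are disabled."
# Anchored (with "^" by the callers) and handed to does_pattern_exist_in_file:
# the udev rule that refuses every newly added USB device by default.
# We do test disabled by default, whitelist is up to you.
PATTERN='ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"'
# Space-separated list of files/directories scanned for $PATTERN.
FILES_TO_SEARCH='/etc/udev/rules.d'
# Rules file apply() creates when $PATTERN is found nowhere.
# udev(7) only loads files in rules.d whose name ends in ".rules"; the former
# ".sh" name was ignored by udev, so the deny-by-default rule written by
# apply() was never enforced even though audit() reported it as present.
FILE='/etc/udev/rules.d/10-CIS_99.2_usb_devices.rules'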
# This function will be called if the script status is on enabled / audit mode
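audit() {
  # Report whether the deny-by-default USB rule ($PATTERN) exists in any entry
  # of $FILES_TO_SEARCH. A directory is scanned file by file (listed through
  # $SUDO_CMD so a non-root audit can still read it); any other entry is
  # checked directly. debug/ok/crit and does_pattern_exist_in_file come from
  # the sourced lib; the latter leaves its result in FNRET (0 = match found).
  # How "^$PATTERN" is matched (regex flavour, quoting) is defined by that
  # helper, not here.
  SEARCH_RES=0
  for FILE_SEARCHED in $FILES_TO_SEARCH; do
    if [ "$SEARCH_RES" = 1 ]; then break; fi
    if $SUDO_CMD test -d "$FILE_SEARCHED"; then
      debug "$FILE_SEARCHED is a directory"
      # Read the listing one entry per line instead of word-splitting
      # $(ls $dir): an unquoted path and names containing blanks or glob
      # characters were mangled before. The loop is fed by a process
      # substitution (not a pipe) so SEARCH_RES set inside it survives.
      while IFS= read -r file_in_dir; do
        [ -n "$file_in_dir" ] || continue
        does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN"
        if [ "$FNRET" != 0 ]; then
          debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
        else
          ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir"
          SEARCH_RES=1
          break
        fi
      done < <($SUDO_CMD ls -1 -- "$FILE_SEARCHED")
    else
      does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
      if [ "$FNRET" != 0 ]; then
        debug "$PATTERN is not present in $FILE_SEARCHED"
      else
        ok "$PATTERN is present in $FILES_TO_SEARCH"
        SEARCH_RES=1
      fi
    fi
  done
  # Nothing matched anywhere: USB devices are not disabled by default.
  if [ "$SEARCH_RES" = 0 ]; then
    crit "$PATTERN is not present in $FILES_TO_SEARCH"
  fi
}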
# This function will be called if the script status is on enabled mode
apply() {
  # Look for the deny-by-default USB rule ($PATTERN) under $FILES_TO_SEARCH.
  # When it is found nowhere, create $FILE (mode 644) and append the default
  # rule set: refuse every new USB device, then re-authorize hubs, devices
  # whose product string contains "keyboard", and one PS2-USB converter.
  # debug/ok/warn, does_pattern_exist_in_file (result in FNRET, 0 = found)
  # and add_end_of_file are provided by the sourced lib.
  SEARCH_RES=0
  for FILE_SEARCHED in $FILES_TO_SEARCH; do
    if [ "$SEARCH_RES" = 1 ]; then
      break
    fi
    if ! test -d "$FILE_SEARCHED"; then
      # Plain file: check it directly.
      does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
      if [ "$FNRET" = 0 ]; then
        ok "$PATTERN is present in $FILES_TO_SEARCH"
        SEARCH_RES=1
      else
        debug "$PATTERN is not present in $FILE_SEARCHED"
      fi
      continue
    fi
    debug "$FILE_SEARCHED is a directory"
    for rules_file in "$FILE_SEARCHED"/*; do
      [[ -e "$rules_file" ]] || break # handle the case of no file in dir
      does_pattern_exist_in_file "$rules_file" "^$PATTERN"
      if [ "$FNRET" = 0 ]; then
        ok "$PATTERN is present in $rules_file"
        SEARCH_RES=1
        break
      fi
      debug "$PATTERN is not present in $rules_file"
    done
  done
  if [ "$SEARCH_RES" = 1 ]; then
    return
  fi
  warn "$PATTERN is not present in $FILES_TO_SEARCH"
  touch "$FILE"
  chmod 644 "$FILE"
  # NOTE(review): the keyboard and converter entries below match on
  # ATTR{product}, i.e. the string the device reports about itself, so the
  # whitelist trusts the device's own description. Narrow it to your fleet
  # (and review /etc/udev/rules.d) if that is too permissive for your site.
  add_end_of_file "$FILE" '
# By default, disable all.
ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"
# Enable hub devices.
ACTION=="add", ATTR{bDeviceClass}=="09", TEST=="authorized", ATTR{authorized}="1"
# Enables keyboard devices
ACTION=="add", ATTR{product}=="*[Kk]eyboard*", TEST=="authorized", ATTR{authorized}="1"
# PS2-USB converter
ACTION=="add", ATTR{product}=="*Thinnet TM*", TEST=="authorized", ATTR{authorized}="1"
'
}
# This function will check config parameters required
check_config() {
  # This check needs no configuration parameters, so there is nothing to
  # validate; succeed unconditionally.
  true
}
# Source Root Dir Parameter
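if [ -r /etc/default/cis-hardening ]; then
  # shellcheck source=../../debian/default
  . /etc/default/cis-hardening
fi
# "${CIS_ROOT_DIR:-}" rather than "$CIS_ROOT_DIR": this script runs with
# "set -u", so when the default file is absent and the variable was never
# exported, the bare expansion aborts with "unbound variable" before the
# explanatory messages below can be printed.
if [ -z "${CIS_ROOT_DIR:-}" ]; then
  echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
  echo "Cannot source CIS_ROOT_DIR variable, aborting."
  exit 128
fi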
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Guard clause: without a readable lib/main.sh there is nothing to run.
if [ ! -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
  echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
  exit 128
fi
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh