debian-cis/bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh

#!/bin/bash

# run-shellcheck
#
# CIS Debian Hardening
#

#
# 5.2.8 Set SSH IgnoreRhosts to Yes (Scored)
#

set -e # One error, it's over
set -u # One variable unset, it's over

# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Set SSH IgnoreRhosts to Yes."

PACKAGE='openssh-server'
OPTIONS=''
FILE='/etc/ssh/sshd_config'

# This function will be called if the script status is on enabled / audit mode
audit () {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" != 0 ]; then
        crit "$PACKAGE is not installed!"
    else
        ok "$PACKAGE is installed"
        for SSH_OPTION in $OPTIONS; do
            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
            does_pattern_exist_in_file $FILE "$PATTERN"
            if [ "$FNRET" = 0 ]; then
                ok "$PATTERN is present in $FILE"
            else
                crit "$PATTERN is not present in $FILE"
            fi
        done
    fi
}

# This function will be called if the script status is on enabled mode
apply () {
    is_pkg_installed "$PACKAGE"
    if [ "$FNRET" = 0 ]; then
        ok "$PACKAGE is installed"
    else
        crit "$PACKAGE is absent, installing it"
        apt_install $PACKAGE
    fi
    for SSH_OPTION in $OPTIONS; do
            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
            does_pattern_exist_in_file $FILE "$PATTERN"
            if [ "$FNRET" = 0 ]; then
                ok "$PATTERN is present in $FILE"
            else
                warn "$PATTERN is not present in $FILE, adding it"
                does_pattern_exist_in_file $FILE "^$SSH_PARAM"
                if [ "$FNRET" != 0 ]; then
                    add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
                else
                    info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
                    replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
                fi
                /etc/init.d/ssh reload
            fi
    done
}

# This function will check config parameters required
check_config() {
    :
}

create_config() {
    cat << EOF
# shellcheck disable=2034
status=audit
# Put here the rhosts boolean for ssh
OPTIONS='IgnoreRhosts=yes'
EOF
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
    . /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
     echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi

# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi
9.2.1_enable_cracklib.sh 9.2.2_enable_lockout_failed_password.sh 9.2.3_limit_password_reuse.sh 9.3.10_disable_sshd_setenv.sh 9.3.11_sshd_ciphers.sh 9.3.12_sshd_idle_timeout.sh 9.3.13_sshd_limit_access.sh 9.3.14_ssh_banner.sh 9.3.2_sshd_loglevel.sh 9.3.1_sshd_protocol.sh 9.3.3_sshd_conf_perm_ownership.sh 9.3.4_disable_x11_forwarding.sh 9.3.5_sshd_maxauthtries.sh 9.3.6_enable_sshd_ignorerhosts.sh 9.3.7_disable_sshd_hostbasedauthentication.sh 9.3.8_disable_root_login.sh 9.3.9_disable_sshd_permitemptypasswords.sh 2016-04-15 14:24:45 +02:00			`#!/bin/bash`

IMP(shellcheck): add run-shellcheck prefix 2020-11-23 17:10:37 +01:00			`# run-shellcheck`
9.2.1_enable_cracklib.sh 9.2.2_enable_lockout_failed_password.sh 9.2.3_limit_password_reuse.sh 9.3.10_disable_sshd_setenv.sh 9.3.11_sshd_ciphers.sh 9.3.12_sshd_idle_timeout.sh 9.3.13_sshd_limit_access.sh 9.3.14_ssh_banner.sh 9.3.2_sshd_loglevel.sh 9.3.1_sshd_protocol.sh 9.3.3_sshd_conf_perm_ownership.sh 9.3.4_disable_x11_forwarding.sh 9.3.5_sshd_maxauthtries.sh 9.3.6_enable_sshd_ignorerhosts.sh 9.3.7_disable_sshd_hostbasedauthentication.sh 9.3.8_disable_root_login.sh 9.3.9_disable_sshd_permitemptypasswords.sh 2016-04-15 14:24:45 +02:00			`#`
Update debian 7/8/9 in help files and remove in generic scripts 2019-02-06 15:19:14 +01:00			`# CIS Debian Hardening`
9.2.1_enable_cracklib.sh 9.2.2_enable_lockout_failed_password.sh 9.2.3_limit_password_reuse.sh 9.3.10_disable_sshd_setenv.sh 9.3.11_sshd_ciphers.sh 9.3.12_sshd_idle_timeout.sh 9.3.13_sshd_limit_access.sh 9.3.14_ssh_banner.sh 9.3.2_sshd_loglevel.sh 9.3.1_sshd_protocol.sh 9.3.3_sshd_conf_perm_ownership.sh 9.3.4_disable_x11_forwarding.sh 9.3.5_sshd_maxauthtries.sh 9.3.6_enable_sshd_ignorerhosts.sh 9.3.7_disable_sshd_hostbasedauthentication.sh 9.3.8_disable_root_login.sh 9.3.9_disable_sshd_permitemptypasswords.sh 2016-04-15 14:24:45 +02:00			`#`

			`#`
Renum ssh config check 9.3.x to 5.2.x Also renum 99.x checks that were included in CIS recommendations renamed: bin/hardening/9.3.8_disable_root_login.sh -> bin/hardening/5.2.10_disable_root_login.sh renamed: bin/hardening/9.3.9_disable_sshd_permitemptypasswords.sh -> bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh renamed: bin/hardening/9.3.10_disable_sshd_setenv.sh -> bin/hardening/5.2.12_disable_sshd_setenv.sh renamed: bin/hardening/9.3.11_sshd_ciphers.sh -> bin/hardening/5.2.13_sshd_ciphers.sh renamed: bin/hardening/99.5.2.2_ssh_cry_mac.sh -> bin/hardening/5.2.14_ssh_cry_mac.sh renamed: bin/hardening/99.5.2.1_ssh_cry_kex.sh -> bin/hardening/5.2.15_ssh_cry_kex.sh renamed: bin/hardening/9.3.12_sshd_idle_timeout.sh -> bin/hardening/5.2.16_sshd_idle_timeout.sh renamed: bin/hardening/9.3.13_sshd_limit_access.sh -> bin/hardening/5.2.18_sshd_limit_access.sh renamed: bin/hardening/9.3.14_ssh_banner.sh -> bin/hardening/5.2.19_ssh_banner.sh renamed: bin/hardening/9.3.3_sshd_conf_perm_ownership.sh -> bin/hardening/5.2.1_sshd_conf_perm_ownership.sh renamed: bin/hardening/9.3.1_sshd_protocol.sh -> bin/hardening/5.2.4_sshd_protocol.sh renamed: bin/hardening/9.3.2_sshd_loglevel.sh -> bin/hardening/5.2.5_sshd_loglevel.sh renamed: bin/hardening/9.3.4_disable_x11_forwarding.sh -> bin/hardening/5.2.6_disable_x11_forwarding.sh renamed: bin/hardening/9.3.5_sshd_maxauthtries.sh -> bin/hardening/5.2.7_sshd_maxauthtries.sh renamed: bin/hardening/9.3.6_enable_sshd_ignorerhosts.sh -> bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh renamed: bin/hardening/9.3.7_disable_sshd_hostbasedauthentication.sh -> bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh renamed: tests/hardening/9.3.9_disable_sshd_permitemptypasswords.sh -> tests/hardening/5.2.10_disable_root_login.sh renamed: tests/hardening/9.3.8_disable_root_login.sh -> tests/hardening/5.2.11_disable_sshd_permitemptypasswords.sh renamed: tests/hardening/9.3.7_disable_sshd_hostbasedauthentication.sh -> tests/hardening/5.2.12_disable_sshd_setenv.sh renamed: tests/hardening/9.3.6_enable_sshd_ignorerhosts.sh -> tests/hardening/5.2.13_sshd_ciphers.sh renamed: tests/hardening/99.5.2.2_ssh_cry_mac.sh -> tests/hardening/5.2.14_ssh_cry_mac.sh renamed: tests/hardening/99.5.2.1_ssh_cry_kex.sh -> tests/hardening/5.2.15_ssh_cry_kex.sh renamed: tests/hardening/9.3.5_sshd_maxauthtries.sh -> tests/hardening/5.2.16_sshd_idle_timeout.sh renamed: tests/hardening/9.3.4_disable_x11_forwarding.sh -> tests/hardening/5.2.18_sshd_limit_access.sh renamed: tests/hardening/9.3.3_sshd_conf_perm_ownership.sh -> tests/hardening/5.2.19_ssh_banner.sh renamed: tests/hardening/9.3.1_sshd_protocol.sh -> tests/hardening/5.2.1_sshd_conf_perm_ownership.sh renamed: tests/hardening/9.3.14_ssh_banner.sh -> tests/hardening/5.2.4_sshd_protocol.sh renamed: tests/hardening/9.3.2_sshd_loglevel.sh -> tests/hardening/5.2.5_sshd_loglevel.sh renamed: tests/hardening/9.3.13_sshd_limit_access.sh -> tests/hardening/5.2.6_disable_x11_forwarding.sh renamed: tests/hardening/9.3.12_sshd_idle_timeout.sh -> tests/hardening/5.2.7_sshd_maxauthtries.sh renamed: tests/hardening/9.3.11_sshd_ciphers.sh -> tests/hardening/5.2.8_enable_sshd_ignorerhosts.sh renamed: tests/hardening/9.3.10_disable_sshd_setenv.sh -> tests/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh 2019-09-11 17:12:54 +02:00			`# 5.2.8 Set SSH IgnoreRhosts to Yes (Scored)`
9.2.1_enable_cracklib.sh 9.2.2_enable_lockout_failed_password.sh 9.2.3_limit_password_reuse.sh 9.3.10_disable_sshd_setenv.sh 9.3.11_sshd_ciphers.sh 9.3.12_sshd_idle_timeout.sh 9.3.13_sshd_limit_access.sh 9.3.14_ssh_banner.sh 9.3.2_sshd_loglevel.sh 9.3.1_sshd_protocol.sh 9.3.3_sshd_conf_perm_ownership.sh 9.3.4_disable_x11_forwarding.sh 9.3.5_sshd_maxauthtries.sh 9.3.6_enable_sshd_ignorerhosts.sh 9.3.7_disable_sshd_hostbasedauthentication.sh 9.3.8_disable_root_login.sh 9.3.9_disable_sshd_permitemptypasswords.sh 2016-04-15 14:24:45 +02:00			`#`

			`set -e # One error, it's over`
			`set -u # One variable unset, it's over`

IMP(shellcheck): comply with shellcheck rules I added shellcheck prefixes to fix: * SC1091 (following sourced files) * SC2034 (unused variables) 2020-11-27 09:18:00 +01:00			`# shellcheck disable=2034`
add hardening templating and several enhancements 2017-05-18 18:40:09 +02:00			`HARDENING_LEVEL=2`
IMP(shellcheck): comply with shellcheck rules I added shellcheck prefixes to fix: * SC1091 (following sourced files) * SC2034 (unused variables) 2020-11-27 09:18:00 +01:00			`# shellcheck disable=2034`
Adding batch mode to output just one line of text (no colors) in order to be parsed by computer tools Adding DESCRIPTION field in tests and [INFO] DESCRIPTION in main Update README with --batch mode info Add --batch mode in hardening.sh Change summary to make it oneliner when batch mode AUDIT_SUMMARY PASSED_CHECKS:95 RUN_CHECKS:191 TOTAL_CHECKS_AVAIL:191 CONFORMITY_PERCENTAGE:49.74 2017-10-31 17:44:15 +01:00			`DESCRIPTION="Set SSH IgnoreRhosts to Yes."`
add hardening templating and several enhancements 2017-05-18 18:40:09 +02:00
9.2.1_enable_cracklib.sh 9.2.2_enable_lockout_failed_password.sh 9.2.3_limit_password_reuse.sh 9.3.10_disable_sshd_setenv.sh 9.3.11_sshd_ciphers.sh 9.3.12_sshd_idle_timeout.sh 9.3.13_sshd_limit_access.sh 9.3.14_ssh_banner.sh 9.3.2_sshd_loglevel.sh 9.3.1_sshd_protocol.sh 9.3.3_sshd_conf_perm_ownership.sh 9.3.4_disable_x11_forwarding.sh 9.3.5_sshd_maxauthtries.sh 9.3.6_enable_sshd_ignorerhosts.sh 9.3.7_disable_sshd_hostbasedauthentication.sh 9.3.8_disable_root_login.sh 9.3.9_disable_sshd_permitemptypasswords.sh 2016-04-15 14:24:45 +02:00			`PACKAGE='openssh-server'`
IMP(5.2.x): add tests and default_config I added tests from 5.2.4 to 5.2.19 and default_config files in the checks. This checks concern sshd conf (ciphers, mac, rootlogin, ...) modifié : bin/hardening/5.2.4_sshd_protocol.sh modifié : bin/hardening/5.2.6_disable_x11_forwarding.sh modifié : bin/hardening/5.2.7_sshd_maxauthtries.sh modifié : bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh modifié : bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh modifié : bin/hardening/5.2.10_disable_root_login.sh modifié : bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh modifié : bin/hardening/5.2.12_disable_sshd_setenv.sh modifié : bin/hardening/5.2.13_sshd_ciphers.sh modifié : bin/hardening/5.2.16_sshd_idle_timeout.sh modifié : bin/hardening/5.2.17_sshd_login_grace_time.sh modifié : tests/hardening/5.2.4_sshd_protocol.sh modifié : tests/hardening/5.2.5_sshd_loglevel.sh modifié : tests/hardening/5.2.6_disable_x11_forwarding.sh modifié : tests/hardening/5.2.7_sshd_maxauthtries.sh modifié : tests/hardening/5.2.8_enable_sshd_ignorerhosts.sh modifié : tests/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh modifié : tests/hardening/5.2.10_disable_root_login.sh modifié : tests/hardening/5.2.11_disable_sshd_permitemptypasswords.sh modifié : tests/hardening/5.2.12_disable_sshd_setenv.sh modifié : tests/hardening/5.2.13_sshd_ciphers.sh modifié : tests/hardening/5.2.16_sshd_idle_timeout.sh modifié : tests/hardening/5.2.17_sshd_login_grace_time.sh modifié : tests/hardening/5.2.18_sshd_limit_access.sh modifié : tests/hardening/5.2.19_ssh_banner.sh 2020-10-29 11:18:31 +01:00			`OPTIONS=''`
9.2.1_enable_cracklib.sh 9.2.2_enable_lockout_failed_password.sh 9.2.3_limit_password_reuse.sh 9.3.10_disable_sshd_setenv.sh 9.3.11_sshd_ciphers.sh 9.3.12_sshd_idle_timeout.sh 9.3.13_sshd_limit_access.sh 9.3.14_ssh_banner.sh 9.3.2_sshd_loglevel.sh 9.3.1_sshd_protocol.sh 9.3.3_sshd_conf_perm_ownership.sh 9.3.4_disable_x11_forwarding.sh 9.3.5_sshd_maxauthtries.sh 9.3.6_enable_sshd_ignorerhosts.sh 9.3.7_disable_sshd_hostbasedauthentication.sh 9.3.8_disable_root_login.sh 9.3.9_disable_sshd_permitemptypasswords.sh 2016-04-15 14:24:45 +02:00			`FILE='/etc/ssh/sshd_config'`

			`# This function will be called if the script status is on enabled / audit mode`
			`audit () {`
IMP(shellcheck): quoting harmless variables (SC2086) 2020-11-27 09:29:11 +01:00			`is_pkg_installed "$PACKAGE"`
			`if [ "$FNRET" != 0 ]; then`
Rephrase confusing messages 2016-04-21 18:32:36 +02:00			`crit "$PACKAGE is not installed!"`
9.2.1_enable_cracklib.sh 9.2.2_enable_lockout_failed_password.sh 9.2.3_limit_password_reuse.sh 9.3.10_disable_sshd_setenv.sh 9.3.11_sshd_ciphers.sh 9.3.12_sshd_idle_timeout.sh 9.3.13_sshd_limit_access.sh 9.3.14_ssh_banner.sh 9.3.2_sshd_loglevel.sh 9.3.1_sshd_protocol.sh 9.3.3_sshd_conf_perm_ownership.sh 9.3.4_disable_x11_forwarding.sh 9.3.5_sshd_maxauthtries.sh 9.3.6_enable_sshd_ignorerhosts.sh 9.3.7_disable_sshd_hostbasedauthentication.sh 9.3.8_disable_root_login.sh 9.3.9_disable_sshd_permitemptypasswords.sh 2016-04-15 14:24:45 +02:00			`else`
			`ok "$PACKAGE is installed"`
			`for SSH_OPTION in $OPTIONS; do`
			`SSH_PARAM=$(echo $SSH_OPTION \| cut -d= -f 1)`
			`SSH_VALUE=$(echo $SSH_OPTION \| cut -d= -f 2)`
			`PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"`
debian dependencies fix, rephrasing, revision bump 1.0-8. 2016-04-25 15:15:49 +02:00			`does_pattern_exist_in_file $FILE "$PATTERN"`
IMP(shellcheck): quoting harmless variables (SC2086) 2020-11-27 09:29:11 +01:00			`if [ "$FNRET" = 0 ]; then`
9.2.1_enable_cracklib.sh 9.2.2_enable_lockout_failed_password.sh 9.2.3_limit_password_reuse.sh 9.3.10_disable_sshd_setenv.sh 9.3.11_sshd_ciphers.sh 9.3.12_sshd_idle_timeout.sh 9.3.13_sshd_limit_access.sh 9.3.14_ssh_banner.sh 9.3.2_sshd_loglevel.sh 9.3.1_sshd_protocol.sh 9.3.3_sshd_conf_perm_ownership.sh 9.3.4_disable_x11_forwarding.sh 9.3.5_sshd_maxauthtries.sh 9.3.6_enable_sshd_ignorerhosts.sh 9.3.7_disable_sshd_hostbasedauthentication.sh 9.3.8_disable_root_login.sh 9.3.9_disable_sshd_permitemptypasswords.sh 2016-04-15 14:24:45 +02:00			`ok "$PATTERN is present in $FILE"`
			`else`
			`crit "$PATTERN is not present in $FILE"`
			`fi`
			`done`
			`fi`
			`}`

			`# This function will be called if the script status is on enabled mode`
			`apply () {`
IMP(shellcheck): quoting harmless variables (SC2086) 2020-11-27 09:29:11 +01:00			`is_pkg_installed "$PACKAGE"`
			`if [ "$FNRET" = 0 ]; then`
9.2.1_enable_cracklib.sh 9.2.2_enable_lockout_failed_password.sh 9.2.3_limit_password_reuse.sh 9.3.10_disable_sshd_setenv.sh 9.3.11_sshd_ciphers.sh 9.3.12_sshd_idle_timeout.sh 9.3.13_sshd_limit_access.sh 9.3.14_ssh_banner.sh 9.3.2_sshd_loglevel.sh 9.3.1_sshd_protocol.sh 9.3.3_sshd_conf_perm_ownership.sh 9.3.4_disable_x11_forwarding.sh 9.3.5_sshd_maxauthtries.sh 9.3.6_enable_sshd_ignorerhosts.sh 9.3.7_disable_sshd_hostbasedauthentication.sh 9.3.8_disable_root_login.sh 9.3.9_disable_sshd_permitemptypasswords.sh 2016-04-15 14:24:45 +02:00			`ok "$PACKAGE is installed"`
			`else`
			`crit "$PACKAGE is absent, installing it"`
			`apt_install $PACKAGE`
			`fi`
			`for SSH_OPTION in $OPTIONS; do`
			`SSH_PARAM=$(echo $SSH_OPTION \| cut -d= -f 1)`
			`SSH_VALUE=$(echo $SSH_OPTION \| cut -d= -f 2)`
			`PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"`
debian dependencies fix, rephrasing, revision bump 1.0-8. 2016-04-25 15:15:49 +02:00			`does_pattern_exist_in_file $FILE "$PATTERN"`
IMP(shellcheck): quoting harmless variables (SC2086) 2020-11-27 09:29:11 +01:00			`if [ "$FNRET" = 0 ]; then`
9.2.1_enable_cracklib.sh 9.2.2_enable_lockout_failed_password.sh 9.2.3_limit_password_reuse.sh 9.3.10_disable_sshd_setenv.sh 9.3.11_sshd_ciphers.sh 9.3.12_sshd_idle_timeout.sh 9.3.13_sshd_limit_access.sh 9.3.14_ssh_banner.sh 9.3.2_sshd_loglevel.sh 9.3.1_sshd_protocol.sh 9.3.3_sshd_conf_perm_ownership.sh 9.3.4_disable_x11_forwarding.sh 9.3.5_sshd_maxauthtries.sh 9.3.6_enable_sshd_ignorerhosts.sh 9.3.7_disable_sshd_hostbasedauthentication.sh 9.3.8_disable_root_login.sh 9.3.9_disable_sshd_permitemptypasswords.sh 2016-04-15 14:24:45 +02:00			`ok "$PATTERN is present in $FILE"`
			`else`
debian dependencies fix, rephrasing, revision bump 1.0-8. 2016-04-25 15:15:49 +02:00			`warn "$PATTERN is not present in $FILE, adding it"`
			`does_pattern_exist_in_file $FILE "^$SSH_PARAM"`
IMP(shellcheck): quoting harmless variables (SC2086) 2020-11-27 09:29:11 +01:00			`if [ "$FNRET" != 0 ]; then`
9.2.1_enable_cracklib.sh 9.2.2_enable_lockout_failed_password.sh 9.2.3_limit_password_reuse.sh 9.3.10_disable_sshd_setenv.sh 9.3.11_sshd_ciphers.sh 9.3.12_sshd_idle_timeout.sh 9.3.13_sshd_limit_access.sh 9.3.14_ssh_banner.sh 9.3.2_sshd_loglevel.sh 9.3.1_sshd_protocol.sh 9.3.3_sshd_conf_perm_ownership.sh 9.3.4_disable_x11_forwarding.sh 9.3.5_sshd_maxauthtries.sh 9.3.6_enable_sshd_ignorerhosts.sh 9.3.7_disable_sshd_hostbasedauthentication.sh 9.3.8_disable_root_login.sh 9.3.9_disable_sshd_permitemptypasswords.sh 2016-04-15 14:24:45 +02:00			`add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"`
			`else`
Rephrase confusing messages 2016-04-21 18:32:36 +02:00			`info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"`
9.2.1_enable_cracklib.sh 9.2.2_enable_lockout_failed_password.sh 9.2.3_limit_password_reuse.sh 9.3.10_disable_sshd_setenv.sh 9.3.11_sshd_ciphers.sh 9.3.12_sshd_idle_timeout.sh 9.3.13_sshd_limit_access.sh 9.3.14_ssh_banner.sh 9.3.2_sshd_loglevel.sh 9.3.1_sshd_protocol.sh 9.3.3_sshd_conf_perm_ownership.sh 9.3.4_disable_x11_forwarding.sh 9.3.5_sshd_maxauthtries.sh 9.3.6_enable_sshd_ignorerhosts.sh 9.3.7_disable_sshd_hostbasedauthentication.sh 9.3.8_disable_root_login.sh 9.3.9_disable_sshd_permitemptypasswords.sh 2016-04-15 14:24:45 +02:00			`replace_in_file $FILE "^$SSH_PARAM[[:space:]]." "$SSH_PARAM $SSH_VALUE"`
			`fi`
			`/etc/init.d/ssh reload`
			`fi`
			`done`
			`}`

			`# This function will check config parameters required`
			`check_config() {`
			`:`
			`}`

IMP(5.2.x): add tests and default_config I added tests from 5.2.4 to 5.2.19 and default_config files in the checks. This checks concern sshd conf (ciphers, mac, rootlogin, ...) modifié : bin/hardening/5.2.4_sshd_protocol.sh modifié : bin/hardening/5.2.6_disable_x11_forwarding.sh modifié : bin/hardening/5.2.7_sshd_maxauthtries.sh modifié : bin/hardening/5.2.8_enable_sshd_ignorerhosts.sh modifié : bin/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh modifié : bin/hardening/5.2.10_disable_root_login.sh modifié : bin/hardening/5.2.11_disable_sshd_permitemptypasswords.sh modifié : bin/hardening/5.2.12_disable_sshd_setenv.sh modifié : bin/hardening/5.2.13_sshd_ciphers.sh modifié : bin/hardening/5.2.16_sshd_idle_timeout.sh modifié : bin/hardening/5.2.17_sshd_login_grace_time.sh modifié : tests/hardening/5.2.4_sshd_protocol.sh modifié : tests/hardening/5.2.5_sshd_loglevel.sh modifié : tests/hardening/5.2.6_disable_x11_forwarding.sh modifié : tests/hardening/5.2.7_sshd_maxauthtries.sh modifié : tests/hardening/5.2.8_enable_sshd_ignorerhosts.sh modifié : tests/hardening/5.2.9_disable_sshd_hostbasedauthentication.sh modifié : tests/hardening/5.2.10_disable_root_login.sh modifié : tests/hardening/5.2.11_disable_sshd_permitemptypasswords.sh modifié : tests/hardening/5.2.12_disable_sshd_setenv.sh modifié : tests/hardening/5.2.13_sshd_ciphers.sh modifié : tests/hardening/5.2.16_sshd_idle_timeout.sh modifié : tests/hardening/5.2.17_sshd_login_grace_time.sh modifié : tests/hardening/5.2.18_sshd_limit_access.sh modifié : tests/hardening/5.2.19_ssh_banner.sh 2020-10-29 11:18:31 +01:00			`create_config() {`
			`cat << EOF`
			`# shellcheck disable=2034`
			`status=audit`
			`# Put here the rhosts boolean for ssh`
			`OPTIONS='IgnoreRhosts=yes'`
			`EOF`
			`}`
9.2.1_enable_cracklib.sh 9.2.2_enable_lockout_failed_password.sh 9.2.3_limit_password_reuse.sh 9.3.10_disable_sshd_setenv.sh 9.3.11_sshd_ciphers.sh 9.3.12_sshd_idle_timeout.sh 9.3.13_sshd_limit_access.sh 9.3.14_ssh_banner.sh 9.3.2_sshd_loglevel.sh 9.3.1_sshd_protocol.sh 9.3.3_sshd_conf_perm_ownership.sh 9.3.4_disable_x11_forwarding.sh 9.3.5_sshd_maxauthtries.sh 9.3.6_enable_sshd_ignorerhosts.sh 9.3.7_disable_sshd_hostbasedauthentication.sh 9.3.8_disable_root_login.sh 9.3.9_disable_sshd_permitemptypasswords.sh 2016-04-15 14:24:45 +02:00			`# Source Root Dir Parameter`
Applying batch edit to all hardening/*.sh scripts for new CIS_ROOT_DIR management 2017-10-25 14:50:39 +02:00			`if [ -r /etc/default/cis-hardening ]; then`
IMP(shellcheck): comply with shellcheck rules I added shellcheck prefixes to fix: * SC1091 (following sourced files) * SC2034 (unused variables) 2020-11-27 09:18:00 +01:00			`# shellcheck source=../../debian/default`
Corrected default file path 2016-04-18 17:39:14 +02:00			`. /etc/default/cis-hardening`
Applying batch edit to all hardening/*.sh scripts for new CIS_ROOT_DIR management 2017-10-25 14:50:39 +02:00			`fi`
			`if [ -z "$CIS_ROOT_DIR" ]; then`
Expand tabs to 4 spaces and trim trailing spaces 2017-11-17 15:13:27 +01:00			`echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."`
Applying batch edit to all hardening/*.sh scripts for new CIS_ROOT_DIR management 2017-10-25 14:50:39 +02:00			`echo "Cannot source CIS_ROOT_DIR variable, aborting."`
			`exit 128`
			`fi`
9.2.1_enable_cracklib.sh 9.2.2_enable_lockout_failed_password.sh 9.2.3_limit_password_reuse.sh 9.3.10_disable_sshd_setenv.sh 9.3.11_sshd_ciphers.sh 9.3.12_sshd_idle_timeout.sh 9.3.13_sshd_limit_access.sh 9.3.14_ssh_banner.sh 9.3.2_sshd_loglevel.sh 9.3.1_sshd_protocol.sh 9.3.3_sshd_conf_perm_ownership.sh 9.3.4_disable_x11_forwarding.sh 9.3.5_sshd_maxauthtries.sh 9.3.6_enable_sshd_ignorerhosts.sh 9.3.7_disable_sshd_hostbasedauthentication.sh 9.3.8_disable_root_login.sh 9.3.9_disable_sshd_permitemptypasswords.sh 2016-04-15 14:24:45 +02:00
			`# Main function, will call the proper functions given the configuration (audit, enabled, disabled)`
IMP(shellcheck): quoting harmless variables (SC2086) 2020-11-27 09:29:11 +01:00			`if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then`
IMP(shellcheck): comply with shellcheck rules I added shellcheck prefixes to fix: * SC1091 (following sourced files) * SC2034 (unused variables) 2020-11-27 09:18:00 +01:00			`# shellcheck source=../../lib/main.sh`
IMP(shellcheck): quoting harmless variables (SC2086) 2020-11-27 09:29:11 +01:00			`. "$CIS_ROOT_DIR"/lib/main.sh`
Fixed default file error handling and quickstart 2016-04-21 23:19:50 +02:00			`else`
			`echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"`
			`exit 128`
			`fi`