9.1.3_cron_hourly_perm_ownership.sh 9.1.4_cron_daily_perm_ownership.sh 9.1.5_cron_weekly_perm_ownership.sh 9.1.6_cron_monthly_perm_ownership.sh 9.1.7_cron_d_perm_ownership.sh 9.1.8_cron_users.sh

2024-11-21 21:17:00 +01:00 · 2016-04-15 10:18:23 +02:00 · 2016-04-15 10:18:23 +02:00 · 0407ebe362
commit 0407ebe362
parent 95d4936fbc
21 changed files with 558 additions and 9 deletions
--- a/bin/hardening/2.18_disable_cramfs.sh
+++ b/bin/hardening/2.18_disable_cramfs.sh
@ -12,7 +12,7 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

-# Assumption made : yu have a monolothic kernel with your config zipped in /proc/config.gz
+# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
 KERNEL_OPTION="cramfs"


--- a/bin/hardening/2.19_disable_freevxfs.sh
+++ b/bin/hardening/2.19_disable_freevxfs.sh
@ -12,7 +12,7 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

-# Assumption made : yu have a monolothic kernel with your config zipped in /proc/config.gz
+# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
 KERNEL_OPTION="freevxfs"


--- a/bin/hardening/2.20_disable_jffs2.sh
+++ b/bin/hardening/2.20_disable_jffs2.sh
@ -12,7 +12,7 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

-# Assumption made : yu have a monolothic kernel with your config zipped in /proc/config.gz
+# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
 KERNEL_OPTION="jffs2"


--- a/bin/hardening/2.21_disable_hfs.sh
+++ b/bin/hardening/2.21_disable_hfs.sh
@ -12,7 +12,7 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

-# Assumption made : yu have a monolothic kernel with your config zipped in /proc/config.gz
+# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
 KERNEL_OPTION="hfs"


--- a/bin/hardening/2.22_disable_hfsplus.sh
+++ b/bin/hardening/2.22_disable_hfsplus.sh
@ -12,7 +12,7 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

-# Assumption made : yu have a monolothic kernel with your config zipped in /proc/config.gz
+# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
 KERNEL_OPTION="hfsplus"


--- a/bin/hardening/2.23_disable_squashfs.sh
+++ b/bin/hardening/2.23_disable_squashfs.sh
@ -12,7 +12,7 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

-# Assumption made : yu have a monolothic kernel with your config zipped in /proc/config.gz
+# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
 KERNEL_OPTION="squashfs"


--- a/bin/hardening/2.24_disable_udf.sh
+++ b/bin/hardening/2.24_disable_udf.sh
@ -12,7 +12,7 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

-# Assumption made : yu have a monolothic kernel with your config zipped in /proc/config.gz
+# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
 KERNEL_OPTION="udf"


--- a/bin/hardening/8.1.18_freeze_auditd_conf.sh
+++ b/bin/hardening/8.1.18_freeze_auditd_conf.sh
@ -6,7 +6,7 @@
 #

 #
-# 8.1.17 Collect Kernel Module Loading and Unloading (Scored)
+# 8.1.18 Make the Audit Configuration Immutable (Scored)
 #

 set -e # One error, it's over
--- a/bin/hardening/8.3.1_install_tripwire.sh
+++ b/bin/hardening/8.3.1_install_tripwire.sh
@ -6,7 +6,7 @@
 #

 #
-# 8.2.1 Install the syslog-ng package (Scored)
+# 8.3.1 Install tripwire package (Scored)
 #

 set -e # One error, it's over
--- a/bin/hardening/9.1.3_cron_hourly_perm_ownership.sh
+++ b/bin/hardening/9.1.3_cron_hourly_perm_ownership.sh
@ -0,0 +1,85 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
+#
+
+#
+# 9.1.3 Set User/Group Owner and Permission on /etc/cron.hourly (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/cron.hourly'
+PERMISSIONS='700'
+USER='root'
+GROUP='root'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    has_file_correct_ownership $FILE $USER $GROUP
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct ownership"
+    else
+        crit "$FILE is not $USER:$GROUP ownership set"
+    fi
+    has_file_correct_permissions $FILE $PERMISSIONS
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct permissions"
+    else
+        crit "$FILE has not $PERMISSIONS permissions set"
+    fi 
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    does_file_exist $FILE
+    if [ $FNRET != 0 ]; then
+        info "$FILE does not exist"
+        touch $FILE
+    fi
+    has_file_correct_ownership $FILE $USER $GROUP
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct ownership"
+    else
+        warn "$FILE is not $USER:$GROUP ownership set"
+        chown $USER:$GROUP $FILE
+    fi
+    has_file_correct_permissions $FILE $PERMISSIONS
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct permissions"
+    else
+        info "fixing $FILE permissions to $PERMISSIONS"
+        chmod 0$PERMISSIONS $FILE
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    does_user_exist $USER
+    if [ $FNRET != 0 ]; then
+        crit "$USER does not exist"
+        exit 128
+    fi
+    does_group_exist $GROUP
+    if [ $FNRET != 0 ]; then
+        crit "$GROUP does not exist"
+        exit 128
+    fi
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+    echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+    exit 128
+else
+    . /etc/default/cis-hardenning
+    if [ -z $CIS_ROOT_DIR ]; then
+        echo "No CIS_ROOT_DIR variable, aborting"
+    fi
+fi 
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
--- a/bin/hardening/9.1.4_cron_daily_perm_ownership.sh
+++ b/bin/hardening/9.1.4_cron_daily_perm_ownership.sh
@ -0,0 +1,85 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
+#
+
+#
+# 9.1.4 Set User/Group Owner and Permission on /etc/cron.daily (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/cron.daily'
+PERMISSIONS='700'
+USER='root'
+GROUP='root'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    has_file_correct_ownership $FILE $USER $GROUP
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct ownership"
+    else
+        crit "$FILE is not $USER:$GROUP ownership set"
+    fi
+    has_file_correct_permissions $FILE $PERMISSIONS
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct permissions"
+    else
+        crit "$FILE has not $PERMISSIONS permissions set"
+    fi 
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    does_file_exist $FILE
+    if [ $FNRET != 0 ]; then
+        info "$FILE does not exist"
+        touch $FILE
+    fi
+    has_file_correct_ownership $FILE $USER $GROUP
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct ownership"
+    else
+        warn "$FILE is not $USER:$GROUP ownership set"
+        chown $USER:$GROUP $FILE
+    fi
+    has_file_correct_permissions $FILE $PERMISSIONS
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct permissions"
+    else
+        info "fixing $FILE permissions to $PERMISSIONS"
+        chmod 0$PERMISSIONS $FILE
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    does_user_exist $USER
+    if [ $FNRET != 0 ]; then
+        crit "$USER does not exist"
+        exit 128
+    fi
+    does_group_exist $GROUP
+    if [ $FNRET != 0 ]; then
+        crit "$GROUP does not exist"
+        exit 128
+    fi
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+    echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+    exit 128
+else
+    . /etc/default/cis-hardenning
+    if [ -z $CIS_ROOT_DIR ]; then
+        echo "No CIS_ROOT_DIR variable, aborting"
+    fi
+fi 
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
--- a/bin/hardening/9.1.5_cron_weekly_perm_ownership.sh
+++ b/bin/hardening/9.1.5_cron_weekly_perm_ownership.sh
@ -0,0 +1,85 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
+#
+
+#
+# 9.1.5 Set User/Group Owner and Permission on /etc/cron.weekly (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/cron.weekly'
+PERMISSIONS='700'
+USER='root'
+GROUP='root'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    has_file_correct_ownership $FILE $USER $GROUP
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct ownership"
+    else
+        crit "$FILE is not $USER:$GROUP ownership set"
+    fi
+    has_file_correct_permissions $FILE $PERMISSIONS
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct permissions"
+    else
+        crit "$FILE has not $PERMISSIONS permissions set"
+    fi 
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    does_file_exist $FILE
+    if [ $FNRET != 0 ]; then
+        info "$FILE does not exist"
+        touch $FILE
+    fi
+    has_file_correct_ownership $FILE $USER $GROUP
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct ownership"
+    else
+        warn "$FILE is not $USER:$GROUP ownership set"
+        chown $USER:$GROUP $FILE
+    fi
+    has_file_correct_permissions $FILE $PERMISSIONS
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct permissions"
+    else
+        info "fixing $FILE permissions to $PERMISSIONS"
+        chmod 0$PERMISSIONS $FILE
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    does_user_exist $USER
+    if [ $FNRET != 0 ]; then
+        crit "$USER does not exist"
+        exit 128
+    fi
+    does_group_exist $GROUP
+    if [ $FNRET != 0 ]; then
+        crit "$GROUP does not exist"
+        exit 128
+    fi
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+    echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+    exit 128
+else
+    . /etc/default/cis-hardenning
+    if [ -z $CIS_ROOT_DIR ]; then
+        echo "No CIS_ROOT_DIR variable, aborting"
+    fi
+fi 
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
--- a/bin/hardening/9.1.6_cron_monthly_perm_ownership.sh
+++ b/bin/hardening/9.1.6_cron_monthly_perm_ownership.sh
@ -0,0 +1,85 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
+#
+
+#
+# 9.1.6 Set User/Group Owner and Permission on /etc/cron.monthly (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/cron.monthly'
+PERMISSIONS='700'
+USER='root'
+GROUP='root'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    has_file_correct_ownership $FILE $USER $GROUP
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct ownership"
+    else
+        crit "$FILE is not $USER:$GROUP ownership set"
+    fi
+    has_file_correct_permissions $FILE $PERMISSIONS
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct permissions"
+    else
+        crit "$FILE has not $PERMISSIONS permissions set"
+    fi 
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    does_file_exist $FILE
+    if [ $FNRET != 0 ]; then
+        info "$FILE does not exist"
+        touch $FILE
+    fi
+    has_file_correct_ownership $FILE $USER $GROUP
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct ownership"
+    else
+        warn "$FILE is not $USER:$GROUP ownership set"
+        chown $USER:$GROUP $FILE
+    fi
+    has_file_correct_permissions $FILE $PERMISSIONS
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct permissions"
+    else
+        info "fixing $FILE permissions to $PERMISSIONS"
+        chmod 0$PERMISSIONS $FILE
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    does_user_exist $USER
+    if [ $FNRET != 0 ]; then
+        crit "$USER does not exist"
+        exit 128
+    fi
+    does_group_exist $GROUP
+    if [ $FNRET != 0 ]; then
+        crit "$GROUP does not exist"
+        exit 128
+    fi
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+    echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+    exit 128
+else
+    . /etc/default/cis-hardenning
+    if [ -z $CIS_ROOT_DIR ]; then
+        echo "No CIS_ROOT_DIR variable, aborting"
+    fi
+fi 
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
--- a/bin/hardening/9.1.7_cron_d_perm_ownership.sh
+++ b/bin/hardening/9.1.7_cron_d_perm_ownership.sh
@ -0,0 +1,85 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
+#
+
+#
+# 9.1.2 Set User/Group Owner and Permission on /etc/crontab (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/cron.d'
+PERMISSIONS='700'
+USER='root'
+GROUP='root'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    has_file_correct_ownership $FILE $USER $GROUP
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct ownership"
+    else
+        crit "$FILE is not $USER:$GROUP ownership set"
+    fi
+    has_file_correct_permissions $FILE $PERMISSIONS
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct permissions"
+    else
+        crit "$FILE has not $PERMISSIONS permissions set"
+    fi 
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    does_file_exist $FILE
+    if [ $FNRET != 0 ]; then
+        info "$FILE does not exist"
+        touch $FILE
+    fi
+    has_file_correct_ownership $FILE $USER $GROUP
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct ownership"
+    else
+        warn "$FILE is not $USER:$GROUP ownership set"
+        chown $USER:$GROUP $FILE
+    fi
+    has_file_correct_permissions $FILE $PERMISSIONS
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct permissions"
+    else
+        info "fixing $FILE permissions to $PERMISSIONS"
+        chmod 0$PERMISSIONS $FILE
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    does_user_exist $USER
+    if [ $FNRET != 0 ]; then
+        crit "$USER does not exist"
+        exit 128
+    fi
+    does_group_exist $GROUP
+    if [ $FNRET != 0 ]; then
+        crit "$GROUP does not exist"
+        exit 128
+    fi
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+    echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+    exit 128
+else
+    . /etc/default/cis-hardenning
+    if [ -z $CIS_ROOT_DIR ]; then
+        echo "No CIS_ROOT_DIR variable, aborting"
+    fi
+fi 
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
--- a/bin/hardening/9.1.8_cron_users.sh
+++ b/bin/hardening/9.1.8_cron_users.sh
@ -0,0 +1,112 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
+#
+
+#
+# 9.1.8 Restrict at/cron to Authorized Users (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILES_ABSENT='/etc/cron.deny /etc/at.deny'
+FILES_PRESENT='/etc/cron.allow /etc/at.allow'
+PERMISSIONS='600'
+USER='root'
+GROUP='root'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    for FILE in $FILES_ABSENT; do
+        does_file_exist $FILE
+        if [ $FNRET = 0 ]; then
+            crit "$FILE exists"
+        else
+            ok "$FILE is absent"
+        fi
+    done
+    for FILE in $FILES_PRESENT; do
+        does_file_exist $FILE
+        if [ $FNRET != 0 ]; then
+            crit "$FILE is absent"
+        else
+            has_file_correct_ownership $FILE $USER $GROUP
+            if [ $FNRET = 0 ]; then
+                ok "$FILE has correct ownership"
+            else
+                crit "$FILE is not $USER:$GROUP ownership set"
+            fi
+            has_file_correct_permissions $FILE $PERMISSIONS
+            if [ $FNRET = 0 ]; then
+                ok "$FILE has correct permissions"
+            else
+                crit "$FILE has not $PERMISSIONS permissions set"
+            fi 
+        fi
+    done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    for FILE in $FILES_ABSENT; do
+        does_file_exist $FILE
+        if [ $FNRET = 0 ]; then
+            warn "$FILE exists"
+            rm $FILE
+        else
+            ok "$FILE is absent"
+        fi
+    done
+    for FILE in $FILES_PRESENT; do
+        does_file_exist $FILE
+        if [ $FNRET != 0 ]; then
+            warn "$FILE is absent"
+            touch $FILE
+        fi
+        has_file_correct_ownership $FILE $USER $GROUP
+        if [ $FNRET = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            warn "$FILE is not $USER:$GROUP ownership set"
+            chown $USER:$GROUP $FILE
+        fi
+        has_file_correct_permissions $FILE $PERMISSIONS
+        if [ $FNRET = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            warn "$FILE has not $PERMISSIONS permissions set"
+            chmod 0$PERMISSIONS $FILE
+        fi
+    done
+}
+
+# This function will check config parameters required
+check_config() {
+    does_user_exist $USER
+    if [ $FNRET != 0 ]; then
+        crit "$USER does not exist"
+        exit 128
+    fi
+    does_group_exist $GROUP
+    if [ $FNRET != 0 ]; then
+        crit "$GROUP does not exist"
+        exit 128
+    fi
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+    echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+    exit 128
+else
+    . /etc/default/cis-hardenning
+    if [ -z $CIS_ROOT_DIR ]; then
+        echo "No CIS_ROOT_DIR variable, aborting"
+    fi
+fi 
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
--- a/etc/conf.d/9.1.3_cron_hourly_perm_ownership.cfg
+++ b/etc/conf.d/9.1.3_cron_hourly_perm_ownership.cfg
@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
--- a/etc/conf.d/9.1.4_cron_daily_perm_ownership.cfg
+++ b/etc/conf.d/9.1.4_cron_daily_perm_ownership.cfg
@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
--- a/etc/conf.d/9.1.5_cron_weekly_perm_ownership.cfg
+++ b/etc/conf.d/9.1.5_cron_weekly_perm_ownership.cfg
@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
--- a/etc/conf.d/9.1.6_cron_monthly_perm_ownership.cfg
+++ b/etc/conf.d/9.1.6_cron_monthly_perm_ownership.cfg
@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
--- a/etc/conf.d/9.1.7_cron_d_perm_ownership.cfg
+++ b/etc/conf.d/9.1.7_cron_d_perm_ownership.cfg
@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
--- a/etc/conf.d/9.1.8_cron_users.cfg
+++ b/etc/conf.d/9.1.8_cron_users.cfg
@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled