diff --git a/bin/hardening/2.18_disable_cramfs.sh b/bin/hardening/2.18_disable_cramfs.sh index c937dd8..2fa2d47 100755 --- a/bin/hardening/2.18_disable_cramfs.sh +++ b/bin/hardening/2.18_disable_cramfs.sh @@ -12,7 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over -# Assumption made : yu have a monolothic kernel with your config zipped in /proc/config.gz +# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz KERNEL_OPTION="cramfs" diff --git a/bin/hardening/2.19_disable_freevxfs.sh b/bin/hardening/2.19_disable_freevxfs.sh index a662581..e8e8429 100755 --- a/bin/hardening/2.19_disable_freevxfs.sh +++ b/bin/hardening/2.19_disable_freevxfs.sh @@ -12,7 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over -# Assumption made : yu have a monolothic kernel with your config zipped in /proc/config.gz +# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz KERNEL_OPTION="freevxfs" diff --git a/bin/hardening/2.20_disable_jffs2.sh b/bin/hardening/2.20_disable_jffs2.sh index 128ed16..a567953 100755 --- a/bin/hardening/2.20_disable_jffs2.sh +++ b/bin/hardening/2.20_disable_jffs2.sh @@ -12,7 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over -# Assumption made : yu have a monolothic kernel with your config zipped in /proc/config.gz +# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz KERNEL_OPTION="jffs2" diff --git a/bin/hardening/2.21_disable_hfs.sh b/bin/hardening/2.21_disable_hfs.sh index dc1c1d3..2f482e3 100755 --- a/bin/hardening/2.21_disable_hfs.sh +++ b/bin/hardening/2.21_disable_hfs.sh @@ -12,7 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over -# Assumption made : yu have a monolothic kernel with your config zipped in /proc/config.gz +# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz KERNEL_OPTION="hfs" 
diff --git a/bin/hardening/2.22_disable_hfsplus.sh b/bin/hardening/2.22_disable_hfsplus.sh index 3daea0d..98d0d6e 100755 --- a/bin/hardening/2.22_disable_hfsplus.sh +++ b/bin/hardening/2.22_disable_hfsplus.sh @@ -12,7 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over -# Assumption made : yu have a monolothic kernel with your config zipped in /proc/config.gz +# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz KERNEL_OPTION="hfsplus" diff --git a/bin/hardening/2.23_disable_squashfs.sh b/bin/hardening/2.23_disable_squashfs.sh index 5b0f089..08c7fb9 100755 --- a/bin/hardening/2.23_disable_squashfs.sh +++ b/bin/hardening/2.23_disable_squashfs.sh @@ -12,7 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over -# Assumption made : yu have a monolothic kernel with your config zipped in /proc/config.gz +# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz KERNEL_OPTION="squashfs" diff --git a/bin/hardening/2.24_disable_udf.sh b/bin/hardening/2.24_disable_udf.sh index e102bdc..e49ecb1 100755 --- a/bin/hardening/2.24_disable_udf.sh +++ b/bin/hardening/2.24_disable_udf.sh @@ -12,7 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over -# Assumption made : yu have a monolothic kernel with your config zipped in /proc/config.gz +# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz KERNEL_OPTION="udf" diff --git a/bin/hardening/8.1.18_freeze_auditd_conf.sh b/bin/hardening/8.1.18_freeze_auditd_conf.sh index f1d6a0c..0b20cbc 100755 --- a/bin/hardening/8.1.18_freeze_auditd_conf.sh +++ b/bin/hardening/8.1.18_freeze_auditd_conf.sh @@ -6,7 +6,7 @@ # # -# 8.1.17 Collect Kernel Module Loading and Unloading (Scored) +# 8.1.18 Make the Audit Configuration Immutable (Scored) # set -e # One error, it's over 
diff --git a/bin/hardening/8.3.1_install_tripwire.sh b/bin/hardening/8.3.1_install_tripwire.sh index fddce71..d3ec4d6 100755 --- a/bin/hardening/8.3.1_install_tripwire.sh +++ b/bin/hardening/8.3.1_install_tripwire.sh @@ -6,7 +6,7 @@ # # -# 8.2.1 Install the syslog-ng package (Scored) +# 8.3.1 Install tripwire package (Scored) # set -e # One error, it's over diff --git a/bin/hardening/9.1.3_cron_hourly_perm_ownership.sh b/bin/hardening/9.1.3_cron_hourly_perm_ownership.sh new file mode 100755 index 0000000..49d1c6b --- /dev/null +++ b/bin/hardening/9.1.3_cron_hourly_perm_ownership.sh 
@@ -0,0 +1,85 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 9.1.3 Set User/Group Owner and Permission on /etc/cron.hourly (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/cron.hourly'
+PERMISSIONS='700'
+USER='root'
+GROUP='root'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ crit "$FILE is not $USER:$GROUP ownership set"
+ fi
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ crit "$FILE has not $PERMISSIONS permissions set"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ info "$FILE does not exist"
+ touch $FILE
+ fi
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ warn "$FILE is not $USER:$GROUP ownership set"
+ chown $USER:$GROUP $FILE
+ fi
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ info "fixing $FILE permissions to $PERMISSIONS"
+ chmod 0$PERMISSIONS $FILE
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ does_user_exist $USER
+ if [ $FNRET != 0 ]; then
+ crit "$USER does not exist"
+ exit 128
+ fi
+ does_group_exist $GROUP
+ if [ $FNRET != 0 ]; then
+ crit "$GROUP does not exist"
+ exit 128
+ fi
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/9.1.4_cron_daily_perm_ownership.sh b/bin/hardening/9.1.4_cron_daily_perm_ownership.sh
new file mode 100755
index 0000000..75f43cf
--- /dev/null
+++ b/bin/hardening/9.1.4_cron_daily_perm_ownership.sh
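Review bot: apply() falls back to `touch $FILE` when the target is missing, but /etc/cron.hourly is a directory, so that branch leaves an empty regular file in its place; the following chown/chmod succeed and the script reports the path clean while cron's run-parts has no directory to iterate. Replace it with `mkdir -p $FILE`, and if does_file_exist is only an `-e` test (the helper is not in this diff) add a `-d` check so a stray file at that path is reported rather than "fixed". Separately, the `No CIS_ROOT_DIR variable, aborting` branch echoes but never exits, so main.sh is silently skipped and the script ends with the status of the failed `[ -r ]` test; add `exit 128` after that echo.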
@@ -0,0 +1,85 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 9.1.4 Set User/Group Owner and Permission on /etc/cron.daily (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/cron.daily'
+PERMISSIONS='700'
+USER='root'
+GROUP='root'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ crit "$FILE is not $USER:$GROUP ownership set"
+ fi
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ crit "$FILE has not $PERMISSIONS permissions set"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ info "$FILE does not exist"
+ touch $FILE
+ fi
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ warn "$FILE is not $USER:$GROUP ownership set"
+ chown $USER:$GROUP $FILE
+ fi
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ info "fixing $FILE permissions to $PERMISSIONS"
+ chmod 0$PERMISSIONS $FILE
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ does_user_exist $USER
+ if [ $FNRET != 0 ]; then
+ crit "$USER does not exist"
+ exit 128
+ fi
+ does_group_exist $GROUP
+ if [ $FNRET != 0 ]; then
+ crit "$GROUP does not exist"
+ exit 128
+ fi
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/9.1.5_cron_weekly_perm_ownership.sh b/bin/hardening/9.1.5_cron_weekly_perm_ownership.sh
new file mode 100755
index 0000000..cb03ec0
--- /dev/null
+++ b/bin/hardening/9.1.5_cron_weekly_perm_ownership.sh
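Review bot: The missing-path fallback in apply() is `touch $FILE`, which would create /etc/cron.daily as an empty regular file rather than the directory cron's run-parts expects, and the subsequent chown/chmod then mask the mistake with a clean result. Use `mkdir -p $FILE` there. Since the audit/apply/check_config bodies are duplicated verbatim across 9.1.3 through 9.1.7 with only FILE differing, consider moving them into a lib/ helper so this fix and any later one lands once instead of five times.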
@@ -0,0 +1,85 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 9.1.5 Set User/Group Owner and Permission on /etc/cron.weekly (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/cron.weekly'
+PERMISSIONS='700'
+USER='root'
+GROUP='root'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ crit "$FILE is not $USER:$GROUP ownership set"
+ fi
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ crit "$FILE has not $PERMISSIONS permissions set"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ info "$FILE does not exist"
+ touch $FILE
+ fi
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ warn "$FILE is not $USER:$GROUP ownership set"
+ chown $USER:$GROUP $FILE
+ fi
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ info "fixing $FILE permissions to $PERMISSIONS"
+ chmod 0$PERMISSIONS $FILE
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ does_user_exist $USER
+ if [ $FNRET != 0 ]; then
+ crit "$USER does not exist"
+ exit 128
+ fi
+ does_group_exist $GROUP
+ if [ $FNRET != 0 ]; then
+ crit "$GROUP does not exist"
+ exit 128
+ fi
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/9.1.6_cron_monthly_perm_ownership.sh b/bin/hardening/9.1.6_cron_monthly_perm_ownership.sh
new file mode 100755
index 0000000..9b531fd
--- /dev/null
+++ b/bin/hardening/9.1.6_cron_monthly_perm_ownership.sh
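Review bot: `if [ -z $CIS_ROOT_DIR ]; then` is unquoted and its body only echoes "aborting" without exiting; with `set -u` an unset variable already aborts earlier with bash's own message, and an empty one degrades the test to `[ -z ]`, which happens to be true, after which execution continues to `[ -r /lib/main.sh ]` and the script silently does nothing. Write it as `if [ -z "$CIS_ROOT_DIR" ]; then` and add `exit 128` after the echo so the message is accurate. The same `touch $FILE` fallback as in the sibling scripts applies here: /etc/cron.weekly is a directory, so the missing-path branch needs `mkdir -p $FILE`.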
@@ -0,0 +1,85 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 9.1.6 Set User/Group Owner and Permission on /etc/cron.monthly (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/cron.monthly'
+PERMISSIONS='700'
+USER='root'
+GROUP='root'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ crit "$FILE is not $USER:$GROUP ownership set"
+ fi
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ crit "$FILE has not $PERMISSIONS permissions set"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ info "$FILE does not exist"
+ touch $FILE
+ fi
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ warn "$FILE is not $USER:$GROUP ownership set"
+ chown $USER:$GROUP $FILE
+ fi
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ info "fixing $FILE permissions to $PERMISSIONS"
+ chmod 0$PERMISSIONS $FILE
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ does_user_exist $USER
+ if [ $FNRET != 0 ]; then
+ crit "$USER does not exist"
+ exit 128
+ fi
+ does_group_exist $GROUP
+ if [ $FNRET != 0 ]; then
+ crit "$GROUP does not exist"
+ exit 128
+ fi
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/9.1.7_cron_d_perm_ownership.sh b/bin/hardening/9.1.7_cron_d_perm_ownership.sh
new file mode 100755
index 0000000..4ce1da7
--- /dev/null
+++ b/bin/hardening/9.1.7_cron_d_perm_ownership.sh
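Review bot: apply() recreates a missing /etc/cron.monthly with `touch $FILE`, producing a regular file where a directory belongs, and nothing afterwards notices because chown/chmod work on either. Change it to `mkdir -p $FILE`. The audit side has the mirror-image gap: it checks owner and mode but never that the path is a directory, so a file planted at /etc/cron.monthly with 700 root:root audits as ok; a `[ -d $FILE ]` test reported with `crit` would close that, assuming does_file_exist (not in this diff) does not already do so.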
@@ -0,0 +1,85 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 9.1.2 Set User/Group Owner and Permission on /etc/crontab (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/cron.d'
+PERMISSIONS='700'
+USER='root'
+GROUP='root'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ crit "$FILE is not $USER:$GROUP ownership set"
+ fi
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ crit "$FILE has not $PERMISSIONS permissions set"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ info "$FILE does not exist"
+ touch $FILE
+ fi
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ warn "$FILE is not $USER:$GROUP ownership set"
+ chown $USER:$GROUP $FILE
+ fi
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ info "fixing $FILE permissions to $PERMISSIONS"
+ chmod 0$PERMISSIONS $FILE
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ does_user_exist $USER
+ if [ $FNRET != 0 ]; then
+ crit "$USER does not exist"
+ exit 128
+ fi
+ does_group_exist $GROUP
+ if [ $FNRET != 0 ]; then
+ crit "$GROUP does not exist"
+ exit 128
+ fi
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/9.1.8_cron_users.sh b/bin/hardening/9.1.8_cron_users.sh
new file mode 100755
index 0000000..ed15ed0
--- /dev/null
+++ b/bin/hardening/9.1.8_cron_users.sh
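Review bot: The header comment in this new file is a copy-paste leftover, `# 9.1.2 Set User/Group Owner and Permission on /etc/crontab (Scored)`, while the script name and FILE='/etc/cron.d' implement a different control; it should read `# 9.1.7 Set User/Group Owner and Permission on /etc/cron.d (Scored)` (this commit fixes exactly this kind of mismatch in 8.1.18 and 8.3.1, so it is worth catching here). As in the other directory scripts, apply()'s `touch $FILE` would create /etc/cron.d as an empty file when missing and should be `mkdir -p $FILE`. A wrong header is not cosmetic in this tree: these comments are what an auditor reads to map a script to the benchmark item it claims to enforce.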
@@ -0,0 +1,112 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 9.1.8 Restrict at/cron to Authorized Users (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILES_ABSENT='/etc/cron.deny /etc/at.deny'
+FILES_PRESENT='/etc/cron.allow /etc/at.allow'
+PERMISSIONS='600'
+USER='root'
+GROUP='root'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for FILE in $FILES_ABSENT; do
+ does_file_exist $FILE
+ if [ $FNRET = 0 ]; then
+ crit "$FILE exists"
+ else
+ ok "$FILE is absent"
+ fi
+ done
+ for FILE in $FILES_PRESENT; do
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ crit "$FILE is absent"
+ else
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ crit "$FILE is not $USER:$GROUP ownership set"
+ fi
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ crit "$FILE has not $PERMISSIONS permissions set"
+ fi
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ for FILE in $FILES_ABSENT; do
+ does_file_exist $FILE
+ if [ $FNRET = 0 ]; then
+ warn "$FILE exists"
+ rm $FILE
+ else
+ ok "$FILE is absent"
+ fi
+ done
+ for FILE in $FILES_PRESENT; do
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ warn "$FILE is absent"
+ touch $FILE
+ fi
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ warn "$FILE is not $USER:$GROUP ownership set"
+ chown $USER:$GROUP $FILE
+ fi
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ warn "$FILE has not $PERMISSIONS permissions set"
+ chmod 0$PERMISSIONS $FILE
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ does_user_exist $USER
+ if [ $FNRET != 0 ]; then
+ crit "$USER does not exist"
+ exit 128
+ fi
+ does_group_exist $GROUP
+ if [ $FNRET != 0 ]; then
+ crit "$GROUP does not exist"
+ exit 128
+ fi
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/etc/conf.d/9.1.3_cron_hourly_perm_ownership.cfg b/etc/conf.d/9.1.3_cron_hourly_perm_ownership.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/9.1.3_cron_hourly_perm_ownership.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/9.1.4_cron_daily_perm_ownership.cfg b/etc/conf.d/9.1.4_cron_daily_perm_ownership.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/9.1.4_cron_daily_perm_ownership.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/9.1.5_cron_weekly_perm_ownership.cfg b/etc/conf.d/9.1.5_cron_weekly_perm_ownership.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/9.1.5_cron_weekly_perm_ownership.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/9.1.6_cron_monthly_perm_ownership.cfg b/etc/conf.d/9.1.6_cron_monthly_perm_ownership.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/9.1.6_cron_monthly_perm_ownership.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/9.1.7_cron_d_perm_ownership.cfg b/etc/conf.d/9.1.7_cron_d_perm_ownership.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
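Review bot: apply() creates /etc/cron.allow and /etc/at.allow empty with `touch $FILE` after removing the deny files, and an empty allow list means no unprivileged account can use crontab or at from that moment on (root is normally exempt, but confirm against the installed cron and at); with the matching cfg shipping `status=enabled`, any service account that relies on a per-user crontab is locked out silently. The header should say so, e.g. `# NOTE: an empty allow file restricts crontab/at to root; add required users to it before running in apply mode`. Minor: touch creates the file under the current umask and the 600 is only applied a few lines later; `install -m $PERMISSIONS -o $USER -g $GROUP /dev/null $FILE` does create, own and mode in one step. The `No CIS_ROOT_DIR variable, aborting` branch echoes without exiting here too.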
+++ b/etc/conf.d/9.1.7_cron_d_perm_ownership.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/9.1.8_cron_users.cfg b/etc/conf.d/9.1.8_cron_users.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/9.1.8_cron_users.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled