mirror of
https://github.com/ovh/debian-cis.git
synced 2024-11-24 22:41:24 +01:00
feat: official Debian 11 compatibility (#176)
Introduce Debian 11 compatibility Based on CIS_Debian_Linux_11_Benchmark_v1.0.0 After review, here are the notable changes : - Harden /var/log more (noexec,nodev,nosuid) - Harden /var/log/audit more (noexec,nodev,nosuid) - Harden /home more (nosuid) - Disable cramfs - Fix 5.3.4_acc_pam_sha512.sh - Deprecate Debian 9 and remove useless docker images NB : more audit log rules have been introduced and will be inserted in the checks later Fix #158
This commit is contained in:
parent
05521d5961
commit
04457e7df2
7
.github/workflows/functionnal-tests.yml
vendored
7
.github/workflows/functionnal-tests.yml
vendored
@ -4,13 +4,6 @@ on:
|
|||||||
- pull_request
|
- pull_request
|
||||||
- push
|
- push
|
||||||
jobs:
|
jobs:
|
||||||
functionnal-tests-docker-debian9:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
steps:
|
|
||||||
- name: Checkout repo
|
|
||||||
uses: actions/checkout@v3
|
|
||||||
- name: Run the tests debian9
|
|
||||||
run: ./tests/docker_build_and_run_tests.sh debian9
|
|
||||||
functionnal-tests-docker-debian10:
|
functionnal-tests-docker-debian10:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
|
@ -1,7 +1,4 @@
|
|||||||
# :lock: CIS Debian 9/10 Hardening
|
# :lock: CIS Debian 10/11 Hardening
|
||||||
|
|
||||||
:tada: **News**: this project is back in the game and is from now on maintained. Be free to use and to
|
|
||||||
report issues if you find any!
|
|
||||||
|
|
||||||
|
|
||||||
<p align="center">
|
<p align="center">
|
||||||
@ -16,7 +13,7 @@ report issues if you find any!
|
|||||||
![License](https://img.shields.io/github/license/ovh/debian-cis)
|
![License](https://img.shields.io/github/license/ovh/debian-cis)
|
||||||
---
|
---
|
||||||
|
|
||||||
Modular Debian 9/10 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
|
Modular Debian 10/11 security hardening scripts based on [cisecurity.org](https://www.cisecurity.org)
|
||||||
recommendations. We use it at [OVHcloud](https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.
|
recommendations. We use it at [OVHcloud](https://www.ovhcloud.com) to harden our PCI-DSS infrastructure.
|
||||||
|
|
||||||
```console
|
```console
|
||||||
@ -172,7 +169,7 @@ Functional tests are available. They are to be run in a Docker environment.
|
|||||||
$ ./tests/docker_build_and_run_tests.sh <target> [name of test script...]
|
$ ./tests/docker_build_and_run_tests.sh <target> [name of test script...]
|
||||||
```
|
```
|
||||||
|
|
||||||
With `target` being like `debian9` or `debian10`.
|
With `target` being like `debian10` or `debian11`.
|
||||||
|
|
||||||
Running without script arguments will run all tests in `./tests/hardening/` directory.
|
Running without script arguments will run all tests in `./tests/hardening/` directory.
|
||||||
Or you can specify one or several test script to be run.
|
Or you can specify one or several test script to be run.
|
||||||
|
76
bin/hardening/1.1.1.8_disable_cramfs.sh
Executable file
76
bin/hardening/1.1.1.8_disable_cramfs.sh
Executable file
@ -0,0 +1,76 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# run-shellcheck
|
||||||
|
#
|
||||||
|
# CIS Debian Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 1.1.1.1 Ensure Mounting of cramfs filesystems is disabled (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
# shellcheck disable=2034
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
# shellcheck disable=2034
|
||||||
|
DESCRIPTION="Disable mounting of cramfs filesystems."
|
||||||
|
|
||||||
|
KERNEL_OPTION="CONFIG_CRAMFS"
|
||||||
|
MODULE_NAME="cramfs"
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit() {
|
||||||
|
if [ "$IS_CONTAINER" -eq 1 ]; then
|
||||||
|
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||||
|
ok "Container detected, consider host enforcing or disable this check!"
|
||||||
|
else
|
||||||
|
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
||||||
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
|
crit "$MODULE_NAME is enabled!"
|
||||||
|
else
|
||||||
|
ok "$MODULE_NAME is disabled"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply() {
|
||||||
|
if [ "$IS_CONTAINER" -eq 1 ]; then
|
||||||
|
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||||
|
ok "Container detected, consider host enforcing!"
|
||||||
|
else
|
||||||
|
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
||||||
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
|
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
|
||||||
|
else
|
||||||
|
ok "$MODULE_NAME is disabled"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
# shellcheck source=../../debian/default
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
|
# shellcheck source=../../lib/main.sh
|
||||||
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
92
bin/hardening/1.1.11.1_var_log_noexec.sh
Executable file
92
bin/hardening/1.1.11.1_var_log_noexec.sh
Executable file
@ -0,0 +1,92 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# run-shellcheck
|
||||||
|
#
|
||||||
|
# CIS Debian Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 1.1.11.1 Ensure noexec option set on /var/log partition (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
# shellcheck disable=2034
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
# shellcheck disable=2034
|
||||||
|
DESCRIPTION="/var/log partition with noexec option."
|
||||||
|
|
||||||
|
# Quick factoring as many script use the same logic
|
||||||
|
PARTITION="/var/log"
|
||||||
|
OPTION="noexec"
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit() {
|
||||||
|
info "Verifying that $PARTITION is a partition"
|
||||||
|
FNRET=0
|
||||||
|
is_a_partition "$PARTITION"
|
||||||
|
if [ "$FNRET" -gt 0 ]; then
|
||||||
|
crit "$PARTITION is not a partition"
|
||||||
|
FNRET=2
|
||||||
|
else
|
||||||
|
ok "$PARTITION is a partition"
|
||||||
|
has_mount_option "$PARTITION" "$OPTION"
|
||||||
|
if [ "$FNRET" -gt 0 ]; then
|
||||||
|
crit "$PARTITION has no option $OPTION in fstab!"
|
||||||
|
FNRET=1
|
||||||
|
else
|
||||||
|
ok "$PARTITION has $OPTION in fstab"
|
||||||
|
has_mounted_option "$PARTITION" "$OPTION"
|
||||||
|
if [ "$FNRET" -gt 0 ]; then
|
||||||
|
warn "$PARTITION is not mounted with $OPTION at runtime"
|
||||||
|
FNRET=3
|
||||||
|
else
|
||||||
|
ok "$PARTITION mounted with $OPTION"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply() {
|
||||||
|
if [ "$FNRET" = 0 ]; then
|
||||||
|
ok "$PARTITION is correctly set"
|
||||||
|
elif [ "$FNRET" = 2 ]; then
|
||||||
|
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||||
|
elif [ "$FNRET" = 1 ]; then
|
||||||
|
info "Adding $OPTION to fstab"
|
||||||
|
add_option_to_fstab "$PARTITION" "$OPTION"
|
||||||
|
info "Remounting $PARTITION from fstab"
|
||||||
|
remount_partition "$PARTITION"
|
||||||
|
elif [ "$FNRET" = 3 ]; then
|
||||||
|
info "Remounting $PARTITION from fstab"
|
||||||
|
remount_partition "$PARTITION"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
# No param for this script
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
# shellcheck source=../../debian/default
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
|
# shellcheck source=../../lib/main.sh
|
||||||
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
92
bin/hardening/1.1.11.2_var_log_nosuid.sh
Executable file
92
bin/hardening/1.1.11.2_var_log_nosuid.sh
Executable file
@ -0,0 +1,92 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# run-shellcheck
|
||||||
|
#
|
||||||
|
# CIS Debian Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 1.1.11.2 Ensure nosuid option set on /var/log partition (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
# shellcheck disable=2034
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
# shellcheck disable=2034
|
||||||
|
DESCRIPTION="/var/log partition with nosuid option."
|
||||||
|
|
||||||
|
# Quick factoring as many script use the same logic
|
||||||
|
PARTITION="/var/log"
|
||||||
|
OPTION="nosuid"
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit() {
|
||||||
|
info "Verifying that $PARTITION is a partition"
|
||||||
|
FNRET=0
|
||||||
|
is_a_partition "$PARTITION"
|
||||||
|
if [ "$FNRET" -gt 0 ]; then
|
||||||
|
crit "$PARTITION is not a partition"
|
||||||
|
FNRET=2
|
||||||
|
else
|
||||||
|
ok "$PARTITION is a partition"
|
||||||
|
has_mount_option "$PARTITION" "$OPTION"
|
||||||
|
if [ "$FNRET" -gt 0 ]; then
|
||||||
|
crit "$PARTITION has no option $OPTION in fstab!"
|
||||||
|
FNRET=1
|
||||||
|
else
|
||||||
|
ok "$PARTITION has $OPTION in fstab"
|
||||||
|
has_mounted_option "$PARTITION" "$OPTION"
|
||||||
|
if [ "$FNRET" -gt 0 ]; then
|
||||||
|
warn "$PARTITION is not mounted with $OPTION at runtime"
|
||||||
|
FNRET=3
|
||||||
|
else
|
||||||
|
ok "$PARTITION mounted with $OPTION"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply() {
|
||||||
|
if [ "$FNRET" = 0 ]; then
|
||||||
|
ok "$PARTITION is correctly set"
|
||||||
|
elif [ "$FNRET" = 2 ]; then
|
||||||
|
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||||
|
elif [ "$FNRET" = 1 ]; then
|
||||||
|
info "Adding $OPTION to fstab"
|
||||||
|
add_option_to_fstab "$PARTITION" "$OPTION"
|
||||||
|
info "Remounting $PARTITION from fstab"
|
||||||
|
remount_partition "$PARTITION"
|
||||||
|
elif [ "$FNRET" = 3 ]; then
|
||||||
|
info "Remounting $PARTITION from fstab"
|
||||||
|
remount_partition "$PARTITION"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
# No param for this script
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
# shellcheck source=../../debian/default
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
|
# shellcheck source=../../lib/main.sh
|
||||||
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
92
bin/hardening/1.1.11.3_var_log_nodev.sh
Executable file
92
bin/hardening/1.1.11.3_var_log_nodev.sh
Executable file
@ -0,0 +1,92 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# run-shellcheck
|
||||||
|
#
|
||||||
|
# CIS Debian Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 1.1.11.3 ensure nodev option set on /var/log partition (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
# shellcheck disable=2034
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
# shellcheck disable=2034
|
||||||
|
DESCRIPTION="/var/log partition with nodev option."
|
||||||
|
|
||||||
|
# Quick factoring as many script use the same logic
|
||||||
|
PARTITION="/var/log"
|
||||||
|
OPTION="nodev"
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit() {
|
||||||
|
info "Verifying that $PARTITION is a partition"
|
||||||
|
FNRET=0
|
||||||
|
is_a_partition "$PARTITION"
|
||||||
|
if [ "$FNRET" -gt 0 ]; then
|
||||||
|
crit "$PARTITION is not a partition"
|
||||||
|
FNRET=2
|
||||||
|
else
|
||||||
|
ok "$PARTITION is a partition"
|
||||||
|
has_mount_option "$PARTITION" "$OPTION"
|
||||||
|
if [ "$FNRET" -gt 0 ]; then
|
||||||
|
crit "$PARTITION has no option $OPTION in fstab!"
|
||||||
|
FNRET=1
|
||||||
|
else
|
||||||
|
ok "$PARTITION has $OPTION in fstab"
|
||||||
|
has_mounted_option "$PARTITION" "$OPTION"
|
||||||
|
if [ "$FNRET" -gt 0 ]; then
|
||||||
|
warn "$PARTITION is not mounted with $OPTION at runtime"
|
||||||
|
FNRET=3
|
||||||
|
else
|
||||||
|
ok "$PARTITION mounted with $OPTION"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply() {
|
||||||
|
if [ "$FNRET" = 0 ]; then
|
||||||
|
ok "$PARTITION is correctly set"
|
||||||
|
elif [ "$FNRET" = 2 ]; then
|
||||||
|
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||||
|
elif [ "$FNRET" = 1 ]; then
|
||||||
|
info "Adding $OPTION to fstab"
|
||||||
|
add_option_to_fstab "$PARTITION" "$OPTION"
|
||||||
|
info "Remounting $PARTITION from fstab"
|
||||||
|
remount_partition "$PARTITION"
|
||||||
|
elif [ "$FNRET" = 3 ]; then
|
||||||
|
info "Remounting $PARTITION from fstab"
|
||||||
|
remount_partition "$PARTITION"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
# No param for this script
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
# shellcheck source=../../debian/default
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
|
# shellcheck source=../../lib/main.sh
|
||||||
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
92
bin/hardening/1.1.12.1_var_log_audit_noexec.sh
Executable file
92
bin/hardening/1.1.12.1_var_log_audit_noexec.sh
Executable file
@ -0,0 +1,92 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# run-shellcheck
|
||||||
|
#
|
||||||
|
# CIS Debian Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 1.1.12.1 Ensure noexec option set on /var/log/audit partition (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
# shellcheck disable=2034
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
# shellcheck disable=2034
|
||||||
|
DESCRIPTION="/var/log/audit partition with noexec option."
|
||||||
|
|
||||||
|
# Quick factoring as many script use the same logic
|
||||||
|
PARTITION="/var/log/audit"
|
||||||
|
OPTION="noexec"
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit() {
|
||||||
|
info "Verifying that $PARTITION is a partition"
|
||||||
|
FNRET=0
|
||||||
|
is_a_partition "$PARTITION"
|
||||||
|
if [ "$FNRET" -gt 0 ]; then
|
||||||
|
crit "$PARTITION is not a partition"
|
||||||
|
FNRET=2
|
||||||
|
else
|
||||||
|
ok "$PARTITION is a partition"
|
||||||
|
has_mount_option "$PARTITION" "$OPTION"
|
||||||
|
if [ "$FNRET" -gt 0 ]; then
|
||||||
|
crit "$PARTITION has no option $OPTION in fstab!"
|
||||||
|
FNRET=1
|
||||||
|
else
|
||||||
|
ok "$PARTITION has $OPTION in fstab"
|
||||||
|
has_mounted_option "$PARTITION" "$OPTION"
|
||||||
|
if [ "$FNRET" -gt 0 ]; then
|
||||||
|
warn "$PARTITION is not mounted with $OPTION at runtime"
|
||||||
|
FNRET=3
|
||||||
|
else
|
||||||
|
ok "$PARTITION mounted with $OPTION"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply() {
|
||||||
|
if [ "$FNRET" = 0 ]; then
|
||||||
|
ok "$PARTITION is correctly set"
|
||||||
|
elif [ "$FNRET" = 2 ]; then
|
||||||
|
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||||
|
elif [ "$FNRET" = 1 ]; then
|
||||||
|
info "Adding $OPTION to fstab"
|
||||||
|
add_option_to_fstab "$PARTITION" "$OPTION"
|
||||||
|
info "Remounting $PARTITION from fstab"
|
||||||
|
remount_partition "$PARTITION"
|
||||||
|
elif [ "$FNRET" = 3 ]; then
|
||||||
|
info "Remounting $PARTITION from fstab"
|
||||||
|
remount_partition "$PARTITION"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
# No param for this script
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
# shellcheck source=../../debian/default
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
|
# shellcheck source=../../lib/main.sh
|
||||||
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
92
bin/hardening/1.1.12.2_var_log_audit_nosuid.sh
Executable file
92
bin/hardening/1.1.12.2_var_log_audit_nosuid.sh
Executable file
@ -0,0 +1,92 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# run-shellcheck
|
||||||
|
#
|
||||||
|
# CIS Debian Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 1.1.12.2 Ensure nosuid option set on /var/log/audit partition (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
# shellcheck disable=2034
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
# shellcheck disable=2034
|
||||||
|
DESCRIPTION="/var/log/audit partition with nosuid option."
|
||||||
|
|
||||||
|
# Quick factoring as many script use the same logic
|
||||||
|
PARTITION="/var/log/audit"
|
||||||
|
OPTION="nosuid"
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit() {
|
||||||
|
info "Verifying that $PARTITION is a partition"
|
||||||
|
FNRET=0
|
||||||
|
is_a_partition "$PARTITION"
|
||||||
|
if [ "$FNRET" -gt 0 ]; then
|
||||||
|
crit "$PARTITION is not a partition"
|
||||||
|
FNRET=2
|
||||||
|
else
|
||||||
|
ok "$PARTITION is a partition"
|
||||||
|
has_mount_option "$PARTITION" "$OPTION"
|
||||||
|
if [ "$FNRET" -gt 0 ]; then
|
||||||
|
crit "$PARTITION has no option $OPTION in fstab!"
|
||||||
|
FNRET=1
|
||||||
|
else
|
||||||
|
ok "$PARTITION has $OPTION in fstab"
|
||||||
|
has_mounted_option "$PARTITION" "$OPTION"
|
||||||
|
if [ "$FNRET" -gt 0 ]; then
|
||||||
|
warn "$PARTITION is not mounted with $OPTION at runtime"
|
||||||
|
FNRET=3
|
||||||
|
else
|
||||||
|
ok "$PARTITION mounted with $OPTION"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply() {
|
||||||
|
if [ "$FNRET" = 0 ]; then
|
||||||
|
ok "$PARTITION is correctly set"
|
||||||
|
elif [ "$FNRET" = 2 ]; then
|
||||||
|
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||||
|
elif [ "$FNRET" = 1 ]; then
|
||||||
|
info "Adding $OPTION to fstab"
|
||||||
|
add_option_to_fstab "$PARTITION" "$OPTION"
|
||||||
|
info "Remounting $PARTITION from fstab"
|
||||||
|
remount_partition "$PARTITION"
|
||||||
|
elif [ "$FNRET" = 3 ]; then
|
||||||
|
info "Remounting $PARTITION from fstab"
|
||||||
|
remount_partition "$PARTITION"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
# No param for this script
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
# shellcheck source=../../debian/default
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
|
# shellcheck source=../../lib/main.sh
|
||||||
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
92
bin/hardening/1.1.12.3_var_log_audit_nodev.sh
Executable file
92
bin/hardening/1.1.12.3_var_log_audit_nodev.sh
Executable file
@ -0,0 +1,92 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# run-shellcheck
|
||||||
|
#
|
||||||
|
# CIS Debian Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 1.1.12.3 Ensure nodev option set on /var/log/audit partition (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
# shellcheck disable=2034
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
# shellcheck disable=2034
|
||||||
|
DESCRIPTION="/var/log/audit partition with nodev option."
|
||||||
|
|
||||||
|
# Quick factoring as many script use the same logic
|
||||||
|
PARTITION="/var/log/audit"
|
||||||
|
OPTION="nodev"
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit() {
|
||||||
|
info "Verifying that $PARTITION is a partition"
|
||||||
|
FNRET=0
|
||||||
|
is_a_partition "$PARTITION"
|
||||||
|
if [ "$FNRET" -gt 0 ]; then
|
||||||
|
crit "$PARTITION is not a partition"
|
||||||
|
FNRET=2
|
||||||
|
else
|
||||||
|
ok "$PARTITION is a partition"
|
||||||
|
has_mount_option "$PARTITION" "$OPTION"
|
||||||
|
if [ "$FNRET" -gt 0 ]; then
|
||||||
|
crit "$PARTITION has no option $OPTION in fstab!"
|
||||||
|
FNRET=1
|
||||||
|
else
|
||||||
|
ok "$PARTITION has $OPTION in fstab"
|
||||||
|
has_mounted_option "$PARTITION" "$OPTION"
|
||||||
|
if [ "$FNRET" -gt 0 ]; then
|
||||||
|
warn "$PARTITION is not mounted with $OPTION at runtime"
|
||||||
|
FNRET=3
|
||||||
|
else
|
||||||
|
ok "$PARTITION mounted with $OPTION"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply() {
|
||||||
|
if [ "$FNRET" = 0 ]; then
|
||||||
|
ok "$PARTITION is correctly set"
|
||||||
|
elif [ "$FNRET" = 2 ]; then
|
||||||
|
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||||
|
elif [ "$FNRET" = 1 ]; then
|
||||||
|
info "Adding $OPTION to fstab"
|
||||||
|
add_option_to_fstab "$PARTITION" "$OPTION"
|
||||||
|
info "Remounting $PARTITION from fstab"
|
||||||
|
remount_partition "$PARTITION"
|
||||||
|
elif [ "$FNRET" = 3 ]; then
|
||||||
|
info "Remounting $PARTITION from fstab"
|
||||||
|
remount_partition "$PARTITION"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
# No param for this script
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
# shellcheck source=../../debian/default
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
|
# shellcheck source=../../lib/main.sh
|
||||||
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
92
bin/hardening/1.1.14.1_home_nosuid.sh
Executable file
92
bin/hardening/1.1.14.1_home_nosuid.sh
Executable file
@ -0,0 +1,92 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# run-shellcheck
|
||||||
|
#
|
||||||
|
# CIS Debian Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 1.1.14.1 Ensure nosuid option set on /home partition (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
# shellcheck disable=2034
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
# shellcheck disable=2034
|
||||||
|
DESCRIPTION="/home partition with nosuid option."
|
||||||
|
|
||||||
|
# Quick factoring as many script use the same logic
|
||||||
|
PARTITION="/home"
|
||||||
|
OPTION="nosuid"
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit() {
|
||||||
|
info "Verifying that $PARTITION is a partition"
|
||||||
|
FNRET=0
|
||||||
|
is_a_partition "$PARTITION"
|
||||||
|
if [ "$FNRET" -gt 0 ]; then
|
||||||
|
crit "$PARTITION is not a partition"
|
||||||
|
FNRET=2
|
||||||
|
else
|
||||||
|
ok "$PARTITION is a partition"
|
||||||
|
has_mount_option "$PARTITION" "$OPTION"
|
||||||
|
if [ "$FNRET" -gt 0 ]; then
|
||||||
|
crit "$PARTITION has no option $OPTION in fstab!"
|
||||||
|
FNRET=1
|
||||||
|
else
|
||||||
|
ok "$PARTITION has $OPTION in fstab"
|
||||||
|
has_mounted_option "$PARTITION" "$OPTION"
|
||||||
|
if [ "$FNRET" -gt 0 ]; then
|
||||||
|
warn "$PARTITION is not mounted with $OPTION at runtime"
|
||||||
|
FNRET=3
|
||||||
|
else
|
||||||
|
ok "$PARTITION mounted with $OPTION"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply() {
|
||||||
|
if [ "$FNRET" = 0 ]; then
|
||||||
|
ok "$PARTITION is correctly set"
|
||||||
|
elif [ "$FNRET" = 2 ]; then
|
||||||
|
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||||
|
elif [ "$FNRET" = 1 ]; then
|
||||||
|
info "Adding $OPTION to fstab"
|
||||||
|
add_option_to_fstab "$PARTITION" "$OPTION"
|
||||||
|
info "Remounting $PARTITION from fstab"
|
||||||
|
remount_partition "$PARTITION"
|
||||||
|
elif [ "$FNRET" = 3 ]; then
|
||||||
|
info "Remounting $PARTITION from fstab"
|
||||||
|
remount_partition "$PARTITION"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
# No param for this script
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
# shellcheck source=../../debian/default
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
|
# shellcheck source=../../lib/main.sh
|
||||||
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
92
bin/hardening/1.1.6.1_var_nodev.sh
Executable file
92
bin/hardening/1.1.6.1_var_nodev.sh
Executable file
@ -0,0 +1,92 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# run-shellcheck
|
||||||
|
#
|
||||||
|
# CIS Debian Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 1.1.6.1 Ensure nodev option set for /var Partition (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
# shellcheck disable=2034
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
# shellcheck disable=2034
|
||||||
|
DESCRIPTION="/var partition with nodev option."
|
||||||
|
|
||||||
|
# Quick factoring as many script use the same logic
|
||||||
|
PARTITION="/var"
|
||||||
|
OPTION="nodev"
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit() {
|
||||||
|
info "Verifying that $PARTITION is a partition"
|
||||||
|
FNRET=0
|
||||||
|
is_a_partition "$PARTITION"
|
||||||
|
if [ "$FNRET" -gt 0 ]; then
|
||||||
|
crit "$PARTITION is not a partition"
|
||||||
|
FNRET=2
|
||||||
|
else
|
||||||
|
ok "$PARTITION is a partition"
|
||||||
|
has_mount_option "$PARTITION" "$OPTION"
|
||||||
|
if [ "$FNRET" -gt 0 ]; then
|
||||||
|
crit "$PARTITION has no option $OPTION in fstab!"
|
||||||
|
FNRET=1
|
||||||
|
else
|
||||||
|
ok "$PARTITION has $OPTION in fstab"
|
||||||
|
has_mounted_option "$PARTITION" "$OPTION"
|
||||||
|
if [ "$FNRET" -gt 0 ]; then
|
||||||
|
warn "$PARTITION is not mounted with $OPTION at runtime"
|
||||||
|
FNRET=3
|
||||||
|
else
|
||||||
|
ok "$PARTITION mounted with $OPTION"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply() {
|
||||||
|
if [ "$FNRET" = 0 ]; then
|
||||||
|
ok "$PARTITION is correctly set"
|
||||||
|
elif [ "$FNRET" = 2 ]; then
|
||||||
|
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||||
|
elif [ "$FNRET" = 1 ]; then
|
||||||
|
info "Adding $OPTION to fstab"
|
||||||
|
add_option_to_fstab "$PARTITION" "$OPTION"
|
||||||
|
info "Remounting $PARTITION from fstab"
|
||||||
|
remount_partition "$PARTITION"
|
||||||
|
elif [ "$FNRET" = 3 ]; then
|
||||||
|
info "Remounting $PARTITION from fstab"
|
||||||
|
remount_partition "$PARTITION"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
# No param for this script
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
# shellcheck source=../../debian/default
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
|
# shellcheck source=../../lib/main.sh
|
||||||
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
92
bin/hardening/1.1.6.2_var_nosuid.sh
Executable file
92
bin/hardening/1.1.6.2_var_nosuid.sh
Executable file
@ -0,0 +1,92 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# run-shellcheck
|
||||||
|
#
|
||||||
|
# CIS Debian Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 1.1.6.2 Ensure nosuid option set for /var Partition (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
# shellcheck disable=2034
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
# shellcheck disable=2034
|
||||||
|
DESCRIPTION="/var partition with nosuid option."
|
||||||
|
|
||||||
|
# Quick factoring as many script use the same logic
|
||||||
|
PARTITION="/var"
|
||||||
|
OPTION="nosuid"
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit() {
|
||||||
|
info "Verifying that $PARTITION is a partition"
|
||||||
|
FNRET=0
|
||||||
|
is_a_partition "$PARTITION"
|
||||||
|
if [ "$FNRET" -gt 0 ]; then
|
||||||
|
crit "$PARTITION is not a partition"
|
||||||
|
FNRET=2
|
||||||
|
else
|
||||||
|
ok "$PARTITION is a partition"
|
||||||
|
has_mount_option "$PARTITION" "$OPTION"
|
||||||
|
if [ "$FNRET" -gt 0 ]; then
|
||||||
|
crit "$PARTITION has no option $OPTION in fstab!"
|
||||||
|
FNRET=1
|
||||||
|
else
|
||||||
|
ok "$PARTITION has $OPTION in fstab"
|
||||||
|
has_mounted_option "$PARTITION" "$OPTION"
|
||||||
|
if [ "$FNRET" -gt 0 ]; then
|
||||||
|
warn "$PARTITION is not mounted with $OPTION at runtime"
|
||||||
|
FNRET=3
|
||||||
|
else
|
||||||
|
ok "$PARTITION mounted with $OPTION"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply() {
|
||||||
|
if [ "$FNRET" = 0 ]; then
|
||||||
|
ok "$PARTITION is correctly set"
|
||||||
|
elif [ "$FNRET" = 2 ]; then
|
||||||
|
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
|
||||||
|
elif [ "$FNRET" = 1 ]; then
|
||||||
|
info "Adding $OPTION to fstab"
|
||||||
|
add_option_to_fstab "$PARTITION" "$OPTION"
|
||||||
|
info "Remounting $PARTITION from fstab"
|
||||||
|
remount_partition "$PARTITION"
|
||||||
|
elif [ "$FNRET" = 3 ]; then
|
||||||
|
info "Remounting $PARTITION from fstab"
|
||||||
|
remount_partition "$PARTITION"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
# No param for this script
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
# shellcheck source=../../debian/default
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
|
# shellcheck source=../../lib/main.sh
|
||||||
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
69
bin/hardening/1.6.3.1_disable_apport.sh
Executable file
69
bin/hardening/1.6.3.1_disable_apport.sh
Executable file
@ -0,0 +1,69 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# run-shellcheck
|
||||||
|
#
|
||||||
|
# CIS Debian Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 1.6.3.1 Ensure apport is disabled (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
# shellcheck disable=2034
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
# shellcheck disable=2034
|
||||||
|
DESCRIPTION="Disable apport to avoid confidential data leaks."
|
||||||
|
|
||||||
|
PACKAGE='apport'
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit() {
|
||||||
|
is_pkg_installed "$PACKAGE"
|
||||||
|
if [ "$FNRET" = 0 ]; then
|
||||||
|
crit "$PACKAGE is installed!"
|
||||||
|
else
|
||||||
|
ok "$PACKAGE is absent"
|
||||||
|
fi
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply() {
|
||||||
|
is_pkg_installed "$PACKAGE"
|
||||||
|
if [ "$FNRET" = 0 ]; then
|
||||||
|
crit "$PACKAGE is installed, purging it"
|
||||||
|
apt-get purge "$PACKAGE" -y
|
||||||
|
apt-get autoremove
|
||||||
|
else
|
||||||
|
ok "$PACKAGE is absent"
|
||||||
|
fi
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
# shellcheck source=../../debian/default
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
|
# shellcheck source=../../lib/main.sh
|
||||||
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
@ -15,7 +15,7 @@ set -u # One variable unset, it's over
|
|||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
HARDENING_LEVEL=2
|
HARDENING_LEVEL=2
|
||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
DESCRIPTION="Check that any password that may exist in /etc/shadow is SHA512 hashed and salted"
|
DESCRIPTION="Check that any password that may exist in /etc/shadow is yescrypt (or SHA512 for debian 10) hashed and salted"
|
||||||
|
|
||||||
CONF_FILE="/etc/pam.d/common-password"
|
CONF_FILE="/etc/pam.d/common-password"
|
||||||
CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*sha512"
|
CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*sha512"
|
||||||
@ -26,6 +26,9 @@ audit() {
|
|||||||
if $SUDO_CMD [ ! -r "$CONF_FILE" ]; then
|
if $SUDO_CMD [ ! -r "$CONF_FILE" ]; then
|
||||||
crit "$CONF_FILE is not readable"
|
crit "$CONF_FILE is not readable"
|
||||||
else
|
else
|
||||||
|
if [ "$DEB_MAJ_VER" -ge "11" ]; then
|
||||||
|
CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*yescrypt" # https://github.com/ovh/debian-cis/issues/158
|
||||||
|
fi
|
||||||
# shellcheck disable=SC2001
|
# shellcheck disable=SC2001
|
||||||
does_pattern_exist_in_file "$CONF_FILE" "$(sed 's/ /[[:space:]]+/g' <<<"$CONF_LINE")"
|
does_pattern_exist_in_file "$CONF_FILE" "$(sed 's/ /[[:space:]]+/g' <<<"$CONF_LINE")"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
@ -47,7 +50,11 @@ apply() {
|
|||||||
ok "$CONF_LINE is present in $CONF_FILE"
|
ok "$CONF_LINE is present in $CONF_FILE"
|
||||||
else
|
else
|
||||||
warn "$CONF_LINE is not present in $CONF_FILE"
|
warn "$CONF_LINE is not present in $CONF_FILE"
|
||||||
add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so sha512" "# pam-auth-update(8) for details."
|
if [ "$DEB_MAJ_VER" -ge "11" ]; then
|
||||||
|
add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so yescrypt" "# pam-auth-update(8) for details."
|
||||||
|
else
|
||||||
|
add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so sha512" "# pam-auth-update(8) for details."
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
@ -57,6 +57,6 @@ get_distribution
|
|||||||
get_debian_major_version
|
get_debian_major_version
|
||||||
|
|
||||||
# shellcheck disable=SC2034
|
# shellcheck disable=SC2034
|
||||||
SMALLEST_SUPPORTED_DEBIAN_VERSION=9
|
SMALLEST_SUPPORTED_DEBIAN_VERSION=10
|
||||||
# shellcheck disable=SC2034
|
# shellcheck disable=SC2034
|
||||||
HIGHEST_SUPPORTED_DEBIAN_VERSION=10
|
HIGHEST_SUPPORTED_DEBIAN_VERSION=11
|
||||||
|
@ -1,22 +0,0 @@
|
|||||||
FROM debian:jessie
|
|
||||||
|
|
||||||
LABEL vendor="OVH"
|
|
||||||
LABEL project="debian-cis"
|
|
||||||
LABEL url="https://github.com/ovh/debian-cis"
|
|
||||||
LABEL description="This image is used to run tests"
|
|
||||||
|
|
||||||
RUN groupadd -g 500 secaudit && useradd -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
|
|
||||||
|
|
||||||
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server sudo syslog-ng net-tools auditd
|
|
||||||
|
|
||||||
COPY --chown=500:500 . /opt/debian-cis/
|
|
||||||
|
|
||||||
COPY debian/default /etc/default/cis-hardening
|
|
||||||
RUN sed -i 's#cis-hardening#debian-cis#' /etc/default/cis-hardening
|
|
||||||
|
|
||||||
COPY cisharden.sudoers /etc/sudoers.d/secaudit
|
|
||||||
RUN sed -i 's#cisharden#secaudit#' /etc/sudoers.d/secaudit
|
|
||||||
|
|
||||||
|
|
||||||
ENTRYPOINT ["/opt/debian-cis/tests/launch_tests.sh"]
|
|
||||||
|
|
@ -1,22 +0,0 @@
|
|||||||
FROM debian:stretch
|
|
||||||
|
|
||||||
LABEL vendor="OVH"
|
|
||||||
LABEL project="debian-cis"
|
|
||||||
LABEL url="https://github.com/ovh/debian-cis"
|
|
||||||
LABEL description="This image is used to run tests"
|
|
||||||
|
|
||||||
RUN groupadd -g 500 secaudit && useradd -u 500 -g 500 -s /bin/bash secaudit && install -m 700 -o secaudit -g secaudit -d /home/secaudit
|
|
||||||
|
|
||||||
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server sudo syslog-ng net-tools auditd
|
|
||||||
|
|
||||||
COPY --chown=500:500 . /opt/debian-cis/
|
|
||||||
|
|
||||||
COPY debian/default /etc/default/cis-hardening
|
|
||||||
RUN sed -i 's#cis-hardening#debian-cis#' /etc/default/cis-hardening
|
|
||||||
|
|
||||||
COPY cisharden.sudoers /etc/sudoers.d/secaudit
|
|
||||||
RUN sed -i 's#cisharden#secaudit#' /etc/sudoers.d/secaudit
|
|
||||||
|
|
||||||
|
|
||||||
ENTRYPOINT ["/opt/debian-cis/tests/launch_tests.sh"]
|
|
||||||
|
|
20
tests/hardening/1.1.1.8_disable_cramfs.sh
Normal file
20
tests/hardening/1.1.1.8_disable_cramfs.sh
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
# shellcheck shell=bash
|
||||||
|
# run-shellcheck
|
||||||
|
test_audit() {
|
||||||
|
if [ -f "/.dockerenv" ]; then
|
||||||
|
skip "SKIPPED on docker"
|
||||||
|
else
|
||||||
|
describe Running on blank host
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
dismiss_count_for_test
|
||||||
|
# shellcheck disable=2154
|
||||||
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
fi
|
||||||
|
|
||||||
|
##################################################################
|
||||||
|
# For this test, we only check that it runs properly on a blank #
|
||||||
|
# host, and we check root/sudo consistency. But, we don't test #
|
||||||
|
# the apply function because it can't be automated or it is very #
|
||||||
|
# long to test and not very useful. #
|
||||||
|
##################################################################
|
||||||
|
}
|
16
tests/hardening/1.1.11.1_var_log_noexec.sh
Normal file
16
tests/hardening/1.1.11.1_var_log_noexec.sh
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
# shellcheck shell=bash
|
||||||
|
# run-shellcheck
|
||||||
|
test_audit() {
|
||||||
|
describe Running on blank host
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
dismiss_count_for_test
|
||||||
|
# shellcheck disable=2154
|
||||||
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
##################################################################
|
||||||
|
# For this test, we only check that it runs properly on a blank #
|
||||||
|
# host, and we check root/sudo consistency. But, we don't test #
|
||||||
|
# the apply function because it can't be automated or it is very #
|
||||||
|
# long to test and not very useful. #
|
||||||
|
##################################################################
|
||||||
|
}
|
16
tests/hardening/1.1.11.2_var_log_nosuid.sh
Normal file
16
tests/hardening/1.1.11.2_var_log_nosuid.sh
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
# shellcheck shell=bash
|
||||||
|
# run-shellcheck
|
||||||
|
test_audit() {
|
||||||
|
describe Running on blank host
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
dismiss_count_for_test
|
||||||
|
# shellcheck disable=2154
|
||||||
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
##################################################################
|
||||||
|
# For this test, we only check that it runs properly on a blank #
|
||||||
|
# host, and we check root/sudo consistency. But, we don't test #
|
||||||
|
# the apply function because it can't be automated or it is very #
|
||||||
|
# long to test and not very useful. #
|
||||||
|
##################################################################
|
||||||
|
}
|
16
tests/hardening/1.1.11.3_var_log_nodev.sh
Normal file
16
tests/hardening/1.1.11.3_var_log_nodev.sh
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
# shellcheck shell=bash
|
||||||
|
# run-shellcheck
|
||||||
|
test_audit() {
|
||||||
|
describe Running on blank host
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
dismiss_count_for_test
|
||||||
|
# shellcheck disable=2154
|
||||||
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
##################################################################
|
||||||
|
# For this test, we only check that it runs properly on a blank #
|
||||||
|
# host, and we check root/sudo consistency. But, we don't test #
|
||||||
|
# the apply function because it can't be automated or it is very #
|
||||||
|
# long to test and not very useful. #
|
||||||
|
##################################################################
|
||||||
|
}
|
16
tests/hardening/1.1.12.1_var_log_audit_noexec.sh
Normal file
16
tests/hardening/1.1.12.1_var_log_audit_noexec.sh
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
# shellcheck shell=bash
|
||||||
|
# run-shellcheck
|
||||||
|
test_audit() {
|
||||||
|
describe Running on blank host
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
dismiss_count_for_test
|
||||||
|
# shellcheck disable=2154
|
||||||
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
##################################################################
|
||||||
|
# For this test, we only check that it runs properly on a blank #
|
||||||
|
# host, and we check root/sudo consistency. But, we don't test #
|
||||||
|
# the apply function because it can't be automated or it is very #
|
||||||
|
# long to test and not very useful. #
|
||||||
|
##################################################################
|
||||||
|
}
|
16
tests/hardening/1.1.12.2_var_log_audit_nosuid.sh
Normal file
16
tests/hardening/1.1.12.2_var_log_audit_nosuid.sh
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
# shellcheck shell=bash
|
||||||
|
# run-shellcheck
|
||||||
|
test_audit() {
|
||||||
|
describe Running on blank host
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
dismiss_count_for_test
|
||||||
|
# shellcheck disable=2154
|
||||||
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
##################################################################
|
||||||
|
# For this test, we only check that it runs properly on a blank #
|
||||||
|
# host, and we check root/sudo consistency. But, we don't test #
|
||||||
|
# the apply function because it can't be automated or it is very #
|
||||||
|
# long to test and not very useful. #
|
||||||
|
##################################################################
|
||||||
|
}
|
16
tests/hardening/1.1.12.3_var_log_audit_nodev.sh
Normal file
16
tests/hardening/1.1.12.3_var_log_audit_nodev.sh
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
# shellcheck shell=bash
|
||||||
|
# run-shellcheck
|
||||||
|
test_audit() {
|
||||||
|
describe Running on blank host
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
dismiss_count_for_test
|
||||||
|
# shellcheck disable=2154
|
||||||
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
##################################################################
|
||||||
|
# For this test, we only check that it runs properly on a blank #
|
||||||
|
# host, and we check root/sudo consistency. But, we don't test #
|
||||||
|
# the apply function because it can't be automated or it is very #
|
||||||
|
# long to test and not very useful. #
|
||||||
|
##################################################################
|
||||||
|
}
|
16
tests/hardening/1.1.14.1_home_nosuid.sh
Normal file
16
tests/hardening/1.1.14.1_home_nosuid.sh
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
# shellcheck shell=bash
|
||||||
|
# run-shellcheck
|
||||||
|
test_audit() {
|
||||||
|
describe Running on blank host
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
dismiss_count_for_test
|
||||||
|
# shellcheck disable=2154
|
||||||
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
##################################################################
|
||||||
|
# For this test, we only check that it runs properly on a blank #
|
||||||
|
# host, and we check root/sudo consistency. But, we don't test #
|
||||||
|
# the apply function because it can't be automated or it is very #
|
||||||
|
# long to test and not very useful. #
|
||||||
|
##################################################################
|
||||||
|
}
|
16
tests/hardening/1.1.6.1_var_nodev.sh
Normal file
16
tests/hardening/1.1.6.1_var_nodev.sh
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
# shellcheck shell=bash
|
||||||
|
# run-shellcheck
|
||||||
|
test_audit() {
|
||||||
|
describe Running on blank host
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
dismiss_count_for_test
|
||||||
|
# shellcheck disable=2154
|
||||||
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
##################################################################
|
||||||
|
# For this test, we only check that it runs properly on a blank #
|
||||||
|
# host, and we check root/sudo consistency. But, we don't test #
|
||||||
|
# the apply function because it can't be automated or it is very #
|
||||||
|
# long to test and not very useful. #
|
||||||
|
##################################################################
|
||||||
|
}
|
16
tests/hardening/1.1.6.2_var_nosuid.sh
Normal file
16
tests/hardening/1.1.6.2_var_nosuid.sh
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
# shellcheck shell=bash
|
||||||
|
# run-shellcheck
|
||||||
|
test_audit() {
|
||||||
|
describe Running on blank host
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
dismiss_count_for_test
|
||||||
|
# shellcheck disable=2154
|
||||||
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
##################################################################
|
||||||
|
# For this test, we only check that it runs properly on a blank #
|
||||||
|
# host, and we check root/sudo consistency. But, we don't test #
|
||||||
|
# the apply function because it can't be automated or it is very #
|
||||||
|
# long to test and not very useful. #
|
||||||
|
##################################################################
|
||||||
|
}
|
16
tests/hardening/1.6.3.1_disable_apport.sh
Normal file
16
tests/hardening/1.6.3.1_disable_apport.sh
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
# shellcheck shell=bash
|
||||||
|
# run-shellcheck
|
||||||
|
test_audit() {
|
||||||
|
describe Running on blank host
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
dismiss_count_for_test
|
||||||
|
# shellcheck disable=2154
|
||||||
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
##################################################################
|
||||||
|
# For this test, we only check that it runs properly on a blank #
|
||||||
|
# host, and we check root/sudo consistency. But, we don't test #
|
||||||
|
# the apply function because it can't be automated or it is very #
|
||||||
|
# long to test and not very useful. #
|
||||||
|
##################################################################
|
||||||
|
}
|
@ -3,7 +3,7 @@
|
|||||||
test_audit() {
|
test_audit() {
|
||||||
describe Running on blank host
|
describe Running on blank host
|
||||||
register_test retvalshouldbe 0
|
register_test retvalshouldbe 0
|
||||||
register_test contain "[ OK ] ^\s*password\s.+\s+pam_unix\.so\s+.*sha512 is present in /etc/pam.d/common-password"
|
register_test contain REGEX "[ OK ] .*(sha512|yescrypt) is present in /etc/pam.d/common-password"
|
||||||
# shellcheck disable=2154
|
# shellcheck disable=2154
|
||||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user