hardening : building basic configuration

2024-11-22 05:27:01 +01:00 · 2016-04-01 09:52:39 +02:00 · 2016-04-01 09:52:39 +02:00 · 08da17be24
commit 08da17be24
parent 9a5e962cd4
5 changed files with 101 additions and 14 deletions
--- a/bin/hardening/1.1_Install_Updates.sh
+++ b/bin/hardening/1.1_Install_Updates.sh
@ -5,17 +5,70 @@
 #

 #
-# 1.1 Install Updates, Patches and Additional Security Software (Not Scored)
+# Hardening script skeleton replace this line with proper point treated
 #

-# This function will be called if the script status is ont enabled / audit mode
-audit () {
+set -e # One error, it's over
+set -u # One variable unset, it's over

+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    :
 }

 # This function will be called if the script status is on enabled mode
 apply () {
-
+    :
 }

+# Environment Sanitizing
+export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'

+# Source Root Dir Parameter
+
+if [ ! -r /etc/default/cis-hardenning ]; then
+    echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+    exit 128
+else
+    . /etc/default/cis-hardenning
+    if [ -z $CIS_ROOT_DIR ]; then
+        echo "No CIS_ROOT_DIR variable, aborting"
+    fi
+fi 
+
+LONG_SCRIPT_NAME=$(basename $0)
+SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh}
+# Variable initialization, to avoid crash
+status=""
+params=""
+
+[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh
+[ -r $CIS_ROOT_DIR/lib/utils.sh     ] && . $CIS_ROOT_DIR/lib/utils.sh
+[ -r $CIS_ROOT_DIR/lib/common.sh    ] && . $CIS_ROOT_DIR/lib/common.sh
+
+# Source general configuration file and Specific configuration file if exist
+
+[ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] && . $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
+
+logger "Working on $SCRIPT_NAME"
+
+if [ -z $status ]; then
+    logger "Could not find status variable for $SCRIPT_NAME, considered as disabled"
+    exit 0
+fi
+
+case $status in
+    enabled | true ) 
+        audit $params # Perform audit
+        apply $params # Perform hardening
+        ;;
+    audit )
+        audit $params # Perform audit
+        ;;
+    disabled | false )
+        logger "$SCRIPT_NAME is disabled, ignoring"
+        ;;
+    *)
+        logger "Wrong value for status : $status. Must be [ enabled | true | audit | disabled | false ]"
+        ;;
+esac
--- a/etc/conf.d/.gitignore
+++ b/etc/conf.d/.gitignore
@ -0,0 +1 @@
+*.cfg
--- a/etc/hardening.cfg
+++ b/etc/hardening.cfg
@ -1,2 +1,5 @@
 # CIS Debian 7 Hardening
-# Main Configuration File 
+# Main Configuration File, put here global variables
+
+# Valid values are verbose info warning error
+LOGLEVEL=verbose
--- a/lib/common.sh
+++ b/lib/common.sh
@ -2,6 +2,6 @@

 logger() {
    test -z "$SCRIPT_NAME" && SCRIPT_NAME=$(basename $0)
-    logger -i -t "$SCRIPT_NAME" -p "user.info" "$(date +%Y.%m.%d-%H:%M:%S) $*"
-    test -t 1 && echo "$(date +%Z-%Y.%m.%d-%H:%M:%S) $*"
+    /usr/bin/logger -i -t "$SCRIPT_NAME" -p "user.info" "$*"
+    test -t 1 && echo "$*"
 }
--- a/src/skel.sh
+++ b/src/skel.sh
@ -4,19 +4,21 @@
 # CIS Debian 7 Hardening
 #

-
 #
 # Hardening script skeleton replace this line with proper point treated
 #

-# This function will be called if the script status is ont enabled / audit mode
-audit () {
+set -e # One error, it's over
+set -u # One variable unset, it's over

+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    :
 }

 # This function will be called if the script status is on enabled mode
 apply () {
-
+    :
 }

 # Environment Sanitizing
@ -34,11 +36,39 @@ else
    fi
 fi 

-SCRIPT_NAME=$(basename $0)
+LONG_SCRIPT_NAME=$(basename $0)
+SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh}
+# Variable initialization, to avoid crash
+status=""
+params=""

+[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh
+[ -r $CIS_ROOT_DIR/lib/utils.sh     ] && . $CIS_ROOT_DIR/lib/utils.sh
+[ -r $CIS_ROOT_DIR/lib/common.sh    ] && . $CIS_ROOT_DIR/lib/common.sh
+[ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg
 # Source general configuration file and Specific configuration file if exist

-[ -r $ROOT_DIR/etc/hardening.cfg ] && . $ROOT_DIR/etc/hardening.cfg
-[ -r $ROOT_DIR/etc/hardening/$SCRIPT_NAME ] && . $ROOT_DIR/etc/hardening/$SCRIPT_NAME
+[ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] && . $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg

+logger "Working on $SCRIPT_NAME"

+if [ -z $status ]; then
+    logger "Could not find status variable for $SCRIPT_NAME, considered as disabled"
+    exit 0
+fi
+
+case $status in
+    enabled | true ) 
+        audit $params # Perform audit
+        apply $params # Perform hardening
+        ;;
+    audit )
+        audit $params # Perform audit
+        ;;
+    disabled | false )
+        logger "$SCRIPT_NAME is disabled, ignoring"
+        ;;
+    *)
+        logger "Wrong value for status : $status. Must be [ enabled | true | audit | disabled | false ]"
+        ;;
+esac