IMP: add multiple Improvements

* add new kernel module detection (enabled & listing) with detection of monolithic kernel
* change way to detect if file system type is disabled
* add global IS_CONTAINER variable
* disable test for 3.4.x to be consistent with others
* add cli options to override configuration loglevel
This commit is contained in:
jeremydenoun 2021-02-04 16:21:49 +01:00 committed by GitHub
parent ec9e2addc2
commit 0b6ea0d97e
22 changed files with 362 additions and 165 deletions


@ -115,6 +115,10 @@ will create a timestamped backup in this directory.
the -n option instructs sudo not to prompt for a password. the -n option instructs sudo not to prompt for a password.
Finally note that `--sudo` mode only works for audit mode. Finally note that `--sudo` mode only works for audit mode.
`--set-log-level=level`
: This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug.
Default value is : info
`--batch` `--batch`
: While performing system audit, this option sets LOGLEVEL to 'ok' and : While performing system audit, this option sets LOGLEVEL to 'ok' and
captures all output to print only one line once the check is done, formatted like : captures all output to print only one line once the check is done, formatted like :


@ -117,6 +117,9 @@ to allow a certain kind of services on the machine, such as http, mail, etc.
Can be specified multiple times to allow multiple services. Can be specified multiple times to allow multiple services.
Use --allow-service-list to get a list of supported services. Use --allow-service-list to get a list of supported services.
``--set-log-level <level>``: This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug.
Default value is : info
``--create-config-files-only``: create the config files in etc/conf.d. Must be run as root, ``--create-config-files-only``: create the config files in etc/conf.d. Must be run as root,
before running the audit with user secaudit, to have the rights setup well on the conf files. before running the audit with user secaudit, to have the rights setup well on the conf files.


@ -26,6 +26,7 @@ ALLOW_SERVICE_LIST=0
SET_HARDENING_LEVEL=0 SET_HARDENING_LEVEL=0
SUDO_MODE='' SUDO_MODE=''
BATCH_MODE='' BATCH_MODE=''
ASK_LOGLEVEL=''
usage() { usage() {
cat <<EOF cat <<EOF
@ -98,6 +99,10 @@ OPTIONS:
the '-n' option instructs sudo not to prompt for a password. the '-n' option instructs sudo not to prompt for a password.
Finally note that '--sudo' mode only works for audit mode. Finally note that '--sudo' mode only works for audit mode.
--set-log-level <level>
This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug.
Default value is : info
--batch --batch
While performing system audit, this option sets LOGLEVEL to 'ok' and While performing system audit, this option sets LOGLEVEL to 'ok' and
captures all output to print only one line once the check is done, formatted like : captures all output to print only one line once the check is done, formatted like :
@ -143,6 +148,10 @@ while [[ $# -gt 0 ]]; do
SET_HARDENING_LEVEL="$2" SET_HARDENING_LEVEL="$2"
shift shift
;; ;;
--set-log-level)
ASK_LOGLEVEL=$2
shift
;;
--only) --only)
TEST_LIST[${#TEST_LIST[@]}]="$2" TEST_LIST[${#TEST_LIST[@]}]="$2"
shift shift
@ -152,7 +161,7 @@ while [[ $# -gt 0 ]]; do
;; ;;
--batch) --batch)
BATCH_MODE='--batch' BATCH_MODE='--batch'
LOGLEVEL=ok ASK_LOGLEVEL=ok
;; ;;
-h | --help) -h | --help)
usage usage
@ -183,13 +192,12 @@ fi
[ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh [ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
# shellcheck source=../etc/hardening.cfg # shellcheck source=../etc/hardening.cfg
[ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg [ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg
if [ "$ASK_LOGLEVEL" ]; then LOGLEVEL=$ASK_LOGLEVEL; fi
# shellcheck source=../lib/common.sh # shellcheck source=../lib/common.sh
[ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh [ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
# shellcheck source=../lib/utils.sh # shellcheck source=../lib/utils.sh
[ -r "$CIS_ROOT_DIR"/lib/utils.sh ] && . "$CIS_ROOT_DIR"/lib/utils.sh [ -r "$CIS_ROOT_DIR"/lib/utils.sh ] && . "$CIS_ROOT_DIR"/lib/utils.sh
if [ "$BATCH_MODE" ]; then MACHINE_LOG_LEVEL=3; fi
# If --allow-service-list is specified, don't run anything, just list the supported services # If --allow-service-list is specified, don't run anything, just list the supported services
if [ "$ALLOW_SERVICE_LIST" = 1 ]; then if [ "$ALLOW_SERVICE_LIST" = 1 ]; then
declare -a HARDENING_EXCEPTIONS_LIST declare -a HARDENING_EXCEPTIONS_LIST
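Review bot: The value given to `--set-log-level` is copied into LOGLEVEL at `if [ "$ASK_LOGLEVEL" ]; then LOGLEVEL=$ASK_LOGLEVEL; fi` without being checked against the set the new usage text documents (info, warning, error, ok, debug), so a typo such as `--set-log-level inf` silently replaces the configured level instead of failing early. Validating before the assignment keeps the override safe, and since `--batch` now writes the same ASK_LOGLEVEL variable, whichever of the two options comes last on the command line wins — worth one sentence in the usage text. The rest of the option loop and the sourcing block are outside this hunk.
```shell
if [ "$ASK_LOGLEVEL" ]; then
    case "$ASK_LOGLEVEL" in
        info | warning | error | ok | debug) LOGLEVEL=$ASK_LOGLEVEL ;;
        *)
            printf 'Invalid --set-log-level value: %s (expected info, warning, error, ok or debug)\n' "$ASK_LOGLEVEL" >&2
            exit 1
            ;;
    esac
fi
```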


@ -17,28 +17,36 @@ HARDENING_LEVEL=2
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Disable mounting of freevxfs filesystems." DESCRIPTION="Disable mounting of freevxfs filesystems."
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
KERNEL_OPTION="CONFIG_VXFS_FS" KERNEL_OPTION="CONFIG_VXFS_FS"
MODULE_NAME="freevxfs" MODULE_NAME="freevxfs"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
if [ "$IS_CONTAINER" -eq 1 ]; then
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!" crit "$MODULE_NAME is enabled!"
else else
ok "$KERNEL_OPTION is disabled" ok "$MODULE_NAME is disabled"
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
is_kernel_option_enabled "$KERNEL_OPTION" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" ok "Container detected, consider host enforcing!"
else else
ok "$KERNEL_OPTION is disabled, nothing to do" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }
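Review bot: The new guard `[ "$IS_CONTAINER" -eq 1 ]` relies on the variable being set by lib/utils.sh; if a check script is ever run without that library sourced, `[` reports "integer expression expected" and silently falls through to the module check, so `[ "${IS_CONTAINER:-0}" -eq 1 ]` is the defensive spelling. The same guard appears in the jffs2, hfs, hfsplus, squashfs, udf, usb-storage, dccp, sctp, rds and tipc sections of this commit. In the container branch audit() reports `ok` even though the module state cannot be verified from inside the container; a `warn` (or a dedicated "skipped" status if the framework has one) would keep the check from reading as a confirmed pass while still not failing it.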


@ -17,28 +17,36 @@ HARDENING_LEVEL=2
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Disable mounting of jffs2 filesystems." DESCRIPTION="Disable mounting of jffs2 filesystems."
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
KERNEL_OPTION="CONFIG_JFFS2_FS" KERNEL_OPTION="CONFIG_JFFS2_FS"
MODULE_NAME="jffs2" MODULE_NAME="jffs2"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
crit "$KERNEL_OPTION is enabled!" ok "Container detected, consider host enforcing or disable this check!"
else else
ok "$KERNEL_OPTION is disabled" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
is_kernel_option_enabled "$KERNEL_OPTION" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" ok "Container detected, consider host enforcing!"
else else
ok "$KERNEL_OPTION is disabled, nothing to do" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }


@ -17,28 +17,36 @@ HARDENING_LEVEL=2
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Disable mounting of hfs filesystems." DESCRIPTION="Disable mounting of hfs filesystems."
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
KERNEL_OPTION="CONFIG_HFS_FS" KERNEL_OPTION="CONFIG_HFS_FS"
MODULE_FILE="hfs" MODULE_NAME="hfs"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
crit "$KERNEL_OPTION is enabled!" ok "Container detected, consider host enforcing or disable this check!"
else else
ok "$KERNEL_OPTION is disabled" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
is_kernel_option_enabled "$KERNEL_OPTION" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" ok "Container detected, consider host enforcing!"
else else
ok "$KERNEL_OPTION is disabled, nothing to do" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }


@ -17,28 +17,36 @@ HARDENING_LEVEL=2
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Disable mounting of hfsplus filesystems." DESCRIPTION="Disable mounting of hfsplus filesystems."
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
KERNEL_OPTION="CONFIG_HFSPLUS_FS" KERNEL_OPTION="CONFIG_HFSPLUS_FS"
MODULE_FILE="hfsplus" MODULE_NAME="hfsplus"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
crit "$KERNEL_OPTION is enabled!" ok "Container detected, consider host enforcing or disable this check!"
else else
ok "$KERNEL_OPTION is disabled" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
is_kernel_option_enabled "$KERNEL_OPTION" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" ok "Container detected, consider host enforcing!"
else else
ok "$KERNEL_OPTION is disabled, nothing to do" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }


@ -17,31 +17,37 @@ HARDENING_LEVEL=2
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Disable mounting of squashfs filesytems." DESCRIPTION="Disable mounting of squashfs filesytems."
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
KERNEL_OPTION="CONFIG_SQUASHFS" KERNEL_OPTION="CONFIG_SQUASHFS"
MODULE_FILE="squashfs" MODULE_NAME="squashfs"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
crit "$KERNEL_OPTION is enabled!" ok "Container detected, consider host enforcing or disable this check!"
else else
ok "$KERNEL_OPTION is disabled" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
:
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
is_kernel_option_enabled "$KERNEL_OPTION" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" ok "Container detected, consider host enforcing!"
else else
ok "$KERNEL_OPTION is disabled, nothing to do" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
:
} }
# This function will check config parameters required # This function will check config parameters required


@ -17,28 +17,36 @@ HARDENING_LEVEL=2
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Disable mounting of udf filesystems." DESCRIPTION="Disable mounting of udf filesystems."
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
KERNEL_OPTION="CONFIG_UDF_FS" KERNEL_OPTION="CONFIG_UDF_FS"
MODULE_FILE="udf" MODULE_NAME="udf"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
crit "$KERNEL_OPTION is enabled!" ok "Container detected, consider host enforcing or disable this check!"
else else
ok "$KERNEL_OPTION is disabled" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
is_kernel_option_enabled "$KERNEL_OPTION" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" ok "Container detected, consider host enforcing!"
else else
ok "$KERNEL_OPTION is disabled, nothing to do" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }


@ -24,6 +24,7 @@ MODULE_FILE="vfat"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
# TODO check if uefi enabled if yes check if only boot partition use FAT
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!" crit "$KERNEL_OPTION is enabled!"
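Review bot: This vfat check is the only module script in the commit that keeps the `MODULE_FILE` name, the `$KERNEL_OPTION is enabled!` wording and no `IS_CONTAINER` guard, while every sibling gained the new pattern. If that is deliberate pending the UEFI question, the new comment should say so, e.g. `# TODO check if uefi enabled if yes check if only boot partition use FAT (kept on the old code path until then)`; otherwise it should follow the siblings so a container run does not report the host's vfat module as a failure. audit() continues outside the hunk.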


@ -20,25 +20,35 @@ DESCRIPTION="Disable USB storage."
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels # Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
KERNEL_OPTION="CONFIG_USB_STORAGE" KERNEL_OPTION="CONFIG_USB_STORAGE"
MODULE_FILE="usb-storage" MODULE_NAME="usb-storage"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
crit "$KERNEL_OPTION is enabled!" ok "Container detected, consider host enforcing or disable this check!"
else else
ok "$KERNEL_OPTION is disabled" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
is_kernel_option_enabled "$KERNEL_OPTION" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" ok "Container detected, consider host enforcing!"
else else
ok "$KERNEL_OPTION is disabled, nothing to do" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }


@ -24,21 +24,31 @@ MODULE_NAME="dccp"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
if [ "$IS_CONTAINER" -eq 1 ]; then
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!" crit "$MODULE_NAME is enabled!"
else else
ok "$KERNEL_OPTION is disabled" ok "$MODULE_NAME is disabled"
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
is_kernel_option_enabled "$KERNEL_OPTION" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" ok "Container detected, consider host enforcing!"
else else
ok "$KERNEL_OPTION is disabled, nothing to do" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }


@ -24,21 +24,31 @@ MODULE_NAME="sctp"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
if [ "$IS_CONTAINER" -eq 1 ]; then
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!" crit "$MODULE_NAME is enabled!"
else else
ok "$KERNEL_OPTION is disabled" ok "$MODULE_NAME is disabled"
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
is_kernel_option_enabled "$KERNEL_OPTION" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" ok "Container detected, consider host enforcing!"
else else
ok "$KERNEL_OPTION is disabled, nothing to do" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }


@ -24,21 +24,31 @@ MODULE_NAME="rds"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
if [ "$IS_CONTAINER" -eq 1 ]; then
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!"
else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!" crit "$MODULE_NAME is enabled!"
else else
ok "$KERNEL_OPTION is disabled" ok "$MODULE_NAME is disabled"
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
is_kernel_option_enabled "$KERNEL_OPTION" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" ok "Container detected, consider host enforcing!"
else else
ok "$KERNEL_OPTION is disabled, nothing to do" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }


@ -24,21 +24,31 @@ MODULE_NAME="tipc"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
crit "$KERNEL_OPTION is enabled!" ok "Container detected, consider host enforcing or disable this check!"
else else
ok "$KERNEL_OPTION is disabled" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
is_kernel_option_enabled "$KERNEL_OPTION" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" ok "Container detected, consider host enforcing!"
else else
ok "$KERNEL_OPTION is disabled, nothing to do" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }


@ -127,6 +127,11 @@ Note that you need to provide a sudoers file with NOPASSWD option in
password. password.
Finally note that \f[C]--sudo\f[R] mode only works for audit mode. Finally note that \f[C]--sudo\f[R] mode only works for audit mode.
.TP .TP
.B \f[C]--set-log-level=level\f[R]
This option sets LOGLEVEL, you can choose : info, warning, error, ok,
debug.
Default value is : info
.TP
.B \f[C]--batch\f[R] .B \f[C]--batch\f[R]
While performing system audit, this option sets LOGLEVEL to `ok' and While performing system audit, this option sets LOGLEVEL to `ok' and
captures all output to print only one line once the check is done, captures all output to print only one line once the check is done,


@ -113,11 +113,36 @@ sudo_wrapper() {
fi fi
} }
#
# detect if container based on cgroup detection
#
is_running_in_container() {
awk -F/ '$2 == "'"$1"'"' /proc/self/cgroup
}
CONTAINER_TYPE=""
IS_CONTAINER=0
if [ "$(is_running_in_container "docker")" != "" ]; then
CONTAINER_TYPE="docker"
IS_CONTAINER=1
fi
if [ "$(is_running_in_container "lxc")" != "" ]; then
CONTAINER_TYPE="lxc"
IS_CONTAINER=1
fi
if [ "$(is_running_in_container "kubepods")" != "" ]; then
# shellcheck disable=SC2034
CONTAINER_TYPE="kubepods"
# shellcheck disable=SC2034
IS_CONTAINER=1
fi
# #
# Math functions # Math functions
# #
function div() { div() {
local _d=${3:-2} local _d=${3:-2}
local _n=0000000000 local _n=0000000000
_n=${_n:0:$_d} _n=${_n:0:$_d}
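Review bot: `is_running_in_container` splices its argument into the awk program text (`'$2 == "'"$1"'"'`); the three callers pass literals so nothing can go wrong here, but the conventional form that keeps data out of the program is `awk -F/ -v name="$1" '$2 == name' /proc/self/cgroup`. The detection reads only the second path component of /proc/self/cgroup, which fits the cgroup-v1 layout; on a cgroup-v2 host the single `0::/...` line may not carry the runtime name in that position, so IS_CONTAINER can remain 0 inside a container — a comment stating that assumption would help the next reader. It also differs from the `/.dockerenv` test the test suite in this commit uses, so the two can disagree. If /proc/self/cgroup is missing or unreadable, awk prints an error on stderr every time the library is sourced; a `[ -r /proc/self/cgroup ]` guard or `2>/dev/null` keeps that quiet.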


@ -295,12 +295,25 @@ is_service_enabled() {
is_kernel_option_enabled() { is_kernel_option_enabled() {
local KERNEL_OPTION="$1" local KERNEL_OPTION="$1"
local MODULE_NAME="" local MODULE_NAME=""
local MODPROBE_FILTER=""
local RESULT="" local RESULT=""
local IS_MONOLITHIC_KERNEL=1
local DEF_MODULE=""
if [ $# -ge 2 ]; then if [ $# -ge 2 ]; then
MODULE_NAME="$2" MODULE_NAME="$2"
fi fi
if [ $# -ge 3 ]; then
MODPROBE_FILTER="$3"
fi
debug "Detect if lsmod is available and does not return an error code (otherwise consider as a monolithic kernel"
if $SUDO_CMD lsmod >/dev/null 2>&1; then
IS_MONOLITHIC_KERNEL=0
fi
if [ $IS_MONOLITHIC_KERNEL -eq 1 ]; then
if $SUDO_CMD [ -r "/proc/config.gz" ]; then if $SUDO_CMD [ -r "/proc/config.gz" ]; then
RESULT=$($SUDO_CMD zgrep "^$KERNEL_OPTION=" /proc/config.gz) || : RESULT=$($SUDO_CMD zgrep "^$KERNEL_OPTION=" /proc/config.gz) || :
elif $SUDO_CMD [ -r "/boot/config-$(uname -r)" ]; then elif $SUDO_CMD [ -r "/boot/config-$(uname -r)" ]; then
@ -333,15 +346,41 @@ is_kernel_option_enabled() {
if $SUDO_CMD [ -n "$modulefile" ]; then if $SUDO_CMD [ -n "$modulefile" ]; then
debug "We do have $modulefile!" debug "We do have $modulefile!"
# ... but wait, maybe it's blacklisted? check files in /etc/modprobe.d/ for "blacklist xyz" # ... but wait, maybe it's blacklisted? check files in /etc/modprobe.d/ for "blacklist xyz"
if grep -qRE "^\s*blacklist\s+$MODULE_NAME\s*$" /etc/modprobe.d/; then if grep -qRE "^\s*blacklist\s+$MODULE_NAME\s*$" /etc/modprobe.d/*.conf; then
debug "... but it's blacklisted!" debug "... but it's blacklisted!"
FNRET=1 # Not found (found but blacklisted) FNRET=1 # Not found (found but blacklisted)
# FIXME: even if blacklisted, it might be present in the initrd and fi
# be insmod from there... but painful to check :/ maybe lsmod would be enough ? # ... but wait, maybe it's override ? check files in /etc/modprobe.d/ for "install xyz /bin/(true|false)"
if grep -aRE "^\s*install\s+$MODULE_NAME\s+/bin/(true|false)\s*$" /etc/modprobe.d/*.conf; then
debug "... but it's override!"
FNRET=1 # Not found (found but override)
fi fi
FNRET=0 # Found! FNRET=0 # Found!
fi fi
fi fi
else
if [ "$FILTER" != "" ]; then
DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | grep -E "$MODPROBE_FILTER" | xargs)"
else
DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | xargs)"
fi
if [ "$DEF_MODULE" == "install /bin/true" ] || [ "$DEF_MODULE" == "install /bin/false" ]; then
debug "$MODULE_NAME is disabled (blacklist with override)"
FNRET=1
elif [ "$DEF_MODULE" == "" ]; then
debug "$MODULE_NAME is disabled"
FNRET=1
else
debug "$MODULE_NAME is enabled"
FNRET=0
fi
if [ "$($SUDO_CMD lsmod | grep -E "$MODULE_NAME" 2>/dev/null)" != "" ]; then
debug "$MODULE_NAME is enabled"
FNRET=0
fi
fi
} }
# #
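Review bot: The third argument is stored in `MODPROBE_FILTER`, but the branch that applies it tests `[ "$FILTER" != "" ]`, so the filter passed by the jffs2, squashfs, udf and tipc scripts is never used (and `FILTER` is an unset name that `set -u` would reject); it should read `if [ "$MODPROBE_FILTER" != "" ]; then`. The loaded-module check `lsmod | grep -E "$MODULE_NAME"` is unanchored and uses the dash form of the name, so `hfs` also matches a loaded `hfsplus` and `usb-storage` never matches `usb_storage` as lsmod prints it; `$SUDO_CMD lsmod 2>/dev/null | grep -qE "^${MODULE_NAME//-/_}\s"` fixes both and moves the stderr redirect onto lsmod where it belongs. In the monolithic branch the new override check uses `grep -aRE` without `-q`, so matching lines are printed to stdout, and as far as the flattened rendering shows the unconditional `FNRET=0 # Found!` after both `fi` still overrides the FNRET=1 set by the blacklist and override checks; making it the `else` of those checks would let them take effect. The function starts before this hunk.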


@ -1,11 +1,15 @@
# shellcheck shell=bash # shellcheck shell=bash
# run-shellcheck # run-shellcheck
test_audit() { test_audit() {
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
describe Running on blank host describe Running on blank host
register_test retvalshouldbe 0 register_test retvalshouldbe 0
dismiss_count_for_test dismiss_count_for_test
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
################################################################## ##################################################################
# For this test, we only check that it runs properly on a blank # # For this test, we only check that it runs properly on a blank #
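Review bot: The skip condition `[ -f "/.dockerenv" ]` decides by a different signal than the library's runtime detection, which looks for `docker`, `lxc` or `kubepods` in /proc/self/cgroup, so the two can disagree — on an lxc or podman runner there is no /.dockerenv and the test runs the module path it was meant to avoid, while on docker with cgroup v2 the test is skipped but the script itself may not detect the container. Reusing the same detection, or at least a comment explaining the skip — `# kernel modules belong to the host inside docker, so this check cannot be exercised here` — would keep them aligned. The same change is in the three following test sections. test_audit() continues outside the hunk.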


@ -1,11 +1,15 @@
# shellcheck shell=bash # shellcheck shell=bash
# run-shellcheck # run-shellcheck
test_audit() { test_audit() {
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
describe Running on blank host describe Running on blank host
register_test retvalshouldbe 0 register_test retvalshouldbe 0
dismiss_count_for_test dismiss_count_for_test
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
################################################################## ##################################################################
# For this test, we only check that it runs properly on a blank # # For this test, we only check that it runs properly on a blank #


@ -1,11 +1,15 @@
# shellcheck shell=bash # shellcheck shell=bash
# run-shellcheck # run-shellcheck
test_audit() { test_audit() {
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
describe Running on blank host describe Running on blank host
register_test retvalshouldbe 0 register_test retvalshouldbe 0
dismiss_count_for_test dismiss_count_for_test
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
################################################################## ##################################################################
# For this test, we only check that it runs properly on a blank # # For this test, we only check that it runs properly on a blank #


@ -1,11 +1,15 @@
# shellcheck shell=bash # shellcheck shell=bash
# run-shellcheck # run-shellcheck
test_audit() { test_audit() {
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
describe Running on blank host describe Running on blank host
register_test retvalshouldbe 0 register_test retvalshouldbe 0
dismiss_count_for_test dismiss_count_for_test
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
################################################################## ##################################################################
# For this test, we only check that it runs properly on a blank # # For this test, we only check that it runs properly on a blank #