IMP: add multiple Improvements

* add new kernel module detection (enabled & listing) with detection of monolithic kernels
* change way to detect if file system type is disabled
* add global IS_CONTAINER variable
* disable test for 3.4.x to be consistent with others
* add cli options to override configuration loglevel
This commit is contained in:
jeremydenoun 2021-02-04 16:21:49 +01:00 committed by GitHub
parent ec9e2addc2
commit 0b6ea0d97e
22 changed files with 362 additions and 165 deletions


@ -115,6 +115,10 @@ will create a timestamped backup in this directory.
the -n option instructs sudo not to prompt for a password. the -n option instructs sudo not to prompt for a password.
Finally note that `--sudo` mode only works for audit mode. Finally note that `--sudo` mode only works for audit mode.
`--set-log-level=level`
: This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug.
Default value is : info
`--batch` `--batch`
: While performing system audit, this option sets LOGLEVEL to 'ok' and : While performing system audit, this option sets LOGLEVEL to 'ok' and
captures all output to print only one line once the check is done, formatted like : captures all output to print only one line once the check is done, formatted like :


@ -117,6 +117,9 @@ to allow a certain kind of services on the machine, such as http, mail, etc.
Can be specified multiple times to allow multiple services. Can be specified multiple times to allow multiple services.
Use --allow-service-list to get a list of supported services. Use --allow-service-list to get a list of supported services.
``--set-log-level <level>``: This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug.
Default value is : info
``--create-config-files-only``: create the config files in etc/conf.d. Must be run as root, ``--create-config-files-only``: create the config files in etc/conf.d. Must be run as root,
before running the audit with user secaudit, to have the rights setup well on the conf files. before running the audit with user secaudit, to have the rights setup well on the conf files.


@ -26,6 +26,7 @@ ALLOW_SERVICE_LIST=0
SET_HARDENING_LEVEL=0 SET_HARDENING_LEVEL=0
SUDO_MODE='' SUDO_MODE=''
BATCH_MODE='' BATCH_MODE=''
ASK_LOGLEVEL=''
usage() { usage() {
cat <<EOF cat <<EOF
@ -98,6 +99,10 @@ OPTIONS:
the '-n' option instructs sudo not to prompt for a password. the '-n' option instructs sudo not to prompt for a password.
Finally note that '--sudo' mode only works for audit mode. Finally note that '--sudo' mode only works for audit mode.
--set-log-level <level>
This option sets LOGLEVEL, you can choose : info, warning, error, ok, debug.
Default value is : info
--batch --batch
While performing system audit, this option sets LOGLEVEL to 'ok' and While performing system audit, this option sets LOGLEVEL to 'ok' and
captures all output to print only one line once the check is done, formatted like : captures all output to print only one line once the check is done, formatted like :
@ -143,6 +148,10 @@ while [[ $# -gt 0 ]]; do
SET_HARDENING_LEVEL="$2" SET_HARDENING_LEVEL="$2"
shift shift
;; ;;
--set-log-level)
ASK_LOGLEVEL=$2
shift
;;
--only) --only)
TEST_LIST[${#TEST_LIST[@]}]="$2" TEST_LIST[${#TEST_LIST[@]}]="$2"
shift shift
@ -152,7 +161,7 @@ while [[ $# -gt 0 ]]; do
;; ;;
--batch) --batch)
BATCH_MODE='--batch' BATCH_MODE='--batch'
LOGLEVEL=ok ASK_LOGLEVEL=ok
;; ;;
-h | --help) -h | --help)
usage usage
@ -183,13 +192,12 @@ fi
[ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh [ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh
# shellcheck source=../etc/hardening.cfg # shellcheck source=../etc/hardening.cfg
[ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg [ -r "$CIS_ROOT_DIR"/etc/hardening.cfg ] && . "$CIS_ROOT_DIR"/etc/hardening.cfg
if [ "$ASK_LOGLEVEL" ]; then LOGLEVEL=$ASK_LOGLEVEL; fi
# shellcheck source=../lib/common.sh # shellcheck source=../lib/common.sh
[ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh [ -r "$CIS_ROOT_DIR"/lib/common.sh ] && . "$CIS_ROOT_DIR"/lib/common.sh
# shellcheck source=../lib/utils.sh # shellcheck source=../lib/utils.sh
[ -r "$CIS_ROOT_DIR"/lib/utils.sh ] && . "$CIS_ROOT_DIR"/lib/utils.sh [ -r "$CIS_ROOT_DIR"/lib/utils.sh ] && . "$CIS_ROOT_DIR"/lib/utils.sh
if [ "$BATCH_MODE" ]; then MACHINE_LOG_LEVEL=3; fi
# If --allow-service-list is specified, don't run anything, just list the supported services # If --allow-service-list is specified, don't run anything, just list the supported services
if [ "$ALLOW_SERVICE_LIST" = 1 ]; then if [ "$ALLOW_SERVICE_LIST" = 1 ]; then
declare -a HARDENING_EXCEPTIONS_LIST declare -a HARDENING_EXCEPTIONS_LIST
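Review bot: The new `--set-log-level)` arm only accepts the two-token form `--set-log-level <level>`, while the man page added in this same commit documents `--set-log-level=level`; the `=` spelling does not match this arm and falls through to whatever the default arm does, so the option is unusable as documented. The value is also stored unvalidated and copied straight into `LOGLEVEL` once the config files are sourced, so a typo such as `--set-log-level debgu` silently replaces the configured level with one the logger may not recognise. I would accept both spellings and validate against the documented set just before the `if [ "$ASK_LOGLEVEL" ]; then LOGLEVEL=$ASK_LOGLEVEL; fi` line. Note too that `--batch` and `--set-log-level` both write `ASK_LOGLEVEL`, so whichever appears last on the command line wins; if that is intended, a sentence in the usage text would save the next reader a look at the parser.
```shell
--set-log-level=*)
    ASK_LOGLEVEL=${1#*=}
    ;;
--set-log-level)
    ASK_LOGLEVEL=$2
    shift
    ;;
# … unchanged: remaining option arms, config sourcing …
case "$ASK_LOGLEVEL" in
    '' | info | warning | error | ok | debug) ;;
    *) echo "Unknown log level '$ASK_LOGLEVEL' (expected: info, warning, error, ok, debug)" >&2; exit 1 ;;
esac
if [ "$ASK_LOGLEVEL" ]; then LOGLEVEL=$ASK_LOGLEVEL; fi
```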


@ -17,28 +17,36 @@ HARDENING_LEVEL=2
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Disable mounting of freevxfs filesystems." DESCRIPTION="Disable mounting of freevxfs filesystems."
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
KERNEL_OPTION="CONFIG_VXFS_FS" KERNEL_OPTION="CONFIG_VXFS_FS"
MODULE_NAME="freevxfs" MODULE_NAME="freevxfs"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
crit "$KERNEL_OPTION is enabled!" ok "Container detected, consider host enforcing or disable this check!"
else else
ok "$KERNEL_OPTION is disabled" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
is_kernel_option_enabled "$KERNEL_OPTION" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" ok "Container detected, consider host enforcing!"
else else
ok "$KERNEL_OPTION is disabled, nothing to do" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }
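Review bot: Reporting `ok "Container detected, consider host enforcing or disable this check!"` turns an audit that could verify nothing into a pass, so a run inside a container shows this CIS item as compliant while the host kernel may still load `freevxfs`; a non-passing level (a skip/info result if the library has one, or at least `warn`) keeps the summary honest, and the same applies to the identical branches in the jffs2, hfs, hfsplus, squashfs, udf, usb-storage, dccp, sctp, rds and tipc scripts below. `[ "$IS_CONTAINER" -eq 1 ]` also assumes the variable is always set: sourced against a lib/utils.sh that predates this commit it becomes `[ "" -eq 1 ]`, which prints an "integer expression expected" error and drops into the else branch, whereas `[ "${IS_CONTAINER:-0}" -eq 1 ]` degrades cleanly. The container branch in apply() says "consider host enforcing" but gives no hint what that means; one line such as `# nothing to apply here: the module set is the host's, so enforce the blacklist on the host` would make the intent explicit. audit() and apply() are shown in full in this hunk.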


@ -17,28 +17,36 @@ HARDENING_LEVEL=2
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Disable mounting of jffs2 filesystems." DESCRIPTION="Disable mounting of jffs2 filesystems."
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
KERNEL_OPTION="CONFIG_JFFS2_FS" KERNEL_OPTION="CONFIG_JFFS2_FS"
MODULE_NAME="jffs2" MODULE_NAME="jffs2"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
crit "$KERNEL_OPTION is enabled!" ok "Container detected, consider host enforcing or disable this check!"
else else
ok "$KERNEL_OPTION is disabled" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
is_kernel_option_enabled "$KERNEL_OPTION" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" ok "Container detected, consider host enforcing!"
else else
ok "$KERNEL_OPTION is disabled, nothing to do" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }
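Review bot: jffs2 passes a third argument `"($MODULE_NAME|install)"` to `is_kernel_option_enabled`, as do the squashfs, udf and tipc scripts, while freevxfs, hfs, hfsplus, usb-storage, dccp, sctp and rds migrated in the same commit do not; nothing in the hunk says why these four need a modprobe output filter. If the reason is that `modprobe -n -v` prints dependency lines for them, a comment above the call, e.g. `# modprobe -n -v lists dependency modules too; keep only this module's own line and any install override`, would document the choice and tell a reader when to add the filter to a new script. Whether the argument has any effect depends on lib/utils.sh honouring it, which is worth confirming in that hunk before relying on it here.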


@ -17,28 +17,36 @@ HARDENING_LEVEL=2
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Disable mounting of hfs filesystems." DESCRIPTION="Disable mounting of hfs filesystems."
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
KERNEL_OPTION="CONFIG_HFS_FS" KERNEL_OPTION="CONFIG_HFS_FS"
MODULE_FILE="hfs" MODULE_NAME="hfs"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
crit "$KERNEL_OPTION is enabled!" ok "Container detected, consider host enforcing or disable this check!"
else else
ok "$KERNEL_OPTION is disabled" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
is_kernel_option_enabled "$KERNEL_OPTION" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" ok "Container detected, consider host enforcing!"
else else
ok "$KERNEL_OPTION is disabled, nothing to do" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }


@ -17,28 +17,36 @@ HARDENING_LEVEL=2
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Disable mounting of hfsplus filesystems." DESCRIPTION="Disable mounting of hfsplus filesystems."
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
KERNEL_OPTION="CONFIG_HFSPLUS_FS" KERNEL_OPTION="CONFIG_HFSPLUS_FS"
MODULE_FILE="hfsplus" MODULE_NAME="hfsplus"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
crit "$KERNEL_OPTION is enabled!" ok "Container detected, consider host enforcing or disable this check!"
else else
ok "$KERNEL_OPTION is disabled" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
is_kernel_option_enabled "$KERNEL_OPTION" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" ok "Container detected, consider host enforcing!"
else else
ok "$KERNEL_OPTION is disabled, nothing to do" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }


@ -17,31 +17,37 @@ HARDENING_LEVEL=2
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Disable mounting of squashfs filesytems." DESCRIPTION="Disable mounting of squashfs filesytems."
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
KERNEL_OPTION="CONFIG_SQUASHFS" KERNEL_OPTION="CONFIG_SQUASHFS"
MODULE_FILE="squashfs" MODULE_NAME="squashfs"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
crit "$KERNEL_OPTION is enabled!" ok "Container detected, consider host enforcing or disable this check!"
else else
ok "$KERNEL_OPTION is disabled" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
:
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
is_kernel_option_enabled "$KERNEL_OPTION" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" ok "Container detected, consider host enforcing!"
else else
ok "$KERNEL_OPTION is disabled, nothing to do" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
:
} }
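Review bot: The `:` left as the last statement of both audit() and apply() is dead code in the new shape: each function already ends on the closing `fi` of the container branch, and none of the sibling scripts rewritten in this commit keep it, so drop the two `:` lines to match them. If it was kept on purpose (some shells reject an empty function body, but these bodies are not empty), a short comment saying so would stop the next cleanup from removing it.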
# This function will check config parameters required # This function will check config parameters required


@ -17,28 +17,36 @@ HARDENING_LEVEL=2
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Disable mounting of udf filesystems." DESCRIPTION="Disable mounting of udf filesystems."
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
KERNEL_OPTION="CONFIG_UDF_FS" KERNEL_OPTION="CONFIG_UDF_FS"
MODULE_FILE="udf" MODULE_NAME="udf"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
crit "$KERNEL_OPTION is enabled!" ok "Container detected, consider host enforcing or disable this check!"
else else
ok "$KERNEL_OPTION is disabled" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
is_kernel_option_enabled "$KERNEL_OPTION" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" ok "Container detected, consider host enforcing!"
else else
ok "$KERNEL_OPTION is disabled, nothing to do" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }


@ -24,6 +24,7 @@ MODULE_FILE="vfat"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
# TODO check if uefi enabled if yes check if only boot partition use FAT
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!" crit "$KERNEL_OPTION is enabled!"
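Review bot: The vfat audit keeps the pre-commit shape in the lines shown — `is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"` with no `IS_CONTAINER` guard and the old `MODULE_FILE` variable — while every other filesystem script in this commit was moved to the `MODULE_NAME`/`IS_CONTAINER` pattern, so inside a container this one check still reports on the host kernel. If that is deliberate until the UEFI question is settled, extend the added comment to say so, e.g. `# TODO check if uefi enabled; if yes check that only the boot partition uses FAT (container handling deferred until then)`. audit() continues outside the hunk.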


@ -20,25 +20,35 @@ DESCRIPTION="Disable USB storage."
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels # Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
KERNEL_OPTION="CONFIG_USB_STORAGE" KERNEL_OPTION="CONFIG_USB_STORAGE"
MODULE_FILE="usb-storage" MODULE_NAME="usb-storage"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
crit "$KERNEL_OPTION is enabled!" ok "Container detected, consider host enforcing or disable this check!"
else else
ok "$KERNEL_OPTION is disabled" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
is_kernel_option_enabled "$KERNEL_OPTION" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" ok "Container detected, consider host enforcing!"
else else
ok "$KERNEL_OPTION is disabled, nothing to do" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }


@ -24,21 +24,31 @@ MODULE_NAME="dccp"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
crit "$KERNEL_OPTION is enabled!" ok "Container detected, consider host enforcing or disable this check!"
else else
ok "$KERNEL_OPTION is disabled" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
is_kernel_option_enabled "$KERNEL_OPTION" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" ok "Container detected, consider host enforcing!"
else else
ok "$KERNEL_OPTION is disabled, nothing to do" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }


@ -24,21 +24,31 @@ MODULE_NAME="sctp"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
crit "$KERNEL_OPTION is enabled!" ok "Container detected, consider host enforcing or disable this check!"
else else
ok "$KERNEL_OPTION is disabled" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
is_kernel_option_enabled "$KERNEL_OPTION" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" ok "Container detected, consider host enforcing!"
else else
ok "$KERNEL_OPTION is disabled, nothing to do" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }


@ -24,21 +24,31 @@ MODULE_NAME="rds"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
crit "$KERNEL_OPTION is enabled!" ok "Container detected, consider host enforcing or disable this check!"
else else
ok "$KERNEL_OPTION is disabled" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
is_kernel_option_enabled "$KERNEL_OPTION" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" ok "Container detected, consider host enforcing!"
else else
ok "$KERNEL_OPTION is disabled, nothing to do" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }


@ -24,21 +24,31 @@ MODULE_NAME="tipc"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
crit "$KERNEL_OPTION is enabled!" ok "Container detected, consider host enforcing or disable this check!"
else else
ok "$KERNEL_OPTION is disabled" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
is_kernel_option_enabled "$KERNEL_OPTION" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" ok "Container detected, consider host enforcing!"
else else
ok "$KERNEL_OPTION is disabled, nothing to do" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
else
ok "$MODULE_NAME is disabled"
fi
fi fi
} }


@ -127,6 +127,11 @@ Note that you need to provide a sudoers file with NOPASSWD option in
password. password.
Finally note that \f[C]--sudo\f[R] mode only works for audit mode. Finally note that \f[C]--sudo\f[R] mode only works for audit mode.
.TP .TP
.B \f[C]--set-log-level=level\f[R]
This option sets LOGLEVEL, you can choose : info, warning, error, ok,
debug.
Default value is : info
.TP
.B \f[C]--batch\f[R] .B \f[C]--batch\f[R]
While performing system audit, this option sets LOGLEVEL to `ok' and While performing system audit, this option sets LOGLEVEL to `ok' and
captures all output to print only one line once the check is done, captures all output to print only one line once the check is done,


@ -113,11 +113,36 @@ sudo_wrapper() {
fi fi
} }
#
# detect if container based on cgroup detection
#
is_running_in_container() {
awk -F/ '$2 == "'"$1"'"' /proc/self/cgroup
}
CONTAINER_TYPE=""
IS_CONTAINER=0
if [ "$(is_running_in_container "docker")" != "" ]; then
CONTAINER_TYPE="docker"
IS_CONTAINER=1
fi
if [ "$(is_running_in_container "lxc")" != "" ]; then
CONTAINER_TYPE="lxc"
IS_CONTAINER=1
fi
if [ "$(is_running_in_container "kubepods")" != "" ]; then
# shellcheck disable=SC2034
CONTAINER_TYPE="kubepods"
# shellcheck disable=SC2034
IS_CONTAINER=1
fi
# #
# Math functions # Math functions
# #
function div() { div() {
local _d=${3:-2} local _d=${3:-2}
local _n=0000000000 local _n=0000000000
_n=${_n:0:$_d} _n=${_n:0:$_d}
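Review bot: `is_running_in_container` splices its argument into the awk program text (`'$2 == "'"$1"'"'`); the three callers pass literals so nothing is at stake today, but `awk -F/ -v name="$1" '$2 == name' /proc/self/cgroup` is the conventional form and removes the quoting hazard for any future caller. The detection also looks only at the second path component of /proc/self/cgroup: on cgroup v2 hosts that file usually holds a single `0::/` line, so containers there may go undetected, and conversely any host process whose cgroup path starts with `docker`, `lxc` or `kubepods` sets `IS_CONTAINER=1` and turns the kernel-module checks in this commit into unconditional passes. Since one variable now downgrades a dozen CIS checks, emitting a debug line when `CONTAINER_TYPE` is set would make that outcome visible in the audit log rather than implicit in a row of "ok" results.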


@ -295,51 +295,90 @@ is_service_enabled() {
is_kernel_option_enabled() { is_kernel_option_enabled() {
local KERNEL_OPTION="$1" local KERNEL_OPTION="$1"
local MODULE_NAME="" local MODULE_NAME=""
local MODPROBE_FILTER=""
local RESULT="" local RESULT=""
local IS_MONOLITHIC_KERNEL=1
local DEF_MODULE=""
if [ $# -ge 2 ]; then if [ $# -ge 2 ]; then
MODULE_NAME="$2" MODULE_NAME="$2"
fi fi
if $SUDO_CMD [ -r "/proc/config.gz" ]; then if [ $# -ge 3 ]; then
RESULT=$($SUDO_CMD zgrep "^$KERNEL_OPTION=" /proc/config.gz) || : MODPROBE_FILTER="$3"
elif $SUDO_CMD [ -r "/boot/config-$(uname -r)" ]; then
RESULT=$($SUDO_CMD grep "^$KERNEL_OPTION=" "/boot/config-$(uname -r)") || :
else
debug "No information about kernel found, you're probably in a container"
FNRET=127
return
fi fi
ANSWER=$(cut -d = -f 2 <<<"$RESULT") debug "Detect if lsmod is available and does not return an error code (otherwise consider as a monolithic kernel"
if [ "x$ANSWER" = "xy" ]; then if $SUDO_CMD lsmod >/dev/null 2>&1; then
debug "Kernel option $KERNEL_OPTION enabled" IS_MONOLITHIC_KERNEL=0
FNRET=0
elif [ "x$ANSWER" = "xn" ]; then
debug "Kernel option $KERNEL_OPTION disabled"
FNRET=1
else
debug "Kernel option $KERNEL_OPTION not found"
FNRET=2 # Not found
fi fi
if $SUDO_CMD [ "$FNRET" -ne 0 ] && [ -n "$MODULE_NAME" ] && [ -d "/lib/modules/$(uname -r)" ]; then if [ $IS_MONOLITHIC_KERNEL -eq 1 ]; then
# also check in modules, because even if not =y, maybe if $SUDO_CMD [ -r "/proc/config.gz" ]; then
# the admin compiled it separately later (or out-of-tree) RESULT=$($SUDO_CMD zgrep "^$KERNEL_OPTION=" /proc/config.gz) || :
# as a module (regardless of the fact that we have =m or not) elif $SUDO_CMD [ -r "/boot/config-$(uname -r)" ]; then
debug "Checking if we have $MODULE_NAME.ko" RESULT=$($SUDO_CMD grep "^$KERNEL_OPTION=" "/boot/config-$(uname -r)") || :
local modulefile else
modulefile=$($SUDO_CMD find "/lib/modules/$(uname -r)/" -type f -name "$MODULE_NAME.ko") debug "No information about kernel found, you're probably in a container"
if $SUDO_CMD [ -n "$modulefile" ]; then FNRET=127
debug "We do have $modulefile!" return
# ... but wait, maybe it's blacklisted? check files in /etc/modprobe.d/ for "blacklist xyz" fi
if grep -qRE "^\s*blacklist\s+$MODULE_NAME\s*$" /etc/modprobe.d/; then
debug "... but it's blacklisted!" ANSWER=$(cut -d = -f 2 <<<"$RESULT")
FNRET=1 # Not found (found but blacklisted) if [ "x$ANSWER" = "xy" ]; then
# FIXME: even if blacklisted, it might be present in the initrd and debug "Kernel option $KERNEL_OPTION enabled"
# be insmod from there... but painful to check :/ maybe lsmod would be enough ? FNRET=0
elif [ "x$ANSWER" = "xn" ]; then
debug "Kernel option $KERNEL_OPTION disabled"
FNRET=1
else
debug "Kernel option $KERNEL_OPTION not found"
FNRET=2 # Not found
fi
if $SUDO_CMD [ "$FNRET" -ne 0 ] && [ -n "$MODULE_NAME" ] && [ -d "/lib/modules/$(uname -r)" ]; then
# also check in modules, because even if not =y, maybe
# the admin compiled it separately later (or out-of-tree)
# as a module (regardless of the fact that we have =m or not)
debug "Checking if we have $MODULE_NAME.ko"
local modulefile
modulefile=$($SUDO_CMD find "/lib/modules/$(uname -r)/" -type f -name "$MODULE_NAME.ko")
if $SUDO_CMD [ -n "$modulefile" ]; then
debug "We do have $modulefile!"
# ... but wait, maybe it's blacklisted? check files in /etc/modprobe.d/ for "blacklist xyz"
if grep -qRE "^\s*blacklist\s+$MODULE_NAME\s*$" /etc/modprobe.d/*.conf; then
debug "... but it's blacklisted!"
FNRET=1 # Not found (found but blacklisted)
fi
# ... but wait, maybe it's override ? check files in /etc/modprobe.d/ for "install xyz /bin/(true|false)"
if grep -aRE "^\s*install\s+$MODULE_NAME\s+/bin/(true|false)\s*$" /etc/modprobe.d/*.conf; then
debug "... but it's override!"
FNRET=1 # Not found (found but override)
fi
FNRET=0 # Found!
fi fi
FNRET=0 # Found! fi
else
if [ "$FILTER" != "" ]; then
DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | grep -E "$MODPROBE_FILTER" | xargs)"
else
DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | xargs)"
fi
if [ "$DEF_MODULE" == "install /bin/true" ] || [ "$DEF_MODULE" == "install /bin/false" ]; then
debug "$MODULE_NAME is disabled (blacklist with override)"
FNRET=1
elif [ "$DEF_MODULE" == "" ]; then
debug "$MODULE_NAME is disabled"
FNRET=1
else
debug "$MODULE_NAME is enabled"
FNRET=0
fi
if [ "$($SUDO_CMD lsmod | grep -E "$MODULE_NAME" 2>/dev/null)" != "" ]; then
debug "$MODULE_NAME is enabled"
FNRET=0
fi fi
fi fi
} }
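Review bot: In the modular-kernel branch the filter is tested through `$FILTER` (`if [ "$FILTER" != "" ]`) while the local that receives the third argument is `MODPROBE_FILTER`, so the filter never applies and the callers that pass `"($MODULE_NAME|install)"` get the unfiltered path (under `set -u` the test itself would fail). In the monolithic branch the unconditional `FNRET=0 # Found!` after the two modprobe.d checks overwrites the `FNRET=1` that the blacklist and install-override checks just set, so a module the administrator has disabled is still reported as enabled; setting `FNRET=0` before those checks fixes the order, and the new `grep -aRE` install check needs `-q` or its matches are printed to stdout. Finally `lsmod | grep -E "$MODULE_NAME"` is unanchored, so it matches substrings in the name and dependent-modules columns (`hfs` matches an `hfsplus` line), and lsmod prints names with underscores, so `usb-storage` can never match `usb_storage`; anchoring on the normalised name handles both. The function's closing brace is inside the hunk.
```shell
if $SUDO_CMD [ -n "$modulefile" ]; then
    debug "We do have $modulefile!"
    FNRET=0 # Found! (downgraded below if modprobe.d disables it)
    # ... but wait, maybe it's blacklisted? check files in /etc/modprobe.d/ for "blacklist xyz"
    if grep -qRE "^\s*blacklist\s+$MODULE_NAME\s*$" /etc/modprobe.d/*.conf; then
        debug "... but it's blacklisted!"
        FNRET=1 # Not found (found but blacklisted)
    fi
    # ... but wait, maybe it's override ? check files in /etc/modprobe.d/ for "install xyz /bin/(true|false)"
    if grep -qaRE "^\s*install\s+$MODULE_NAME\s+/bin/(true|false)\s*$" /etc/modprobe.d/*.conf; then
        debug "... but it's override!"
        FNRET=1 # Not found (found but override)
    fi
fi
# … unchanged: close of the monolithic branch …
else
    if [ "$MODPROBE_FILTER" != "" ]; then
# … unchanged: modprobe -n -v probing and DEF_MODULE evaluation …
    # lsmod prints names with '_' and lists dependents in a later column: anchor on the normalised name
    if [ "$($SUDO_CMD lsmod 2>/dev/null | grep -E "^${MODULE_NAME//-/_}[[:space:]]")" != "" ]; then
```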


@ -1,11 +1,15 @@
# shellcheck shell=bash # shellcheck shell=bash
# run-shellcheck # run-shellcheck
test_audit() { test_audit() {
describe Running on blank host if [ -f "/.dockerenv" ]; then
register_test retvalshouldbe 0 skip "SKIPPED on docker"
dismiss_count_for_test else
# shellcheck disable=2154 describe Running on blank host
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
################################################################## ##################################################################
# For this test, we only check that it runs properly on a blank # # For this test, we only check that it runs properly on a blank #
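Review bot: The guard added at the top of test_audit skips only when Docker's `/.dockerenv` marker exists, so the same audit is still executed unchanged under any other container runtime, and the reason for skipping survives only as the one-word message `SKIPPED on docker`. The three following test files in this commit carry the identical guard, so the rationale is now duplicated four times with no comment; if the intent is that the checked behaviour cannot be exercised inside a container that shares the host kernel, a comment above the `if` such as `# presumably not testable in a container sharing the host kernel -- confirm` would record that, and moving the detection into a helper in the shared test library would keep the four copies from drifting. The `# shellcheck disable=2154` directive still sits on the line directly before `run`, so it keeps applying after the re-indentation. The remainder of the hunk is cut off by the rendering, so I cannot tell whether the function body continues past what is shown.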


@ -1,11 +1,15 @@
# shellcheck shell=bash # shellcheck shell=bash
# run-shellcheck # run-shellcheck
test_audit() { test_audit() {
describe Running on blank host if [ -f "/.dockerenv" ]; then
register_test retvalshouldbe 0 skip "SKIPPED on docker"
dismiss_count_for_test else
# shellcheck disable=2154 describe Running on blank host
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
################################################################## ##################################################################
# For this test, we only check that it runs properly on a blank # # For this test, we only check that it runs properly on a blank #


@ -1,11 +1,15 @@
# shellcheck shell=bash # shellcheck shell=bash
# run-shellcheck # run-shellcheck
test_audit() { test_audit() {
describe Running on blank host if [ -f "/.dockerenv" ]; then
register_test retvalshouldbe 0 skip "SKIPPED on docker"
dismiss_count_for_test else
# shellcheck disable=2154 describe Running on blank host
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
################################################################## ##################################################################
# For this test, we only check that it runs properly on a blank # # For this test, we only check that it runs properly on a blank #


@ -1,11 +1,15 @@
# shellcheck shell=bash # shellcheck shell=bash
# run-shellcheck # run-shellcheck
test_audit() { test_audit() {
describe Running on blank host if [ -f "/.dockerenv" ]; then
register_test retvalshouldbe 0 skip "SKIPPED on docker"
dismiss_count_for_test else
# shellcheck disable=2154 describe Running on blank host
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
################################################################## ##################################################################
# For this test, we only check that it runs properly on a blank # # For this test, we only check that it runs properly on a blank #