diff --git a/bin/hardening/2.2_tmp_nodev.sh b/bin/hardening/2.2_tmp_nodev.sh
new file mode 100755
index 0000000..6b34d0f
--- /dev/null
+++ b/bin/hardening/2.2_tmp_nodev.sh
@@ -0,0 +1,80 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 2.2 Set nodev option for /tmp Partition (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# Quick factoring as many script use the same logic
+PARTITION="/tmp"
+OPTION="nodev"
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Verifying that $PARTITION is a partition"
+ FNRET=0
+ is_a_partition "$PARTITION"
+ if [ $FNRET -gt 0 ]; then
+ crit "$PARTITION is not a partition"
+ FNRET=2
+ else
+ ok "$PARTITION is a partition"
+ has_mount_option $PARTITION $OPTION
+ if [ $FNRET -gt 0 ]; then
+ crit "$PARTITION have no option $OPTION in fstab !"
+ FNRET=1
+ else
+ ok "$PARTITION have $OPTION in fstab"
+ has_mounted_option $PARTITION $OPTION
+ if [ $FNRET -gt 0 ]; then
+ warn "$PARTITION is not mounted with $OPTION at runtime"
+ FNRET=3
+ else
+ ok "$PARTITION mounted with $OPTION"
+ fi
+ fi
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ if [ $FNRET = 0 ]; then
+ ok "$PARTITION is correctly set"
+ elif [ $FNRET = 2 ]; then
+ crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
+ elif [ $FNRET = 1 ]; then
+ info "Adding $OPTION to fstab"
+ add_option_to_fstab $PARTITION $OPTION
+ info "Remounting $PARTITION from fstab"
+ remount_partition $PARTITION
+ elif [ $FNRET = 3 ]; then
+ info "Remounting $PARTITION from fstab"
+ remount_partition $PARTITION
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ # No param for this script
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/etc/conf.d/2.2_tmp_nodev.cfg b/etc/conf.d/2.2_tmp_nodev.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/2.2_tmp_nodev.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/hardening.cfg b/etc/hardening.cfg
index 0d0c454..2668c89 100644
--- a/etc/hardening.cfg
+++ b/etc/hardening.cfg
@@ -3,3 +3,7 @@ # Valid values are debug info warning error LOGLEVEL=debug + +# Backup directory, every file touched by hardennign will be backuped here, with versionning +# Means that if a file is modified more than once during the process, you will have hardening step diffs in the folder +BACKUPDIR="$CIS_ROOT_DIR/tmp/backups"
diff --git a/lib/common.sh b/lib/common.sh
index cadf77e..573474c 100644
--- a/lib/common.sh
+++ b/lib/common.sh
@@ -1,6 +1,26 @@ # CIS Debian 7 Hardening common functions +# +# File Backup functions +# +backup_file() { + FILE=$1 + if [ ! -f $FILE ]; then + crit "Cannot backup $FILE, it's not a file" + FNRET=1 + else + TARGET=$(echo $FILE | sed -s 's/\//./g' | sed -s 's/^.//' | sed -s "s/$/.$(date +%F-%T)/" ) + TARGET="$BACKUPDIR/$TARGET" + debug "Backuping $FILE to $TARGET" + cp -a $FILE $TARGET + FNRET=0 + fi +} + + +# # Logging functions +# case $LOGLEVEL in error )
diff --git a/lib/constants.sh b/lib/constants.sh
index 682a71d..dc98747 100644
--- a/lib/constants.sh
+++ b/lib/constants.sh
@@ -1,23 +1,9 @@ # Defines constants for CIS Debian 7 Hardening -# +# Script and shell commands homogeneity +export LANG=C - - - - - - - - - - - - - - - -#### Useful Colot constants settings for loglevels +#### Useful Color constants settings for loglevels # Reset Color (for syslog) NC='\033[0m'
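Review bot: In the block that sources /etc/default/cis-hardenning, the `echo "No CIS_ROOT_DIR variable, aborting"` branch has no `exit`, so the script does not abort there: it falls through to the final `[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh`, which silently does nothing and leaves the exit status to that `&&` list instead of the 128 the missing-file branch uses. Adding `exit 128` after the echo makes the two failure paths behave the same. The test is only reached when the file sets the variable to an empty string; when the file does not define it at all, `set -u` kills the script at `[ -z $CIS_ROOT_DIR ]` with bash's own message, so `[ -z "${CIS_ROOT_DIR:-}" ]` gives the intended diagnostic in both cases and also quotes the expansion, as the sourcing line should.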
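Review bot: `backup_file` only reports a failed backup through `FNRET=1`, and its one caller in this commit, `add_option_to_fstab` in lib/utils.sh, does not look at FNRET before running `sed -i` on /etc/fstab, so the in-place edit goes ahead without the copy it was meant to be protected by. The copy can also fail for a mundane reason: nothing creates `$BACKUPDIR` (the `tmp/backups/.gitignore` placeholder only exists in a git checkout), and `cp -a $FILE $TARGET` is unquoted while `FNRET=0` is set whether or not `cp` succeeded. `mkdir -p -- "$BACKUPDIR"` before the copy, then `if cp -a -- "$FILE" "$TARGET"; then FNRET=0; else FNRET=1; fi`, lets the function say what actually happened, and the caller should stop when FNRET is non-zero. `FILE` and `TARGET` are also left global here, unlike the `local` variables used by the helpers in lib/utils.sh.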
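Review bot: `export LANG=C` does not pin the locale when a stronger variable is already set: `LC_ALL` and the per-category `LC_*` variables take precedence over `LANG`, so a caller running with `LC_ALL=fr_FR.UTF-8` still gets localized tool output. That matters because this commit also drops the per-command `LANGUAGE=C` from the `apt-get upgrade -s` line in `apt_check_updates` (lib/utils.sh) on the strength of this export; whether apt localizes the `Inst` lines that `grep -E "^Inst"` counts I have not checked, but the script no longer controls it. `export LC_ALL=C` is the variable that wins for the whole run; if that is too broad, `LC_ALL=C apt-get upgrade -s 2>/dev/null | grep -E "^Inst" > $DETAILS || :` keeps the override on the one command that parses output.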
diff --git a/lib/utils.sh b/lib/utils.sh
index 414eaa4..5a2e081 100644
--- a/lib/utils.sh
+++ b/lib/utils.sh
@@ -2,40 +2,85 @@ -# -# Return if a package is installed -# @param $1 package name -# -is_installed() -{ - PKG_NAME=$1 - if `dpkg -s $PKG_NAME 2> /dev/null | grep -q '^Status: install '` ; then - return 0 - fi - return 1 -} +# +# Mounting point manipulation +# + +# Verify $1 is a partition declared in fstab is_a_partition() { local PARTITION_NAME=$1 FNRET=128 if $(grep "[[:space:]]$1[[:space:]]" /etc/fstab | grep -vqE "^#"); then + debug "$PARTITION found in fstab" FNRET=0 else + debug "Unable to find $PARTITION in fstab" FNRET=1 fi } +# Verify that $1 is mounted at runtime is_mounted() { local PARTITION_NAME=$1 if $(grep -q "[[:space:]]$1[[:space:]]" /proc/mounts); then + debug "$PARTITION found in /proc/mounts, it's mounted" FNRET=0 else + debug "Unable to find $PARTITION in /proc/mounts" FNRET=1 fi } -# contains helper functions to work with apt +# Verify $1 has the proper option $2 in fstab +has_mount_option() { + local PARTITION=$1 + local OPTION=$2 + if $(grep "[[:space:]]$1[[:space:]]" /etc/fstab | grep -vE "^#" | awk {'print $4'} | grep -q "$2"); then + debug "$OPTION has been detected in fstab for partition $PARTITION" + FNRET=0 + else + debug "Unable to find $OPTION in fstab for partition $PARTITION" + FNRET=1 + fi +} + +# Verify $1 has the proper option $2 at runtime +has_mounted_option() { + local PARTITION=$1 + local OPTION=$2 + if $(grep "[[:space:]]$1[[:space:]]" /proc/mounts | awk {'print $4'} | grep -q "$2"); then + debug "$OPTION has been detected in /proc/mounts for partition $PARTITION" + FNRET=0 + else + debug "Unable to find $OPTION in /proc/mounts for partition $PARTITION" + FNRET=1 + fi +} + +# Setup mount option in fstab +add_option_to_fstab() { + local PARTITION=$1 + local OPTION=$2 + debug "Setting $OPTION for $PARTITION in fstab" + backup_file "/etc/fstab" + # For example : + # /dev/sda9 /home ext4 auto,acl,errors=remount-ro 0 2 + # /dev/sda9 /home ext4 auto,acl,errors=remount-ro,nodev 0 2 + debug "Sed command : sed -ie 
\"s;\(.*\)\(\s*\)\s\($PARTITION\)\s\(\s*\)\(\w*\)\(\s*\)\(\w*\)*;\1\2 \3 \4\5\6\7,$OPTION;\" /etc/fstab" + sed -ie "s;\(.*\)\(\s*\)\s\($PARTITION\)\s\(\s*\)\(\w*\)\(\s*\)\(\w*\)*;\1\2 \3 \4\5\6\7,$OPTION;" /etc/fstab +} + +remount_partition() { + local PARTITION=$1 + debug "Remounting $PARTITION" + mount -o remount $PARTITION +} + +# +# Helper functions to work with apt +# apt_update_if_needed() {
@@ -57,7 +102,7 @@ apt_check_updates()
 {
 local NAME="$1"
 local DETAILS="/dev/shm/${NAME}"
- LANGUAGE=C apt-get upgrade -s 2>/dev/null | grep -E "^Inst" > $DETAILS || :
+ apt-get upgrade -s 2>/dev/null | grep -E "^Inst" > $DETAILS || :
 local COUNT=$(wc -l < "$DETAILS")
 FNRET=128 # Unknown function return result
 RESULT="" # Result output for upgrade
@@ -70,3 +115,16 @@ apt_check_updates()
 fi
 rm $DETAILS
 }
+
+#
+# Returns if a package is installed
+#
+
+is_installed()
+{
+ PKG_NAME=$1
+ if `dpkg -s $PKG_NAME 2> /dev/null | grep -q '^Status: install '` ; then
+ FNRET=0
+ fi
+ FNRET=1
+}
diff --git a/tmp/backups/.gitignore b/tmp/backups/.gitignore
new file mode 100644
index 0000000..6b1ce3f
--- /dev/null
+++ b/tmp/backups/.gitignore
@@ -0,0 +1,2 @@
+# Ignore everything, this is a place holder for the git
+*
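Review bot: `has_mount_option` and `has_mounted_option` test the options field with `grep -q "$2"`, a substring match, so an option is reported present when it only occurs inside another token — `ro` inside `errors=remount-ro`, for instance — and the audit passes on a partition that does not carry it. `awk '{print $4}' | tr ',' '\n' | grep -qx -- "$2"` matches the option as a whole token in both helpers. The debug lines added to `is_a_partition` and `is_mounted` expand `$PARTITION` while the local those functions declare is `PARTITION_NAME`, so the message shows whichever global the caller happens to have, and an unset one trips the callers' `set -u`. In `add_option_to_fstab`, GNU sed reads `-ie` as `-i` with backup suffix `e`, leaving a stray `/etc/fstabe` behind after every run; `sed -i -e` or an explicit dated suffix is presumably what was intended, and `$PARTITION` goes into that regex unescaped, which is fine for `/tmp` but breaks for a mount point containing `;`.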
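Review bot: The re-added `is_installed` always ends with `FNRET=1`: the `FNRET=0` inside the `if` is overwritten by the unconditional assignment that follows it, so every caller now sees the package as not installed, whereas the removed version returned 0 or 1 from inside the branches. `if dpkg -s "$PKG_NAME" 2>/dev/null | grep -q '^Status: install '; then FNRET=0; else FNRET=1; fi` restores the intent and drops the backtick form, which only works because bash hands an empty command the status of its substitution. `PKG_NAME` should be `local` like the variables in the surrounding helpers.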