From 0ca73899d33d798aded06820248eadee7df706e7 Mon Sep 17 00:00:00 2001
From: Thibault Ayanides
Date: Mon, 4 Jan 2021 10:10:47 +0100
Subject: [PATCH] ADD(4.2.2.x): add journald checks

---
 bin/hardening/4.2.2.1_journald_logs.sh | 50 ++++++++++++++++++-
 bin/hardening/4.2.2.2_journald_compress.sh | 50 ++++++++++++++++++-
 .../4.2.2.3_journald_write_persistent.sh | 50 ++++++++++++++++++-
 tests/hardening/4.2.2.1_journald_logs.sh | 18 ++++++-
 tests/hardening/4.2.2.2_journald_compress.sh | 18 ++++++-
 .../4.2.2.3_journald_write_persistent.sh | 18 ++++++-
 6 files changed, 195 insertions(+), 9 deletions(-)

diff --git a/bin/hardening/4.2.2.1_journald_logs.sh b/bin/hardening/4.2.2.1_journald_logs.sh
index 95916d5..4e47970 100755
--- a/bin/hardening/4.2.2.1_journald_logs.sh
+++ b/bin/hardening/4.2.2.1_journald_logs.sh
@@ -17,14 +17,60 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Configure journald to send logs to syslog-ng."
 
+FILE='/etc/systemd/journald.conf'
+OPTIONS='ForwardToSyslog=yes'
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
- :
+ does_file_exist "$FILE"
+ if [ "$FNRET" != 0 ]; then
+ crit "$FILE does not exist"
+ else
+ ok "$FILE exists, checking configuration"
+ for JOURNALD_OPTION in $OPTIONS; do
+ JOURNALD_PARAM=$(echo "$JOURNALD_OPTION" | cut -d= -f 1)
+ JOURNALD_VALUE=$(echo "$JOURNALD_OPTION" | cut -d= -f 2)
+ PATTERN="^$JOURNALD_PARAM=$JOURNALD_VALUE"
+ debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
+ does_pattern_exist_in_file "$FILE" "$PATTERN"
+ if [ "$FNRET" != 0 ]; then
+ crit "$PATTERN is not present in $FILE"
+ else
+ ok "$PATTERN is present in $FILE"
+ fi
+ done
+ fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
- :
+ does_file_exist "$FILE"
+ if [ "$FNRET" != 0 ]; then
+ warn "$FILE does not exist, creating it"
+ touch "$FILE"
+ else
+ ok "$FILE exists"
+ fi
+ for JOURNALD_OPTION in $OPTIONS; do
+ JOURNALD_PARAM=$(echo "$JOURNALD_OPTION" | cut -d= -f 1)
+ JOURNALD_VALUE=$(echo "$JOURNALD_OPTION" | cut -d= -f 2)
+ debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
+ PATTERN="^$JOURNALD_PARAM=$JOURNALD_VALUE"
+ does_pattern_exist_in_file "$FILE" "$PATTERN"
+ if [ "$FNRET" != 0 ]; then
+ warn "$PATTERN is not present in $FILE, adding it"
+ does_pattern_exist_in_file "$FILE" "^$JOURNALD_PARAM"
+ if [ "$FNRET" != 0 ]; then
+ info "Parameter $JOURNALD_PARAM seems absent from $FILE, adding at the end"
+ add_end_of_file "$FILE" "$JOURNALD_PARAM = $JOURNALD_VALUE"
+ else
+ info "Parameter $JOURNALD_PARAM is present but with the wrong value -- Fixing"
+ replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=$JOURNALD_VALUE"
+ fi
+ else
+ ok "$PATTERN is present in $FILE"
+ fi
+ done
 }
 
 # This function will check config parameters required
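Review bot: In apply(), the absent-parameter branch appends `ForwardToSyslog = yes` (spaces around `=`) through add_end_of_file, while audit() only accepts lines matching `^ForwardToSyslog=yes`, so on a file where the key is missing or only present as a commented default (which `^$JOURNALD_PARAM` does not match) apply leaves the next audit still failing. Change the appended line to `add_end_of_file "$FILE" "$JOURNALD_PARAM=$JOURNALD_VALUE"` so it matches `$PATTERN` and the replace_in_file form. The same mismatch is copied into 4.2.2.2_journald_compress.sh and 4.2.2.3_journald_write_persistent.sh. Separately, when `touch "$FILE"` creates the file, the appended key ends up outside any `[Journal]` section; as far as I recall systemd ignores assignments outside a section, so writing the section header when creating the file is worth confirming and adding.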
diff --git a/bin/hardening/4.2.2.2_journald_compress.sh b/bin/hardening/4.2.2.2_journald_compress.sh
index e02d8be..324f592 100755
--- a/bin/hardening/4.2.2.2_journald_compress.sh
+++ b/bin/hardening/4.2.2.2_journald_compress.sh
@@ -17,14 +17,60 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Configure journald to send logs to syslog-ng."
 
+FILE='/etc/systemd/journald.conf'
+OPTIONS='Compress=yes'
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
- :
+ does_file_exist "$FILE"
+ if [ "$FNRET" != 0 ]; then
+ crit "$FILE does not exist"
+ else
+ ok "$FILE exists, checking configuration"
+ for JOURNALD_OPTION in $OPTIONS; do
+ JOURNALD_PARAM=$(echo "$JOURNALD_OPTION" | cut -d= -f 1)
+ JOURNALD_VALUE=$(echo "$JOURNALD_OPTION" | cut -d= -f 2)
+ PATTERN="^$JOURNALD_PARAM=$JOURNALD_VALUE"
+ debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
+ does_pattern_exist_in_file "$FILE" "$PATTERN"
+ if [ "$FNRET" != 0 ]; then
+ crit "$PATTERN is not present in $FILE"
+ else
+ ok "$PATTERN is present in $FILE"
+ fi
+ done
+ fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
- :
+ does_file_exist "$FILE"
+ if [ "$FNRET" != 0 ]; then
+ warn "$FILE does not exist, creating it"
+ touch "$FILE"
+ else
+ ok "$FILE exists"
+ fi
+ for JOURNALD_OPTION in $OPTIONS; do
+ JOURNALD_PARAM=$(echo "$JOURNALD_OPTION" | cut -d= -f 1)
+ JOURNALD_VALUE=$(echo "$JOURNALD_OPTION" | cut -d= -f 2)
+ debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
+ PATTERN="^$JOURNALD_PARAM=$JOURNALD_VALUE"
+ does_pattern_exist_in_file "$FILE" "$PATTERN"
+ if [ "$FNRET" != 0 ]; then
+ warn "$PATTERN is not present in $FILE, adding it"
+ does_pattern_exist_in_file "$FILE" "^$JOURNALD_PARAM"
+ if [ "$FNRET" != 0 ]; then
+ info "Parameter $JOURNALD_PARAM seems absent from $FILE, adding at the end"
+ add_end_of_file "$FILE" "$JOURNALD_PARAM = $JOURNALD_VALUE"
+ else
+ info "Parameter $JOURNALD_PARAM is present but with the wrong value -- Fixing"
+ replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=$JOURNALD_VALUE"
+ fi
+ else
+ ok "$PATTERN is present in $FILE"
+ fi
+ done
 }
 
 # This function will check config parameters required
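Review bot: The DESCRIPTION context line at the top of this hunk still reads "Configure journald to send logs to syslog-ng." while the script now enforces `Compress=yes`; the string is pre-existing, but this commit is the point at which the check gets its real meaning, so the copy-paste leftover should go with it, e.g. `DESCRIPTION="Configure journald to compress journal data."`. Anyone reading audit output or the generated report would otherwise attribute a Compress finding to syslog forwarding.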
diff --git a/bin/hardening/4.2.2.3_journald_write_persistent.sh b/bin/hardening/4.2.2.3_journald_write_persistent.sh
index b1ef893..6eb43ff 100755
--- a/bin/hardening/4.2.2.3_journald_write_persistent.sh
+++ b/bin/hardening/4.2.2.3_journald_write_persistent.sh
@@ -17,14 +17,60 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Configure journald to write to a persistent location."
 
+FILE='/etc/systemd/journald.conf'
+OPTIONS='Storage=persistent'
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
- :
+ does_file_exist "$FILE"
+ if [ "$FNRET" != 0 ]; then
+ crit "$FILE does not exist"
+ else
+ ok "$FILE exists, checking configuration"
+ for JOURNALD_OPTION in $OPTIONS; do
+ JOURNALD_PARAM=$(echo "$JOURNALD_OPTION" | cut -d= -f 1)
+ JOURNALD_VALUE=$(echo "$JOURNALD_OPTION" | cut -d= -f 2)
+ PATTERN="^$JOURNALD_PARAM=$JOURNALD_VALUE"
+ debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
+ does_pattern_exist_in_file "$FILE" "$PATTERN"
+ if [ "$FNRET" != 0 ]; then
+ crit "$PATTERN is not present in $FILE"
+ else
+ ok "$PATTERN is present in $FILE"
+ fi
+ done
+ fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
- :
+ does_file_exist "$FILE"
+ if [ "$FNRET" != 0 ]; then
+ warn "$FILE does not exist, creating it"
+ touch "$FILE"
+ else
+ ok "$FILE exists"
+ fi
+ for JOURNALD_OPTION in $OPTIONS; do
+ JOURNALD_PARAM=$(echo "$JOURNALD_OPTION" | cut -d= -f 1)
+ JOURNALD_VALUE=$(echo "$JOURNALD_OPTION" | cut -d= -f 2)
+ debug "$JOURNALD_PARAM should be set to $JOURNALD_VALUE"
+ PATTERN="^$JOURNALD_PARAM=$JOURNALD_VALUE"
+ does_pattern_exist_in_file "$FILE" "$PATTERN"
+ if [ "$FNRET" != 0 ]; then
+ warn "$PATTERN is not present in $FILE, adding it"
+ does_pattern_exist_in_file "$FILE" "^$JOURNALD_PARAM"
+ if [ "$FNRET" != 0 ]; then
+ info "Parameter $JOURNALD_PARAM seems absent from $FILE, adding at the end"
+ add_end_of_file "$FILE" "$JOURNALD_PARAM = $JOURNALD_VALUE"
+ else
+ info "Parameter $JOURNALD_PARAM is present but with the wrong value -- Fixing"
+ replace_in_file "$FILE" "^$JOURNALD_PARAM=.*" "$JOURNALD_PARAM=$JOURNALD_VALUE"
+ fi
+ else
+ ok "$PATTERN is present in $FILE"
+ fi
+ done
 }
 
 # This function will check config parameters required
diff --git a/tests/hardening/4.2.2.1_journald_logs.sh b/tests/hardening/4.2.2.1_journald_logs.sh
index f85b20d..b757c05 100644
--- a/tests/hardening/4.2.2.1_journald_logs.sh
+++ b/tests/hardening/4.2.2.1_journald_logs.sh
@@ -7,5 +7,21 @@ test_audit() {
 # shellcheck disable=2154
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
- # TODO fill comprehensive tests
+ local FILE="/etc/systemd/journald.conf"
+
+ describe Tests purposely failing
+ echo "ForwardToSyslog=no" >>"$FILE"
+ register_test retvalshouldbe 1
+ register_test contain "$FILE exists, checking configuration"
+ register_test contain "is not present in $FILE"
+ run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ describe correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+ describe Checking resolved state
+ register_test retvalshouldbe 0
+ register_test contain "is present in $FILE"
+ run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
diff --git a/tests/hardening/4.2.2.2_journald_compress.sh b/tests/hardening/4.2.2.2_journald_compress.sh
index f85b20d..fd8c992 100644
--- a/tests/hardening/4.2.2.2_journald_compress.sh
+++ b/tests/hardening/4.2.2.2_journald_compress.sh
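Review bot: The noncompliant scenario seeds the file with `echo "ForwardToSyslog=no" >>"$FILE"`, so apply() always takes the replace_in_file branch; the add_end_of_file branch — the one taken on a journald.conf where the key is missing or only present as a commented default, and the one whose output format (`Param = value`) differs from the audit pattern — is never exercised, so the resolved-state check cannot catch that case. Add a second scenario that deletes the key before running apply and then checks the resolved state, as sketched below (assuming the first argument of `run` is a free-form scenario label, as `blank`/`noncompliant`/`resolved` suggest). The same gap exists in tests/hardening/4.2.2.2_journald_compress.sh and 4.2.2.3_journald_write_persistent.sh. test_audit() starts outside the hunk.
```shell
    # … unchanged: existing noncompliant / correcting / resolved scenarios …

    describe Tests purposely failing with the key absent
    sed -i '/^ForwardToSyslog=/d' "$FILE"
    register_test retvalshouldbe 1
    register_test contain "is not present in $FILE"
    run noncompliant_absent /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

    describe correcting situation with the key absent
    /opt/debian-cis/bin/hardening/"${script}".sh --apply || true

    describe Checking resolved state with the key absent
    register_test retvalshouldbe 0
    register_test contain "is present in $FILE"
    run resolved_absent /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
```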
@@ -7,5 +7,21 @@ test_audit() {
 # shellcheck disable=2154
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
- # TODO fill comprehensive tests
+ local FILE="/etc/systemd/journald.conf"
+
+ describe Tests purposely failing
+ echo "Compress=no" >>"$FILE"
+ register_test retvalshouldbe 1
+ register_test contain "$FILE exists, checking configuration"
+ register_test contain "is not present in $FILE"
+ run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ describe correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+ describe Checking resolved state
+ register_test retvalshouldbe 0
+ register_test contain "is present in $FILE"
+ run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
diff --git a/tests/hardening/4.2.2.3_journald_write_persistent.sh b/tests/hardening/4.2.2.3_journald_write_persistent.sh
index f85b20d..7c5a1c9 100644
--- a/tests/hardening/4.2.2.3_journald_write_persistent.sh
+++ b/tests/hardening/4.2.2.3_journald_write_persistent.sh
@@ -7,5 +7,21 @@ test_audit() {
 # shellcheck disable=2154
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
- # TODO fill comprehensive tests
+ local FILE="/etc/systemd/journald.conf"
+
+ describe Tests purposely failing
+ echo "Storage=none" >>"$FILE"
+ register_test retvalshouldbe 1
+ register_test contain "$FILE exists, checking configuration"
+ register_test contain "is not present in $FILE"
+ run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ describe correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+ describe Checking resolved state
+ register_test retvalshouldbe 0
+ register_test contain "is present in $FILE"
+ run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }