From 0ce0b23dc8c59cfe04f232d9c3edf47b575d278b Mon Sep 17 00:00:00 2001 From: "thibault.dewailly" Date: Thu, 14 Apr 2016 14:07:00 +0200 Subject: [PATCH] 8.1.4_record_date_time_edit.sh 8.1.5_record_user_group_edit.sh --- bin/hardening/8.1.4_record_date_time_edit.sh | 69 +++++++++++++++++++ bin/hardening/8.1.5_record_user_group_edit.sh | 69 +++++++++++++++++++ etc/conf.d/8.1.4_record_date_time_edit.cfg | 2 + etc/conf.d/8.1.5_record_user_group_edit.cfg | 2 + lib/utils.sh | 3 +- 5 files changed, 144 insertions(+), 1 deletion(-) create mode 100755 bin/hardening/8.1.4_record_date_time_edit.sh create mode 100755 bin/hardening/8.1.5_record_user_group_edit.sh create mode 100644 etc/conf.d/8.1.4_record_date_time_edit.cfg create mode 100644 etc/conf.d/8.1.5_record_user_group_edit.cfg diff --git a/bin/hardening/8.1.4_record_date_time_edit.sh b/bin/hardening/8.1.4_record_date_time_edit.sh new file mode 100755 index 0000000..f1ac82b --- /dev/null +++ b/bin/hardening/8.1.4_record_date_time_edit.sh @@ -0,0 +1,69 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 8.1.4 Record Events That Modify Date and Time Information (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +AUDIT_PARAMS='-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change' +FILE='/etc/audit/audit.rules' + +# This function will be called if the script status is on enabled / audit mode +audit () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + eval $(pkill -HUP -P 1 auditd) + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/8.1.5_record_user_group_edit.sh b/bin/hardening/8.1.5_record_user_group_edit.sh new file mode 100755 index 0000000..e181316 --- /dev/null +++ b/bin/hardening/8.1.5_record_user_group_edit.sh @@ -0,0 +1,69 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 8.1.5 Record Events That Modify User/Group Information (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +AUDIT_PARAMS='-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity' +FILE='/etc/audit/audit.rules' + +# This function will be called if the script status is on enabled / audit mode +audit () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + eval $(pkill -HUP -P 1 auditd) + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/etc/conf.d/8.1.4_record_date_time_edit.cfg b/etc/conf.d/8.1.4_record_date_time_edit.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/8.1.4_record_date_time_edit.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/8.1.5_record_user_group_edit.cfg b/etc/conf.d/8.1.5_record_user_group_edit.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/8.1.5_record_user_group_edit.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/lib/utils.sh b/lib/utils.sh index 6308adb..50f965d 100644 --- a/lib/utils.sh +++ b/lib/utils.sh @@ -111,7 +111,8 @@ does_pattern_exists_in_file() { local PATTERN=$2 debug "Checking if $PATTERN is present in $FILE" - if $(grep -qE "$PATTERN" $FILE); then + debug "grep -qE -- '$PATTERN' $FILE" + if $(grep -qE -- "$PATTERN" $FILE); then FNRET=0 else FNRET=1