From 127d3e912462f22603147708d9a545dd08b1a4e9 Mon Sep 17 00:00:00 2001 From: "thibault.dewailly" Date: Thu, 14 Apr 2016 13:11:56 +0200 Subject: [PATCH] 8.1.1.3_keep_all_audit_logs.sh 8.1.3_audit_bootloader.sh --- .../8.1.1.2_halt_when_audit_log_full.sh | 2 +- bin/hardening/8.1.1.3_keep_all_audit_logs.sh | 88 +++++++++++++++++++ bin/hardening/8.1.3_audit_bootloader.sh | 88 +++++++++++++++++++ etc/conf.d/8.1.1.3_keep_all_audit_logs.cfg | 2 + etc/conf.d/8.1.3_audit_bootloader.cfg | 2 + lib/utils.sh | 2 + 6 files changed, 183 insertions(+), 1 deletion(-) create mode 100755 bin/hardening/8.1.1.3_keep_all_audit_logs.sh create mode 100755 bin/hardening/8.1.3_audit_bootloader.sh create mode 100644 etc/conf.d/8.1.1.3_keep_all_audit_logs.cfg create mode 100644 etc/conf.d/8.1.3_audit_bootloader.cfg diff --git a/bin/hardening/8.1.1.2_halt_when_audit_log_full.sh b/bin/hardening/8.1.1.2_halt_when_audit_log_full.sh index 899fd92..df21b6f 100755 --- a/bin/hardening/8.1.1.2_halt_when_audit_log_full.sh +++ b/bin/hardening/8.1.1.2_halt_when_audit_log_full.sh @@ -56,7 +56,7 @@ apply () { warn "$PATTERN not present in $FILE, adding it" does_pattern_exists_in_file $FILE "^$AUDIT_PARAM" if [ $FNRET != 0 ]; then - info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end" + info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end" add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE" else info "Parameter $AUDIT_PARAM is present but with the wrong value, correcting" diff --git a/bin/hardening/8.1.1.3_keep_all_audit_logs.sh b/bin/hardening/8.1.1.3_keep_all_audit_logs.sh new file mode 100755 index 0000000..c83a005 --- /dev/null +++ b/bin/hardening/8.1.1.3_keep_all_audit_logs.sh @@ -0,0 +1,88 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 8.1.1.3 Keep All Auditing Information (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE='/etc/audit/auditd.conf' +OPTIONS='max_log_file_action=keep_logs' + +# This function will be called if the script status is on enabled / audit mode +audit () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + crit "$FILE does not exist" + else + ok "$FILE exist, checking configuration" + for AUDIT_OPTION in $OPTIONS; do + AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1) + AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2) + PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE" + debug "$AUDIT_PARAM must have value $AUDIT_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET != 0 ]; then + crit "$PATTERN not present in $FILE" + else + ok "$PATTERN present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + warn "$FILE does not exist, creating it" + touch $FILE + else + ok "$FILE exist" + fi + for AUDIT_OPTION in $OPTIONS; do + AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1) + AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2) + debug "$AUDIT_PARAM must have value $AUDIT_VALUE" + PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET != 0 ]; then + warn "$PATTERN not present in $FILE, adding it" + does_pattern_exists_in_file $FILE "^$AUDIT_PARAM" + if [ $FNRET != 0 ]; then + info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end" + add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE" + else + info "Parameter $AUDIT_PARAM is present but with the wrong value, correcting" + replace_in_file $FILE "^$AUDIT_PARAM[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE" + fi + else + ok "$PATTERN present in $FILE" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/8.1.3_audit_bootloader.sh b/bin/hardening/8.1.3_audit_bootloader.sh new file mode 100755 index 0000000..7a8f5e3 --- /dev/null +++ b/bin/hardening/8.1.3_audit_bootloader.sh @@ -0,0 +1,88 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 8.1.3 Enable Auditing for Processes That Start Prior to auditd (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE='/etc/default/grub' +OPTIONS='GRUB_CMDLINE_LINUX="audit=1"' + +# This function will be called if the script status is on enabled / audit mode +audit () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + crit "$FILE does not exist" + else + ok "$FILE exist, checking configuration" + for GRUB_OPTION in $OPTIONS; do + GRUB_PARAM=$(echo $GRUB_OPTION | cut -d= -f 1) + GRUB_VALUE=$(echo $GRUB_OPTION | cut -d= -f 2,3) + PATTERN="^$GRUB_PARAM=$GRUB_VALUE" + debug "$GRUB_PARAM must have value $GRUB_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET != 0 ]; then + crit "$PATTERN not present in $FILE" + else + ok "$PATTERN present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + warn "$FILE does not exist, creating it" + touch $FILE + else + ok "$FILE exist" + fi + for GRUB_OPTION in $OPTIONS; do + GRUB_PARAM=$(echo $GRUB_OPTION | cut -d= -f 1) + GRUB_VALUE=$(echo $GRUB_OPTION | cut -d= -f 2,3) + debug "$GRUB_PARAM must have value $GRUB_VALUE" + PATTERN="^$GRUB_PARAM=$GRUB_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET != 0 ]; then + warn "$PATTERN not present in $FILE, adding it" + does_pattern_exists_in_file $FILE "^$GRUB_PARAM" + if [ $FNRET != 0 ]; then + info "Parameter $GRUB_PARAM seems absent from $FILE, adding at the end" + add_end_of_file $FILE "$GRUB_PARAM = $GRUB_VALUE" + else + info "Parameter $GRUB_PARAM is present but with the wrong value, correcting" + replace_in_file $FILE "^$GRUB_PARAM=.*" "$GRUB_PARAM=$GRUB_VALUE" + fi + else + ok "$PATTERN present in $FILE" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/etc/conf.d/8.1.1.3_keep_all_audit_logs.cfg b/etc/conf.d/8.1.1.3_keep_all_audit_logs.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/8.1.1.3_keep_all_audit_logs.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/8.1.3_audit_bootloader.cfg b/etc/conf.d/8.1.3_audit_bootloader.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/8.1.3_audit_bootloader.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/lib/utils.sh b/lib/utils.sh index 25905bd..6308adb 100644 --- a/lib/utils.sh +++ b/lib/utils.sh @@ -133,6 +133,7 @@ add_line_file_before_pattern() { local LINE=$2 local PATTERN=$3 + backup_file "$1" debug "Inserting $LINE before $PATTERN in $FILE" debug "sed -i '/$PATTERN/i $LINE' $FILE" sed -i "/$PATTERN/i $LINE" $FILE @@ -144,6 +145,7 @@ replace_in_file() { local SOURCE=$2 local DESTINATION=$3 + backup_file "$1" debug "Replacing $SOURCE to $DESTINATION in $FILE" debug "sed -i 's/$SOURCE/$DESTINATION/g' $FILE" sed -i "s/$SOURCE/$DESTINATION/g" $FILE