From 1479332870dc08925b771752ba485c0431543a56 Mon Sep 17 00:00:00 2001 
From: "kevin.tanguy"
Date: Mon, 25 Apr 2016 15:15:49 +0200
Subject: [PATCH] debian dependencies fix, rephrasing, revision bump 1.0-8.
---
 bin/hardening/10.1.1_set_password_exp_days.sh | 8 ++++----
 .../10.1.2_set_password_min_days_change.sh | 8 ++++----
 .../10.1.3_set_password_exp_warning_days.sh | 8 ++++----
 bin/hardening/10.2_disable_system_accounts.sh | 12 +++++------
 bin/hardening/10.3_default_root_group.sh | 2 +-
 bin/hardening/10.4_default_umask.sh | 12 +++++------
 bin/hardening/11.1_warning_banners.sh | 4 ++--
 .../11.2_remove_os_info_warning_banners.sh | 4 ++--
 bin/hardening/12.10_find_suid_files.sh | 2 +-
 bin/hardening/12.11_find_sgid_files.sh | 2 +-
 bin/hardening/12.4_etc_passwd_ownership.sh | 2 +-
 bin/hardening/12.5_etc_shadow_ownership.sh | 2 +-
 bin/hardening/12.6_etc_group_ownership.sh | 2 +-
 .../12.7_find_world_writable_file.sh | 4 ++--
 bin/hardening/12.8_find_unowned_files.sh | 8 ++++----
 bin/hardening/12.9_find_ungrouped_files.sh | 10 +++++-----
 bin/hardening/13.10_find_user_rhosts_files.sh | 2 +-
 bin/hardening/13.18_find_user_netrc_files.sh | 2 +-
 .../13.19_find_user_forward_files.sh | 2 +-
 .../13.1_remove_empty_password_field.sh | 8 ++++----
 bin/hardening/13.20_shadow_group_empty.sh | 12 +++++------
 .../13.2_remove_legacy_passwd_entries.sh | 6 +++---
 .../13.3_remove_legacy_shadow_entries.sh | 6 +++---
 .../13.4_remove_legacy_group_entries.sh | 10 +++++-----
 .../13.5_find_0_uid_non_root_account.sh | 2 +-
 bin/hardening/3.1_bootloader_ownership.sh | 2 +-
 bin/hardening/3.3_bootloader_password.sh | 8 ++++----
 bin/hardening/3.4_root_password.sh | 12 +++++------
 bin/hardening/4.1_restrict_core_dumps.sh | 6 +++---
 bin/hardening/4.2_enable_nx_support.sh | 12 +++++------
 bin/hardening/5.1.2_disable_rsh.sh | 10 +++++-----
 bin/hardening/5.1.4_disable_talk.sh | 10 +++++-----
 bin/hardening/5.1.6_disable_telnet_server.sh | 10 +++++-----
 bin/hardening/5.1.7_disable_tftp_server.sh | 11 +++++-----
 bin/hardening/5.2_disable_chargen.sh | 12 +++++------
 bin/hardening/5.3_disable_daytime.sh | 12 +++++------
 bin/hardening/5.4_disable_echo.sh | 12 +++++------
 bin/hardening/5.5_disable_discard.sh | 12 +++++------
 bin/hardening/5.6_disable_time.sh | 12 +++++------
 bin/hardening/6.16_disable_rsync.sh | 4 ++--
 bin/hardening/6.5_configure_ntp.sh | 8 ++++----
 bin/hardening/7.4.4_hosts_deny.sh | 16 +++++++--------
 bin/hardening/8.1.1.1_audit_log_storage.sh | 16 +++++++--------
 .../8.1.1.2_halt_when_audit_log_full.sh | 18 ++++++++---------
 bin/hardening/8.1.1.3_keep_all_audit_logs.sh | 18 ++++++++---------
 bin/hardening/8.1.10_record_dac_edit.sh | 12 +++++------
 .../8.1.11_record_failed_access_file.sh | 12 +++++------
 .../8.1.12_record_privileged_commands.sh | 12 +++++------
 .../8.1.13_record_successful_mount.sh | 12 +++++------
 bin/hardening/8.1.14_record_file_deletions.sh | 12 +++++------
 bin/hardening/8.1.15_record_sudoers_edit.sh | 12 +++++------
 bin/hardening/8.1.16_record_sudo_usage.sh | 12 +++++------
 bin/hardening/8.1.17_record_kernel_modules.sh | 12 +++++------
 bin/hardening/8.1.18_freeze_auditd_conf.sh | 12 +++++------
 bin/hardening/8.1.3_audit_bootloader.sh | 18 ++++++++---------
 bin/hardening/8.1.4_record_date_time_edit.sh | 12 +++++------
 bin/hardening/8.1.5_record_user_group_edit.sh | 12 +++++------
 bin/hardening/8.1.6_record_network_edit.sh | 12 +++++------
 bin/hardening/8.1.7_record_mac_edit.sh | 12 +++++------
 bin/hardening/8.1.8_record_login_logout.sh | 12 +++++------
 bin/hardening/8.1.9_record_session_init.sh | 12 +++++------
 bin/hardening/8.2.4_set_logfile_perm.sh | 4 ++--
 bin/hardening/8.2.5_syslog-ng_remote_host.sh | 12 +++++------
 bin/hardening/8.3.2_tripwire_cron.sh | 20 +++++++++----------
 bin/hardening/9.1.2_crontab_perm_ownership.sh | 4 ++--
 .../9.1.3_cron_hourly_perm_ownership.sh | 4 ++--
 .../9.1.4_cron_daily_perm_ownership.sh | 4 ++--
 .../9.1.5_cron_weekly_perm_ownership.sh | 4 ++--
 .../9.1.6_cron_monthly_perm_ownership.sh | 4 ++--
 bin/hardening/9.1.7_cron_d_perm_ownership.sh | 4 ++--
 bin/hardening/9.1.8_cron_users.sh | 4 ++--
 bin/hardening/9.2.1_enable_cracklib.sh | 4 ++--
 .../9.2.2_enable_lockout_failed_password.sh | 4 ++--
 bin/hardening/9.2.3_limit_password_reuse.sh | 4 ++--
 bin/hardening/9.3.10_disable_sshd_setenv.sh | 8 ++++----
 bin/hardening/9.3.11_sshd_ciphers.sh | 8 ++++----
 bin/hardening/9.3.12_sshd_idle_timeout.sh | 8 ++++----
 bin/hardening/9.3.13_sshd_limit_access.sh | 8 ++++----
 bin/hardening/9.3.14_ssh_banner.sh | 8 ++++----
 bin/hardening/9.3.1_sshd_protocol.sh | 8 ++++----
 bin/hardening/9.3.2_sshd_loglevel.sh | 8 ++++----
 .../9.3.3_sshd_conf_perm_ownership.sh | 4 ++--
 bin/hardening/9.3.4_disable_x11_forwarding.sh | 8 ++++----
 bin/hardening/9.3.5_sshd_maxauthtries.sh | 8 ++++----
 .../9.3.6_enable_sshd_ignorerhosts.sh | 8 ++++----
 ....7_disable_sshd_hostbasedauthentication.sh | 8 ++++----
 bin/hardening/9.3.8_disable_root_login.sh | 8 ++++----
 ...9.3.9_disable_sshd_permitemptypasswords.sh | 8 ++++----
 bin/hardening/9.5_restrict_su.sh | 4 ++--
 bin/hardening/99.1_timeout_tty.sh | 12 +++++------
 bin/hardening/99.2_disable_usb_devices.sh | 12 +++++------
 debian/changelog | 7 +++++++
 debian/control | 2 +-
 lib/utils.sh | 4 ++--
 94 files changed, 395 insertions(+), 389 deletions(-)
diff --git a/bin/hardening/10.1.1_set_password_exp_days.sh b/bin/hardening/10.1.1_set_password_exp_days.sh
index 5b76261..b387c5a 100755
--- a/bin/hardening/10.1.1_set_password_exp_days.sh
+++ b/bin/hardening/10.1.1_set_password_exp_days.sh
@@ -26,7 +26,7 @@ audit () {
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
 PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
- does_pattern_exists_in_file $FILE "$PATTERN"
+ does_pattern_exist_in_file $FILE "$PATTERN"
 if [ $FNRET = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
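Review bot: The pattern the renamed `does_pattern_exist_in_file` call checks, `PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"`, has no terminator, so it is a prefix match: if, as the script name suggests, this audits a `/etc/login.defs` key such as `PASS_MAX_DAYS=90`, a line reading `PASS_MAX_DAYS 900` passes the audit, and because `[[:space:]]*` also accepts zero separators so would `PASS_MAX_DAYS90x`. Anchor the value, e.g. `PATTERN="^$SSH_PARAM[[:space:]]+$SSH_VALUE[[:space:]]*$"` if the helper runs grep in ERE mode (use `[[:space:]][[:space:]]*` for basic syntax; the helper's body is not visible here). The same construction is repeated in the apply hunk below and in the 10.1.2 and 10.1.3 hunks. `SSH_PARAM`/`SSH_VALUE` are also misleading names for login.defs settings; `LOGINDEFS_PARAM`/`LOGINDEFS_VALUE` would read better.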
@@ -49,12 +49,12 @@ apply () {
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
 PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
- does_pattern_exists_in_file $FILE "$PATTERN"
+ does_pattern_exist_in_file $FILE "$PATTERN"
 if [ $FNRET = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
- warn "$PATTERN not present in $FILE, adding it"
- does_pattern_exists_in_file $FILE "^$SSH_PARAM"
+ warn "$PATTERN is not present in $FILE, adding it"
+ does_pattern_exist_in_file $FILE "^$SSH_PARAM"
 if [ $FNRET != 0 ]; then
 add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
 else
diff --git a/bin/hardening/10.1.2_set_password_min_days_change.sh b/bin/hardening/10.1.2_set_password_min_days_change.sh
index 29e907d..e6b7b47 100755
--- a/bin/hardening/10.1.2_set_password_min_days_change.sh
+++ b/bin/hardening/10.1.2_set_password_min_days_change.sh
@@ -26,7 +26,7 @@ audit () {
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
 PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
- does_pattern_exists_in_file $FILE "$PATTERN"
+ does_pattern_exist_in_file $FILE "$PATTERN"
 if [ $FNRET = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
@@ -49,12 +49,12 @@ apply () {
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
 PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
- does_pattern_exists_in_file $FILE "$PATTERN"
+ does_pattern_exist_in_file $FILE "$PATTERN"
 if [ $FNRET = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
- warn "$PATTERN not present in $FILE, adding it"
- does_pattern_exists_in_file $FILE "^$SSH_PARAM"
+ warn "$PATTERN is not present in $FILE, adding it"
+ does_pattern_exist_in_file $FILE "^$SSH_PARAM"
 if [ $FNRET != 0 ]; then
 add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
 else
diff --git a/bin/hardening/10.1.3_set_password_exp_warning_days.sh b/bin/hardening/10.1.3_set_password_exp_warning_days.sh
index c3ab01e..83ca246 100755
--- a/bin/hardening/10.1.3_set_password_exp_warning_days.sh
+++ b/bin/hardening/10.1.3_set_password_exp_warning_days.sh
@@ -26,7 +26,7 @@ audit () {
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
 PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
- does_pattern_exists_in_file $FILE "$PATTERN"
+ does_pattern_exist_in_file $FILE "$PATTERN"
 if [ $FNRET = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
@@ -49,12 +49,12 @@ apply () {
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
 PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
- does_pattern_exists_in_file $FILE "$PATTERN"
+ does_pattern_exist_in_file $FILE "$PATTERN"
 if [ $FNRET = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
- warn "$PATTERN not present in $FILE, adding it"
- does_pattern_exists_in_file $FILE "^$SSH_PARAM"
+ warn "$PATTERN is not present in $FILE, adding it"
+ does_pattern_exist_in_file $FILE "^$SSH_PARAM"
 if [ $FNRET != 0 ]; then
 add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
 else
diff --git a/bin/hardening/10.2_disable_system_accounts.sh b/bin/hardening/10.2_disable_system_accounts.sh
index 42e7daf..8b5ec97 100755
--- a/bin/hardening/10.2_disable_system_accounts.sh
+++ b/bin/hardening/10.2_disable_system_accounts.sh
@@ -17,7 +17,7 @@ RESULT=''
 # This function will be called if the script status is on enabled / audit mode
 audit () {
- info "Checking if admin accounts have login different from $SHELL"
+ info "Checking if admin accounts have a login shell different than $SHELL"
 RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}')
 for LINE in $RESULT; do
 debug "line : $LINE"
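Review bot: `for LINE in $RESULT; do` in the 10.2 audit hunk iterates over whitespace-separated words, not passwd lines, so any flagged entry whose GECOS field contains a space (e.g. `PostgreSQL administrator,,,`) arrives at `debug "line : $LINE"` and at the exception handling that follows (outside this hunk) as two or more fragments. Read the result line by line instead: `while IFS= read -r LINE; do` ... `done <<< "$RESULT"`. The `egrep -v "^\+" $FILE` pre-filter and the awk program are fine as such, though `egrep` is deprecated in favour of `grep -E`. The audit function continues past the end of the hunk.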
@@ -29,11 +29,11 @@ audit () {
 debug "$ACCOUNT is confirmed as an exception"
 RESULT=$(sed "s!$LINE!!" <<< "$RESULT")
 else
- debug "$ACCOUNT not found in exceptions"
+ debug "$ACCOUNT not found in exceptions"
 fi
 done
 if [ ! -z "$RESULT" ]; then
- crit "Some admin accounts don't have $SHELL as shell"
+ crit "Some admin accounts don't have $SHELL as their login shell"
 crit "$RESULT"
 else
 ok "All admin accounts deactivated"
@@ -57,11 +57,11 @@ apply () {
 fi
 done
 if [ ! -z "$RESULT" ]; then
- warn "Some admin accounts don't have $SHELL as shell"
+ warn "Some admin accounts don't have $SHELL as their login shell -- Fixing"
 warn "$RESULT"
 for USER in $( echo "$RESULT" | cut -d: -f 1 ); do
- info "Setting $SHELL to $USER"
- usermod -s $SHELL $USER
+ info "Setting $SHELL as $USER login shell"
+ usermod -s $SHELL $USER
 done
 else
 ok "All admin accounts deactivated, nothing to apply"
diff --git a/bin/hardening/10.3_default_root_group.sh b/bin/hardening/10.3_default_root_group.sh
index 08e4df3..4b1732f 100755
--- a/bin/hardening/10.3_default_root_group.sh
+++ b/bin/hardening/10.3_default_root_group.sh
@@ -28,7 +28,7 @@ apply () {
 if [ $(grep "^root:" /etc/passwd | cut -f4 -d:) = 0 ]; then
 ok "Root group GID is $EXPECTED_GID"
 else
- warn "Root group GID is not $EXPECTED_GID"
+ warn "Root group GID is not $EXPECTED_GID -- Fixing"
 usermod -g $EXPECTED_GID $USER
 fi
 }
diff --git a/bin/hardening/10.4_default_umask.sh b/bin/hardening/10.4_default_umask.sh
index ecef1e6..af442c0 100755
--- a/bin/hardening/10.4_default_umask.sh
+++ b/bin/hardening/10.4_default_umask.sh
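Review bot: `usermod -s $SHELL $USER` in the 10.2 apply hunk is the one line that changes the system, and `SHELL` is an environment variable every login session exports; unless the script assigns `SHELL` itself (not visible in this hunk), the apply step sets each flagged system account to the operator's own shell, e.g. `/bin/bash`, which is the opposite of the intent. Give the target an explicit, script-owned name such as `NOLOGIN_SHELL='/usr/sbin/nologin'` and use it both in the messages and in `usermod -s "$NOLOGIN_SHELL" "$USER"`. Quoting also matters here because `RESULT` was built by word-splitting passwd lines, so `cut -d: -f 1` can yield GECOS fragments as "user names". The loop variable `USER` shadows the environment variable of the same name; `ACCOUNT` would be clearer.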
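Review bot: In the 10.3 hunk the remediation line `usermod -g $EXPECTED_GID $USER` never names root: `USER` is not assigned anywhere in the hunk, so unless the script sets it above, it is the caller's environment variable and the primary group of whoever ran the script is changed instead of root's. The test on the first line also compares against the literal `0` while both messages talk about `$EXPECTED_GID`, so they can disagree if the variable is ever changed. Suggested: `if [ "$(grep '^root:' /etc/passwd | cut -f4 -d:)" = "$EXPECTED_GID" ]; then` and `usermod -g "$EXPECTED_GID" root`. Quoting the command substitution additionally keeps `[` from raising a syntax error when the grep returns nothing.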
@@ -18,24 +18,24 @@ FILE='/etc/profile.d/CIS_10.4_umask.sh'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
- does_pattern_exists_in_file "$FILES_TO_SEARCH" "^$PATTERN"
+ does_pattern_exist_in_file "$FILES_TO_SEARCH" "^$PATTERN"
 if [ $FNRET != 0 ]; then
- crit "$PATTERN not present in $FILES_TO_SEARCH"
+ crit "$PATTERN is not present in $FILES_TO_SEARCH"
 else
- ok "$PATTERN present in $FILES_TO_SEARCH"
+ ok "$PATTERN is present in $FILES_TO_SEARCH"
 fi
 }
 # This function will be called if the script status is on enabled mode
 apply () {
- does_pattern_exists_in_file "$FILES_TO_SEARCH" "^$PATTERN"
+ does_pattern_exist_in_file "$FILES_TO_SEARCH" "^$PATTERN"
 if [ $FNRET != 0 ]; then
- warn "$PATTERN not present in $FILES_TO_SEARCH"
+ warn "$PATTERN is not present in $FILES_TO_SEARCH"
 touch $FILE
 chmod 644 $FILE
 add_end_of_file $FILE "$PATTERN"
 else
- ok "$PATTERN present in $FILES_TO_SEARCH"
+ ok "$PATTERN is present in $FILES_TO_SEARCH"
 fi
 }
diff --git a/bin/hardening/11.1_warning_banners.sh b/bin/hardening/11.1_warning_banners.sh
index 4e495b9..43bdb51 100755
--- a/bin/hardening/11.1_warning_banners.sh
+++ b/bin/hardening/11.1_warning_banners.sh
@@ -23,7 +23,7 @@ audit () {
 if [ $FNRET = 0 ]; then
 ok "$FILE has correct ownership"
 else
- crit "$FILE is not $USER:$GROUP ownership set"
+ crit "$FILE ownership was not set to $USER:$GROUP"
 fi
 has_file_correct_permissions $FILE $PERMISSIONS
 if [ $FNRET = 0 ]; then
@@ -46,7 +46,7 @@ apply () {
 if [ $FNRET = 0 ]; then
 ok "$FILE has correct ownership"
 else
- warn "$FILE is not $USER:$GROUP ownership set"
+ warn "fixing $FILE ownership to $USER:$GROUP"
 chown $USER:$GROUP $FILE
 fi
 has_file_correct_permissions $FILE $PERMISSIONS
diff --git a/bin/hardening/11.2_remove_os_info_warning_banners.sh b/bin/hardening/11.2_remove_os_info_warning_banners.sh
index 7da9b99..9ebe717 100755
--- a/bin/hardening/11.2_remove_os_info_warning_banners.sh
+++ b/bin/hardening/11.2_remove_os_info_warning_banners.sh
@@ -17,7 +17,7 @@ PATTERN='(\\v|\\r|\\m|\\s)'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
 for FILE in $FILES; do
- does_pattern_exists_in_file $FILE "$PATTERN"
+ does_pattern_exist_in_file $FILE "$PATTERN"
 if [ $FNRET = 0 ]; then
 crit "$PATTERN is present in $FILE"
 else
@@ -29,7 +29,7 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
 for FILE in $FILES; do
- does_pattern_exists_in_file $FILE "$PATTERN"
+ does_pattern_exist_in_file $FILE "$PATTERN"
 if [ $FNRET = 0 ]; then
 warn "$PATTERN is present in $FILE"
 delete_line_in_file $FILE $PATTERN
diff --git a/bin/hardening/12.10_find_suid_files.sh b/bin/hardening/12.10_find_suid_files.sh
index d10bf7e..2e490db 100755
--- a/bin/hardening/12.10_find_suid_files.sh
+++ b/bin/hardening/12.10_find_suid_files.sh
@@ -13,7 +13,7 @@ set -u # One variable unset, it's over
 # This function will be called if the script status is on enabled / audit mode
 audit () {
- info "Checking if there is suid files"
+ info "Checking if there are suid files"
 RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000 -print)
 for BINARY in $RESULT; do
 if grep -q $BINARY <<< "$EXCEPTIONS"; then
diff --git a/bin/hardening/12.11_find_sgid_files.sh b/bin/hardening/12.11_find_sgid_files.sh
index 56509e2..ee98497 100755
--- a/bin/hardening/12.11_find_sgid_files.sh
+++ b/bin/hardening/12.11_find_sgid_files.sh
@@ -13,7 +13,7 @@ set -u # One variable unset, it's over
 # This function will be called if the script status is on enabled / audit mode
 audit () {
- info "Checking if there is sgid files"
+ info "Checking if there are sgid files"
 RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000 -print)
 for BINARY in $RESULT; do
 if grep -q $BINARY <<< "$EXCEPTIONS"; then
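Review bot: The whitelist test in the 12.10 hunk, `if grep -q $BINARY <<< "$EXCEPTIONS"; then`, uses the discovered path as an unanchored regular expression against the whole exception string, so any setuid file whose path is a substring of a whitelisted one is silently accepted: with `/usr/bin/sudo` in `EXCEPTIONS`, a planted setuid `/usr/bin/sud` or `/usr/bin/su` never reaches the crit branch, which is exactly the backdoor this check exists to catch. Match the path literally and as a whole word: `if grep -qwF -- "$BINARY" <<< "$EXCEPTIONS"; then` (or put one exception per line and use `-xF`). The unquoted `$BINARY` is also subject to glob expansion, and `for BINARY in $RESULT` splits paths on whitespace, so a setuid file in a directory with a space in its name is reported as fragments. The identical line is in the 12.11 sgid hunk below; the loop body continues past both hunks.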
diff --git a/bin/hardening/12.4_etc_passwd_ownership.sh b/bin/hardening/12.4_etc_passwd_ownership.sh
index 0f2cf56..99d5651 100755
--- a/bin/hardening/12.4_etc_passwd_ownership.sh
+++ b/bin/hardening/12.4_etc_passwd_ownership.sh
@@ -21,7 +21,7 @@ audit () {
 if [ $FNRET = 0 ]; then
 ok "$FILE has correct ownership"
 else
- crit "$FILE is not $USER:$GROUP ownership set"
+ crit "$FILE ownership was not set to $USER:$GROUP"
 fi
 }
diff --git a/bin/hardening/12.5_etc_shadow_ownership.sh b/bin/hardening/12.5_etc_shadow_ownership.sh
index 005b1d1..df280d0 100755
--- a/bin/hardening/12.5_etc_shadow_ownership.sh
+++ b/bin/hardening/12.5_etc_shadow_ownership.sh
@@ -21,7 +21,7 @@ audit () {
 if [ $FNRET = 0 ]; then
 ok "$FILE has correct ownership"
 else
- crit "$FILE is not $USER:$GROUP ownership set"
+ crit "$FILE ownership was not set to $USER:$GROUP"
 fi
 }
diff --git a/bin/hardening/12.6_etc_group_ownership.sh b/bin/hardening/12.6_etc_group_ownership.sh
index 50595a5..f52cae9 100755
--- a/bin/hardening/12.6_etc_group_ownership.sh
+++ b/bin/hardening/12.6_etc_group_ownership.sh
@@ -21,7 +21,7 @@ audit () {
 if [ $FNRET = 0 ]; then
 ok "$FILE has correct ownership"
 else
- crit "$FILE is not $USER:$GROUP ownership set"
+ crit "$FILE ownership was not set to $USER:$GROUP"
 fi
 }
diff --git a/bin/hardening/12.7_find_world_writable_file.sh b/bin/hardening/12.7_find_world_writable_file.sh
index 33fd01c..6353a87 100755
--- a/bin/hardening/12.7_find_world_writable_file.sh
+++ b/bin/hardening/12.7_find_world_writable_file.sh
@@ -13,10 +13,10 @@ set -u # One variable unset, it's over
 # This function will be called if the script status is on enabled / audit mode
 audit () {
- info "Checking if there is world writable files"
+ info "Checking if there are world writable files"
 RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
 if [ ! -z "$RESULT" ]; then
- crit "Some world writable file are present"
+ crit "Some world writable files are present"
 FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
 crit "$FORMATTED_RESULT"
 else
diff --git a/bin/hardening/12.8_find_unowned_files.sh b/bin/hardening/12.8_find_unowned_files.sh
index d81289b..b411f42 100755
--- a/bin/hardening/12.8_find_unowned_files.sh
+++ b/bin/hardening/12.8_find_unowned_files.sh
@@ -15,10 +15,10 @@ USER='root'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
- info "Checking if there is unowned files"
+ info "Checking if there are unowned files"
 RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null)
 if [ ! -z "$RESULT" ]; then
- crit "Some world writable file are present"
+ crit "Some unowned files are present"
 FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
 crit "$FORMATTED_RESULT"
 else
@@ -30,8 +30,8 @@ audit () {
 apply () {
 RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
 if [ ! -z "$RESULT" ]; then
- warn "chmowing all unowned files in the system"
- df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown $USER
+ warn "Applying chown on all unowned files in the system"
+ df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown $USER
 else
 ok "No unowned files found, nothing to apply"
 fi
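Review bot: The rewritten remediation line in the 12.8 apply hunk still pipes `find … -nouser -print` into `xargs chown $USER`, which splits on whitespace: an unowned file whose name contains a space or newline is passed as several arguments, and since GNU chown accepts options after operands, a name such as `x -R /` turns the command into `chown root … -R /`. Unowned files are precisely what a departed user, or a reused uid on a container or NFS mount, can leave behind, so this is attacker-influenced input running as root. Let find hand the paths over safely: `df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -exec chown -- "$USER" {} + 2>/dev/null` (or `-print0 | xargs -0 chown -- "$USER"`). The mount points produced by `df` are also split by the unquoted `xargs -I '{}'` input, which mis-handles mount points containing spaces.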
diff --git a/bin/hardening/12.9_find_ungrouped_files.sh b/bin/hardening/12.9_find_ungrouped_files.sh
index 7a6cf14..ca36ece 100755
--- a/bin/hardening/12.9_find_ungrouped_files.sh
+++ b/bin/hardening/12.9_find_ungrouped_files.sh
@@ -15,14 +15,14 @@ GROUP='root'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
- info "Checking if there is unowned files"
+ info "Checking if there are ungrouped files"
 RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null)
 if [ ! -z "$RESULT" ]; then
- crit "Some world writable file are present"
+ crit "Some ungrouped files are present"
 FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
 crit "$FORMATTED_RESULT"
 else
- ok "No world writable files found"
+ ok "No ungrouped files found"
 fi
 }
@@ -30,10 +30,10 @@ audit () {
 apply () {
 RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
 if [ ! -z "$RESULT" ]; then
- warn "chmowing all ungrouped files in the system"
+ warn "Applying chgrp on all ungrouped files in the system"
 df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp $GROUP
 else
- ok "No world writable files found, nothing to apply"
+ ok "No ungrouped files found, nothing to apply"
 fi
 }
diff --git a/bin/hardening/13.10_find_user_rhosts_files.sh b/bin/hardening/13.10_find_user_rhosts_files.sh
index 0445ece..1a7fc5b 100755
--- a/bin/hardening/13.10_find_user_rhosts_files.sh
+++ b/bin/hardening/13.10_find_user_rhosts_files.sh
@@ -27,7 +27,7 @@ audit () {
 done
 if [ $ERRORS = 0 ]; then
- ok "No $FILENAME present in users files"
+ ok "No $FILENAME present in users home directory"
 fi
 }
diff --git a/bin/hardening/13.18_find_user_netrc_files.sh b/bin/hardening/13.18_find_user_netrc_files.sh
index 9a2063a..fcd3c2d 100755
--- a/bin/hardening/13.18_find_user_netrc_files.sh
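Review bot: The 12.9 apply hunk has the same weakness as 12.8: `find … -nogroup -print … | xargs chgrp $GROUP` splits file names on whitespace, so a name like `x -R /` becomes `chgrp root … -R /` (GNU chgrp, like chown, accepts options after operands), and ungrouped files are exactly what former members of a deleted group may have left on disk. Use `xargs -I '{}' find '{}' -xdev -nogroup -exec chgrp -- "$GROUP" {} + 2>/dev/null` or `-print0 | xargs -0 chgrp -- "$GROUP"`. The audit hunk above splits `$RESULT` the same way, but there it only affects how the list is printed.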
+++ b/bin/hardening/13.18_find_user_netrc_files.sh
@@ -27,7 +27,7 @@ audit () {
 done
 if [ $ERRORS = 0 ]; then
- ok "No $FILENAME present in users files"
+ ok "No $FILENAME present in users home directory"
 fi
 }
diff --git a/bin/hardening/13.19_find_user_forward_files.sh b/bin/hardening/13.19_find_user_forward_files.sh
index 02324e1..1ea0c51 100755
--- a/bin/hardening/13.19_find_user_forward_files.sh
+++ b/bin/hardening/13.19_find_user_forward_files.sh
@@ -27,7 +27,7 @@ audit () {
 done
 if [ $ERRORS = 0 ]; then
- ok "No $FILENAME present in users files"
+ ok "No $FILENAME present in users home directory"
 fi
 }
diff --git a/bin/hardening/13.1_remove_empty_password_field.sh b/bin/hardening/13.1_remove_empty_password_field.sh
index d953a81..6d5b6e7 100755
--- a/bin/hardening/13.1_remove_empty_password_field.sh
+++ b/bin/hardening/13.1_remove_empty_password_field.sh
@@ -15,10 +15,10 @@ FILE='/etc/shadow'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
- info "Checking if accounts have empty passwords"
+ info "Checking if accounts have an empty password"
 RESULT=$(cat $FILE | awk -F: '($2 == "" ) { print $1 }')
 if [ ! -z "$RESULT" ]; then
- crit "Some accounts have empty passwords"
+ crit "Some accounts have an empty password"
 crit $RESULT
 else
 ok "All accounts have a password"
@@ -29,8 +29,8 @@ audit () {
 apply () {
 RESULT=$(cat $FILE | awk -F: '($2 == "" ) { print $1 }')
 if [ ! -z "$RESULT" ]; then
- warn "Some accounts have empty passwords"
- for ACCOUNT in $RESULT; do
+ warn "Some accounts have an empty password"
+ for ACCOUNT in $RESULT; do
 info "Locking $ACCOUNT"
 passwd -l $ACCOUNT >/dev/null 2>&1
 done
diff --git a/bin/hardening/13.20_shadow_group_empty.sh b/bin/hardening/13.20_shadow_group_empty.sh
index 6935b33..09008f8 100755
--- a/bin/hardening/13.20_shadow_group_empty.sh
+++ b/bin/hardening/13.20_shadow_group_empty.sh
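Review bot: In the 13.1 apply hunk, `passwd -l $ACCOUNT >/dev/null 2>&1` discards both the output and the exit status, so an account that could not be locked keeps its empty password while the log shows only `Locking $ACCOUNT`. Report the failure: `passwd -l "$ACCOUNT" >/dev/null 2>&1 || warn "Failed to lock $ACCOUNT"`. The `cat $FILE | awk …` on the line above is a useless cat; `awk -F: '($2 == "" ) { print $1 }' "$FILE"` reads the file directly, and the same applies in the audit hunk. The apply function's closing lines are outside the hunk.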
@@ -17,24 +17,24 @@ PATTERN='^shadow:x:[[:digit:]]+:'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
- does_pattern_exists_in_file $FILEGROUP $PATTERN
+ does_pattern_exist_in_file $FILEGROUP $PATTERN
 if [ $FNRET = 0 ]; then
 info "shadow group exists"
 RESULT=$(grep -E "$PATTERN" $FILEGROUP | cut -d: -f4)
 GROUPID=$(getent group shadow | cut -d: -f3)
 debug "$RESULT $GROUPID"
 if [ ! -z "$RESULT" ]; then
- crit "Some user belong to shadow group : $RESULT"
+ crit "Some users belong to shadow group: $RESULT"
 else
- ok "No one belongs to shadow group"
+ ok "No user belongs to shadow group"
 fi
 info "Checking if a user has $GROUPID as primary group"
 RESULT=$(awk -F: '($4 == shadowid) { print $1 }' shadowid=$GROUPID /etc/passwd)
 if [ ! -z "$RESULT" ]; then
- crit "Some user have shadow id to their primary group : $RESULT"
+ crit "Some users have shadow id as their primary group: $RESULT"
 else
- ok "No one have shadow id to their primary group"
+ ok "No user has shadow id as their primary group"
 fi
 else
 crit "shadow group doesn't exist"
@@ -43,7 +43,7 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
- info "If the audit returns something, please check with the user why he has this file"
+ info "Editing automatically users/groups may seriously harm your system, report only here"
 }
 # This function will check config parameters required
diff --git a/bin/hardening/13.2_remove_legacy_passwd_entries.sh b/bin/hardening/13.2_remove_legacy_passwd_entries.sh
index 29b878a..45bd0d1 100755
--- a/bin/hardening/13.2_remove_legacy_passwd_entries.sh
+++ b/bin/hardening/13.2_remove_legacy_passwd_entries.sh
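Review bot: The renamed call in the 13.20 audit hunk, `does_pattern_exist_in_file $FILEGROUP $PATTERN`, passes the pattern unquoted, unlike the sibling scripts (10.1.x, 11.2, 3.3) which pass `"$PATTERN"`; `^shadow:x:[[:digit:]]+:` contains a bracket expression and is therefore subject to pathname expansion before the helper sees it, while the `grep -E "$PATTERN" $FILEGROUP` a few lines later already quotes it. Change it to `does_pattern_exist_in_file "$FILEGROUP" "$PATTERN"` for consistency. In the apply hunk the new message `Editing automatically users/groups may seriously harm your system, report only here` is hard to parse; something like `Not fixing automatically: removing members from the shadow group can break the system, review the audit output instead` says the same thing more clearly.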
@@ -16,10 +16,10 @@ RESULT=''
 # This function will be called if the script status is on enabled / audit mode
 audit () {
- info "Checking if accounts have empty passwords"
+ info "Checking if accounts have a legacy password entry"
 if grep '^+:' $FILE -q; then
 RESULT=$(grep '^+:' $FILE)
- crit "Some accounts have legacy password entry"
+ crit "Some accounts have a legacy password entry"
 crit $RESULT
 else
 ok "All accounts have a valid password entry format"
@@ -30,7 +30,7 @@ audit () {
 apply () {
 if grep '^+:' $FILE -q; then
 RESULT=$(grep '^+:' $FILE)
- warn "Some accounts have legacy password entry"
+ warn "Some accounts have a legacy password entry"
 for LINE in $RESULT; do
 info "Removing $LINE from $FILE"
 delete_line_in_file $FILE $LINE
diff --git a/bin/hardening/13.3_remove_legacy_shadow_entries.sh b/bin/hardening/13.3_remove_legacy_shadow_entries.sh
index 1c962b0..97f95c7 100755
--- a/bin/hardening/13.3_remove_legacy_shadow_entries.sh
+++ b/bin/hardening/13.3_remove_legacy_shadow_entries.sh
@@ -16,10 +16,10 @@ RESULT=''
 # This function will be called if the script status is on enabled / audit mode
 audit () {
- info "Checking if accounts have empty passwords"
+ info "Checking if accounts have a legacy password entry"
 if grep '^+:' $FILE -q; then
 RESULT=$(grep '^+:' $FILE)
- crit "Some accounts have legacy password entry"
+ crit "Some accounts have a legacy password entry"
 crit $RESULT
 else
 ok "All accounts have a valid password entry format"
@@ -30,7 +30,7 @@ audit () {
 apply () {
 if grep '^+:' $FILE -q; then
 RESULT=$(grep '^+:' $FILE)
- warn "Some accounts have legacy password entry"
+ warn "Some accounts have a legacy password entry"
 for LINE in $RESULT; do
 info "Removing $LINE from $FILE"
 delete_line_in_file $FILE $LINE
diff --git a/bin/hardening/13.4_remove_legacy_group_entries.sh b/bin/hardening/13.4_remove_legacy_group_entries.sh
index bea35d4..b33b6e4 100755
--- a/bin/hardening/13.4_remove_legacy_group_entries.sh
+++ b/bin/hardening/13.4_remove_legacy_group_entries.sh
@@ -16,13 +16,13 @@ RESULT=''
 # This function will be called if the script status is on enabled / audit mode
 audit () {
- info "Checking if accounts have empty passwords"
+ info "Checking if accounts have a legacy group entry"
 if grep '^+:' $FILE -q; then
 RESULT=$(grep '^+:' $FILE)
- crit "Some accounts have legacy password entry"
+ crit "Some accounts have a legacy group entry"
 crit $RESULT
 else
- ok "All accounts have a valid password entry format"
+ ok "All accounts have a valid group entry format"
 fi
 }
@@ -30,13 +30,13 @@ audit () {
 apply () {
 if grep '^+:' $FILE -q; then
 RESULT=$(grep '^+:' $FILE)
- warn "Some accounts have legacy password entry"
+ warn "Some accounts have a legacy group entry"
 for LINE in $RESULT; do
 info "Removing $LINE from $FILE"
 delete_line_in_file $FILE $LINE
 done
 else
- ok "All accounts have a valid password entry format"
+ ok "All accounts have a valid group entry format"
 fi
 }
diff --git a/bin/hardening/13.5_find_0_uid_non_root_account.sh b/bin/hardening/13.5_find_0_uid_non_root_account.sh
index b5c7d34..646a5da 100755
--- a/bin/hardening/13.5_find_0_uid_non_root_account.sh
+++ b/bin/hardening/13.5_find_0_uid_non_root_account.sh
@@ -33,7 +33,7 @@ audit () {
 crit "Some accounts have uid 0"
 crit $RESULT
 else
- ok "No account with suid 0 apart root"
+ ok "No account with uid 0 apart root"
 fi
 }
diff --git a/bin/hardening/3.1_bootloader_ownership.sh b/bin/hardening/3.1_bootloader_ownership.sh
index d8d71b6..9f9a3a2 100755
--- a/bin/hardening/3.1_bootloader_ownership.sh
+++ b/bin/hardening/3.1_bootloader_ownership.sh
@@ -23,7 +23,7 @@ audit () {
 if [ $FNRET = 0 ]; then
 ok "$FILE has correct ownership"
 else
- crit "$FILE is not $USER:$GROUP ownership set"
+ crit "$FILE ownership was not set to $USER:$GROUP"
 fi
 }
diff --git a/bin/hardening/3.3_bootloader_password.sh b/bin/hardening/3.3_bootloader_password.sh
index 6dd9ff6..ba17945 100755
--- a/bin/hardening/3.3_bootloader_password.sh
+++ b/bin/hardening/3.3_bootloader_password.sh
@@ -17,13 +17,13 @@ PWD_PATTERN="^password_pbkdf2"
 # This function will be called if the script status is on enabled / audit mode
 audit () {
- does_pattern_exists_in_file $FILE "$USER_PATTERN"
+ does_pattern_exist_in_file $FILE "$USER_PATTERN"
 if [ $FNRET != 0 ]; then
 crit "$USER_PATTERN not present in $FILE"
 else
 ok "$USER_PATTERN is present in $FILE"
 fi
- does_pattern_exists_in_file $FILE "$PWD_PATTERN"
+ does_pattern_exist_in_file $FILE "$PWD_PATTERN"
 if [ $FNRET != 0 ]; then
 crit "$PWD_PATTERN not present in $FILE"
 else
@@ -33,13 +33,13 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
- does_pattern_exists_in_file $FILE "$USER_PATTERN"
+ does_pattern_exist_in_file $FILE "$USER_PATTERN"
 if [ $FNRET != 0 ]; then
 warn "$USER_PATTERN not present in $FILE, please configure password for grub"
 else
 ok "$USER_PATTERN is present in $FILE"
 fi
- does_pattern_exists_in_file $FILE "$PWD_PATTERN"
+ does_pattern_exist_in_file $FILE "$PWD_PATTERN"
 if [ $FNRET != 0 ]; then
 warn "$PWD_PATTERN not present in $FILE, please configure password for grub"
 else
diff --git a/bin/hardening/3.4_root_password.sh b/bin/hardening/3.4_root_password.sh
index 38ea68e..d00be4c 100755
--- a/bin/hardening/3.4_root_password.sh
+++ b/bin/hardening/3.4_root_password.sh
@@ -16,21 +16,21 @@ PATTERN="^root:[*\!]:"
 # This function will be called if the script status is on enabled / audit mode
 audit () {
- does_pattern_exists_in_file $FILE $PATTERN
+ does_pattern_exist_in_file $FILE $PATTERN
 if [ $FNRET != 1 ]; then
- crit "$PATTERN present in $FILE"
+ crit "$PATTERN is present in $FILE"
 else
- ok "$PATTERN not present in $FILE"
+ ok "$PATTERN is not present in $FILE"
 fi
 }
 # This function will be called if the script status is on enabled mode
 apply () {
- does_pattern_exists_in_file $FILE $PATTERN
+ does_pattern_exist_in_file $FILE $PATTERN
 if [ $FNRET != 1 ]; then
- warn "$PATTERN present in $FILE, please put a root password"
+ warn "$PATTERN is present in $FILE, please put a root password"
 else
- ok "$PATTERN not present in $FILE"
+ ok "$PATTERN is not present in $FILE"
 fi
 :
 }
diff --git a/bin/hardening/4.1_restrict_core_dumps.sh b/bin/hardening/4.1_restrict_core_dumps.sh
index 7ce2f08..9f57b49 100755
--- a/bin/hardening/4.1_restrict_core_dumps.sh
+++ b/bin/hardening/4.1_restrict_core_dumps.sh
@@ -18,7 +18,7 @@ SYSCTL_EXP_RESULT=0
 # This function will be called if the script status is on enabled / audit mode
 audit () {
- does_pattern_exists_in_file $LIMIT_FILE $LIMIT_PATTERN
+ does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN
 if [ $FNRET != 0 ]; then
 crit "$LIMIT_PATTERN not present in $LIMIT_FILE"
 else
@@ -36,9 +36,9 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
- does_pattern_exists_in_file $LIMIT_FILE $LIMIT_PATTERN
+ does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN
 if [ $FNRET != 0 ]; then
- warn "$LIMIT_PATTERN not present in $LIMIT_FILE, addning at the end of $LIMIT_FILE"
+ warn "$LIMIT_PATTERN not present in $LIMIT_FILE, adding at the end of $LIMIT_FILE"
 add_end_of_file $LIMIT_FILE "* hard core 0"
 else
 ok "$LIMIT_PATTERN present in $LIMIT_FILE"
diff --git a/bin/hardening/4.2_enable_nx_support.sh b/bin/hardening/4.2_enable_nx_support.sh
index 356899c..42f76c9 100755
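Review bot: The 3.4 audit hunk only recognises a bare `*` or `!` as the root hash (`PATTERN="^root:[*\!]:"` in the hunk context), so the two states that matter most are reported as `ok "$PATTERN is not present in $FILE"`: an empty field, `root::…`, which is no password at all, and an account locked with `passwd -l`, which shadow-utils writes as `!$6$…` rather than a lone `!`. A pattern that flags all of them is `PATTERN='^root:(:|[*!])'` if the helper runs grep in ERE mode, or `'^root:\(:\|[*!]\)'` in GNU basic syntax (the helper's body is not visible here). The pattern is also passed unquoted, `does_pattern_exist_in_file $FILE $PATTERN`, while the sibling scripts quote it; with a bracket expression inside it that leaves it open to pathname expansion, so `"$PATTERN"` is safer.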
--- a/bin/hardening/4.2_enable_nx_support.sh
+++ b/bin/hardening/4.2_enable_nx_support.sh
@@ -15,21 +15,21 @@ PATTERN='NX[[:space:]]\(Execute[[:space:]]Disable\)[[:space:]]protection:[[:spac
 # This function will be called if the script status is on enabled / audit mode
 audit () {
- does_pattern_exists_in_dmesg $PATTERN
+ does_pattern_exist_in_dmesg $PATTERN
 if [ $FNRET != 0 ]; then
- crit "$PATTERN not present in dmesg"
+ crit "$PATTERN is not present in dmesg"
 else
- ok "$PATTERN present in dmesg"
+ ok "$PATTERN is present in dmesg"
 fi
 }
 # This function will be called if the script status is on enabled mode
 apply () {
- does_pattern_exists_in_dmesg $PATTERN
+ does_pattern_exist_in_dmesg $PATTERN
 if [ $FNRET != 0 ]; then
- crit "$PATTERN not present in dmesg, please go to the bios to activate this option or change for CPU compatible"
+ crit "$PATTERN is not present in dmesg, please go to the bios to activate this option or change for CPU compatible"
 else
- ok "$PATTERN present in dmesg"
+ ok "$PATTERN is present in dmesg"
 fi
 }
diff --git a/bin/hardening/5.1.2_disable_rsh.sh b/bin/hardening/5.1.2_disable_rsh.sh
index c050e4c..d767a7f 100755
--- a/bin/hardening/5.1.2_disable_rsh.sh
+++ b/bin/hardening/5.1.2_disable_rsh.sh
@@ -26,11 +26,11 @@ audit () {
 if [ $FNRET != 0 ]; then
 ok "$FILE does not exist"
 else
- does_pattern_exists_in_file $FILE $PATTERN
+ does_pattern_exist_in_file $FILE $PATTERN
 if [ $FNRET = 0 ]; then
 crit "$PATTERN exists, $PACKAGE services are enabled!"
 else
- ok "$PATTERN not present in $FILE"
+ ok "$PATTERN is not present in $FILE"
 fi
 fi
 else
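Review bot: `does_pattern_exist_in_dmesg $PATTERN` in the 4.2 hunk depends on the boot-time `NX (Execute Disable) protection: active` line still being in the kernel ring buffer; on a host that has been up for a while the buffer has wrapped, the audit turns crit although NX is on, and the apply branch then sends the operator to the BIOS. On x86 the durable source is `/proc/cpuinfo`, where the `nx` flag appears on every core's flags line: `grep -qw nx /proc/cpuinfo` answers the same question without depending on log retention, and the dmesg match can stay as a secondary check. The pattern is also passed unquoted; with its `[[:space:]]` bracket expressions it is subject to glob expansion, so `"$PATTERN"` is safer.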
@@ -55,14 +55,14 @@ apply () {
 ok "$FILE does not exist"
 else
 info "$FILE exists, checking patterns"
- does_pattern_exists_in_file $FILE $PATTERN
+ does_pattern_exist_in_file $FILE $PATTERN
 if [ $FNRET = 0 ]; then
- warn "$PATTERN present in $FILE, purging it"
+ warn "$PATTERN is present in $FILE, purging it"
 backup_file $FILE
 ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
 sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
 else
- ok "$PATTERN not present in $FILE"
+ ok "$PATTERN is not present in $FILE"
 fi
 fi
 done
diff --git a/bin/hardening/5.1.4_disable_talk.sh b/bin/hardening/5.1.4_disable_talk.sh
index 2309943..a741ae2 100755
--- a/bin/hardening/5.1.4_disable_talk.sh
+++ b/bin/hardening/5.1.4_disable_talk.sh
@@ -25,11 +25,11 @@ audit () {
 if [ $FNRET != 0 ]; then
 ok "$FILE does not exist"
 else
- does_pattern_exists_in_file $FILE $PATTERN
+ does_pattern_exist_in_file $FILE $PATTERN
 if [ $FNRET = 0 ]; then
 crit "$PATTERN exists, $PACKAGE services are enabled!"
 else
- ok "$PATTERN not present in $FILE"
+ ok "$PATTERN is not present in $FILE"
 fi
 fi
 else
@@ -54,14 +54,14 @@ apply () {
 ok "$FILE does not exist"
 else
 info "$FILE exists, checking patterns"
- does_pattern_exists_in_file $FILE $PATTERN
+ does_pattern_exist_in_file $FILE $PATTERN
 if [ $FNRET = 0 ]; then
- warn "$PATTERN present in $FILE, purging it"
+ warn "$PATTERN is present in $FILE, purging it"
 backup_file $FILE
 ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
 sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
 else
- ok "$PATTERN not present in $FILE"
+ ok "$PATTERN is not present in $FILE"
 fi
 fi
 done
diff --git a/bin/hardening/5.1.6_disable_telnet_server.sh b/bin/hardening/5.1.6_disable_telnet_server.sh
index 3bf3c3a..40a7d65 100755
--- a/bin/hardening/5.1.6_disable_telnet_server.sh
+++ b/bin/hardening/5.1.6_disable_telnet_server.sh
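Review bot: The purge two lines below the renamed check still runs `sed -ie`, which GNU sed parses as `-i` with the backup suffix `e`, not as `-i -e`; every apply therefore leaves a copy of the inetd configuration named `${FILE}e` next to the original, on top of the backup_file call just above. `sed -i -e "s/$ESCAPED_PATTERN/#&/g" "$FILE"` is the intended form, and quoting `$FILE` (and `<<< "$PATTERN"` on the line before) avoids splitting and globbing the values. The sed line in the preceding statement only rewrites `|`, `(` and `)`, so a PATTERN containing `/` or `&` would still break the `s///` command; worth confirming against the PATTERN values these scripts define. The same lines appear in the apply hunks of 5.1.4, 5.1.6, 5.1.7 and 5.2 to 5.6. The enclosing apply () loop starts outside the hunk.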
@@ -26,11 +26,11 @@ audit () {
 if [ $FNRET != 0 ]; then
 ok "$FILE does not exist"
 else
- does_pattern_exists_in_file $FILE $PATTERN
+ does_pattern_exist_in_file $FILE $PATTERN
 if [ $FNRET = 0 ]; then
 crit "$PATTERN exists, $PACKAGE services are enabled!"
 else
- ok "$PATTERN not present in $FILE"
+ ok "$PATTERN is not present in $FILE"
 fi
 fi
 else
@@ -55,14 +55,14 @@ apply () {
 ok "$FILE does not exist"
 else
 info "$FILE exists, checking patterns"
- does_pattern_exists_in_file $FILE $PATTERN
+ does_pattern_exist_in_file $FILE $PATTERN
 if [ $FNRET = 0 ]; then
- warn "$PATTERN present in $FILE, purging it"
+ warn "$PATTERN is present in $FILE, purging it"
 backup_file $FILE
 ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
 sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
 else
- ok "$PATTERN not present in $FILE"
+ ok "$PATTERN is not present in $FILE"
 fi
 fi
 done
diff --git a/bin/hardening/5.1.7_disable_tftp_server.sh b/bin/hardening/5.1.7_disable_tftp_server.sh
index 5a35d97..456a759 100755
--- a/bin/hardening/5.1.7_disable_tftp_server.sh
+++ b/bin/hardening/5.1.7_disable_tftp_server.sh
@@ -25,11 +25,11 @@ audit () {
 if [ $FNRET != 0 ]; then
 ok "$FILE does not exist"
 else
- does_pattern_exists_in_file $FILE $PATTERN
+ does_pattern_exist_in_file $FILE $PATTERN
 if [ $FNRET = 0 ]; then
 crit "$PATTERN exists, $PACKAGE services are enabled!"
 else
- ok "$PATTERN not present in $FILE"
+ ok "$PATTERN is not present in $FILE"
 fi
 fi
 else
@@ -54,15 +54,14 @@ apply () {
 ok "$FILE does not exist"
 else
 info "$FILE exists, checking patterns"
- does_pattern_exists_in_file $FILE $PATTERN
+ does_pattern_exist_in_file $FILE $PATTERN
 if [ $FNRET = 0 ]; then
- warn "$PATTERN present in $FILE, purging it"
+ warn "$PATTERN is present in $FILE, purging it"
 backup_file $FILE
 ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
 sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
- echo "coucou"
 else
- ok "$PATTERN not present in $FILE"
+ ok "$PATTERN is not present in $FILE"
 fi
 fi
 done
diff --git a/bin/hardening/5.2_disable_chargen.sh b/bin/hardening/5.2_disable_chargen.sh
index 0a2f84a..8f07b09 100755
--- a/bin/hardening/5.2_disable_chargen.sh
+++ b/bin/hardening/5.2_disable_chargen.sh
@@ -20,11 +20,11 @@ audit () {
 if [ $FNRET != 0 ]; then
 ok "$FILE does not exist"
 else
- does_pattern_exists_in_file $FILE $PATTERN
+ does_pattern_exist_in_file $FILE $PATTERN
 if [ $FNRET = 0 ]; then
- crit "$PATTERN exists, chargen services are enabled!"
+ crit "$PATTERN exists, chargen service is enabled!"
 else
- ok "$PATTERN not present in $FILE"
+ ok "$PATTERN is not present in $FILE"
 fi
 fi
 }
@@ -36,14 +36,14 @@ apply () {
 ok "$FILE does not exist"
 else
 info "$FILE exists, checking patterns"
- does_pattern_exists_in_file $FILE $PATTERN
+ does_pattern_exist_in_file $FILE $PATTERN
 if [ $FNRET = 0 ]; then
- warn "$PATTERN present in $FILE, purging it"
+ warn "$PATTERN is present in $FILE, purging it"
 backup_file $FILE
 ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
 sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
 else
- ok "$PATTERN not present in $FILE"
+ ok "$PATTERN is not present in $FILE"
 fi
 fi
 }
diff --git a/bin/hardening/5.3_disable_daytime.sh b/bin/hardening/5.3_disable_daytime.sh
index 35f79aa..c62a8e6 100755
--- a/bin/hardening/5.3_disable_daytime.sh
+++ b/bin/hardening/5.3_disable_daytime.sh
@@ -20,11 +20,11 @@ audit () {
 if [ $FNRET != 0 ]; then
 ok "$FILE does not exist"
 else
- does_pattern_exists_in_file $FILE $PATTERN
+ does_pattern_exist_in_file $FILE $PATTERN
 if [ $FNRET = 0 ]; then
- crit "$PATTERN exists, chargen services are enabled!"
+ crit "$PATTERN exists, daytime service is enabled!"
 else
- ok "$PATTERN not present in $FILE"
+ ok "$PATTERN is not present in $FILE"
 fi
 fi
 }
@@ -36,14 +36,14 @@ apply () {
 ok "$FILE does not exist"
 else
 info "$FILE exists, checking patterns"
- does_pattern_exists_in_file $FILE $PATTERN
+ does_pattern_exist_in_file $FILE $PATTERN
 if [ $FNRET = 0 ]; then
- warn "$PATTERN present in $FILE, purging it"
+ warn "$PATTERN is present in $FILE, purging it"
 backup_file $FILE
 ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
 sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
 else
- ok "$PATTERN not present in $FILE"
+ ok "$PATTERN is not present in $FILE"
 fi
 fi
 }
diff --git a/bin/hardening/5.4_disable_echo.sh b/bin/hardening/5.4_disable_echo.sh
index 698a00f..0e61c25 100755
--- a/bin/hardening/5.4_disable_echo.sh
+++ b/bin/hardening/5.4_disable_echo.sh
@@ -20,11 +20,11 @@ audit () {
 if [ $FNRET != 0 ]; then
 ok "$FILE does not exist"
 else
- does_pattern_exists_in_file $FILE $PATTERN
+ does_pattern_exist_in_file $FILE $PATTERN
 if [ $FNRET = 0 ]; then
- crit "$PATTERN exists, chargen services are enabled!"
+ crit "$PATTERN exists, echo service is enabled!"
 else
- ok "$PATTERN not present in $FILE"
+ ok "$PATTERN is not present in $FILE"
 fi
 fi
 }
@@ -36,14 +36,14 @@ apply () {
 ok "$FILE does not exist"
 else
 info "$FILE exists, checking patterns"
- does_pattern_exists_in_file $FILE $PATTERN
+ does_pattern_exist_in_file $FILE $PATTERN
 if [ $FNRET = 0 ]; then
- warn "$PATTERN present in $FILE, purging it"
+ warn "$PATTERN is present in $FILE, purging it"
 backup_file $FILE
 ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
 sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
 else
- ok "$PATTERN not present in $FILE"
+ ok "$PATTERN is not present in $FILE"
 fi
 fi
 }
diff --git a/bin/hardening/5.5_disable_discard.sh b/bin/hardening/5.5_disable_discard.sh
index 004dff5..731670b 100755
--- a/bin/hardening/5.5_disable_discard.sh
+++ b/bin/hardening/5.5_disable_discard.sh
@@ -20,11 +20,11 @@ audit () {
 if [ $FNRET != 0 ]; then
 ok "$FILE does not exist"
 else
- does_pattern_exists_in_file $FILE $PATTERN
+ does_pattern_exist_in_file $FILE $PATTERN
 if [ $FNRET = 0 ]; then
- crit "$PATTERN exists, chargen services are enabled!"
+ crit "$PATTERN exists, discard service is enabled!"
 else
- ok "$PATTERN not present in $FILE"
+ ok "$PATTERN is not present in $FILE"
 fi
 fi
 }
@@ -36,14 +36,14 @@ apply () {
 ok "$FILE does not exist"
 else
 info "$FILE exists, checking patterns"
- does_pattern_exists_in_file $FILE $PATTERN
+ does_pattern_exist_in_file $FILE $PATTERN
 if [ $FNRET = 0 ]; then
- warn "$PATTERN present in $FILE, purging it"
+ warn "$PATTERN is present in $FILE, purging it"
 backup_file $FILE
 ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
 sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
 else
- ok "$PATTERN not present in $FILE"
+ ok "$PATTERN is not present in $FILE"
 fi
 fi
 }
diff --git a/bin/hardening/5.6_disable_time.sh b/bin/hardening/5.6_disable_time.sh
index bfd983f..862c819 100755
--- a/bin/hardening/5.6_disable_time.sh
+++ b/bin/hardening/5.6_disable_time.sh
@@ -20,11 +20,11 @@ audit () {
 if [ $FNRET != 0 ]; then
 ok "$FILE does not exist"
 else
- does_pattern_exists_in_file $FILE $PATTERN
+ does_pattern_exist_in_file $FILE $PATTERN
 if [ $FNRET = 0 ]; then
- crit "$PATTERN exists, chargen services are enabled!"
+ crit "$PATTERN exists, time service is enabled!"
 else
- ok "$PATTERN not present in $FILE"
+ ok "$PATTERN is not present in $FILE"
 fi
 fi
 }
@@ -36,14 +36,14 @@ apply () {
 ok "$FILE does not exist"
 else
 info "$FILE exists, checking patterns"
- does_pattern_exists_in_file $FILE $PATTERN
+ does_pattern_exist_in_file $FILE $PATTERN
 if [ $FNRET = 0 ]; then
- warn "$PATTERN present in $FILE, purging it"
+ warn "$PATTERN is present in $FILE, purging it"
 backup_file $FILE
 ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
 sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
 else
- ok "$PATTERN not present in $FILE"
+ ok "$PATTERN is not present in $FILE"
 fi
 fi
 }
diff --git a/bin/hardening/6.16_disable_rsync.sh b/bin/hardening/6.16_disable_rsync.sh
index d5a4725..f63e1a8 100755
--- a/bin/hardening/6.16_disable_rsync.sh
+++ b/bin/hardening/6.16_disable_rsync.sh
@@ -23,7 +23,7 @@ audit () {
 ok "$PACKAGE is not installed"
 else
 ok "$PACKAGE is installed, checking configuration"
- does_pattern_exists_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"
+ does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"
 if [ $FNRET != 0 ]; then
 crit "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE"
 else
@@ -39,7 +39,7 @@ apply () {
 ok "$PACKAGE is not installed"
 else
 ok "$PACKAGE is installed, checking configuration"
- does_pattern_exists_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"
+ does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"
 if [ $FNRET != 0 ]; then
 warn "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE, adding it"
 backup_file $RSYNC_DEFAULT_FILE
diff --git a/bin/hardening/6.5_configure_ntp.sh b/bin/hardening/6.5_configure_ntp.sh
index a164e44..aceca2b 100755
--- a/bin/hardening/6.5_configure_ntp.sh
+++ b/bin/hardening/6.5_configure_ntp.sh
@@ -24,13 +24,13 @@ audit () {
 crit "$PACKAGE is not installed!"
 else
 ok "$PACKAGE is installed, checking configuration"
- does_pattern_exists_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN
+ does_pattern_exist_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN
 if [ $FNRET != 0 ]; then
 crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE"
 else
 ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
 fi
- does_pattern_exists_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN"
+ does_pattern_exist_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN"
 if [ $FNRET != 0 ]; then
 crit "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE"
 else
@@ -49,7 +49,7 @@ apply () {
 apt_install $PACKAGE
 info "Checking $PACKAGE configuration"
 fi
- does_pattern_exists_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN
+ does_pattern_exist_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN
 if [ $FNRET != 0 ]; then
 warn "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE, adding it"
 backup_file $NTP_CONF_FILE
@@ -57,7 +57,7 @@ apply () {
 else
 ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
 fi
- does_pattern_exists_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN"
+ does_pattern_exist_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN"
 if [ $FNRET != 0 ]; then
 warn "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE, adding it"
 backup_file $NTP_INIT_FILE
diff --git a/bin/hardening/7.4.4_hosts_deny.sh b/bin/hardening/7.4.4_hosts_deny.sh
index f7a7a07..b91f67e 100755
--- a/bin/hardening/7.4.4_hosts_deny.sh
+++ b/bin/hardening/7.4.4_hosts_deny.sh
@@ -20,12 +20,12 @@ audit () {
 if [ $FNRET != 0 ]; then
 crit "$FILE does not exist"
 else
- ok "$FILE exist, checking configuration"
- does_pattern_exists_in_file $FILE "$PATTERN"
+ ok "$FILE exists, checking configuration"
+ does_pattern_exist_in_file $FILE "$PATTERN"
 if [ $FNRET != 0 ]; then
- crit "$PATTERN not present in $FILE, we have to deny everything"
+ crit "$PATTERN is not present in $FILE, we have to deny everything"
 else
- ok "$PATTERN present in $FILE"
+ ok "$PATTERN is present in $FILE"
 fi
 fi
 }
@@ -37,15 +37,15 @@ apply () {
 warn "$FILE does not exist, creating it"
 touch $FILE
 else
- ok "$FILE exist"
+ ok "$FILE exists"
 fi
- does_pattern_exists_in_file $FILE "$PATTERN"
+ does_pattern_exist_in_file $FILE "$PATTERN"
 if [ $FNRET != 0 ]; then
- crit "$PATTERN not present in $FILE, we have to deny everything"
+ crit "$PATTERN is not present in $FILE, we have to deny everything"
 add_end_of_file $FILE "$PATTERN"
 warn "YOU MAY HAVE CUT YOUR ACCESS, CHECK BEFORE DISCONNECTING"
 else
- ok "$PATTERN present in $FILE"
+ ok "$PATTERN is present in $FILE"
 fi
 }
diff --git a/bin/hardening/8.1.1.1_audit_log_storage.sh b/bin/hardening/8.1.1.1_audit_log_storage.sh
index cda0d96..b452e85 100755
--- a/bin/hardening/8.1.1.1_audit_log_storage.sh
+++ b/bin/hardening/8.1.1.1_audit_log_storage.sh
@@ -21,12 +21,12 @@ audit () {
 if [ $FNRET != 0 ]; then
 crit "$FILE does not exist"
 else
- ok "$FILE exist, checking configuration"
- does_pattern_exists_in_file $FILE "^$PATTERN[[:space:]]"
+ ok "$FILE exists, checking configuration"
+ does_pattern_exist_in_file $FILE "^$PATTERN[[:space:]]"
 if [ $FNRET != 0 ]; then
- crit "$PATTERN not present in $FILE"
+ crit "$PATTERN is not present in $FILE"
 else
- ok "$PATTERN present in $FILE"
+ ok "$PATTERN is present in $FILE"
 fi
 fi
 }
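Review bot: In the 7.4.4 apply hunk the deny rule is appended to $FILE before the operator is told it may have cut their session, and nothing verifies that /etc/hosts.allow grants anything first; on a host whose hosts.allow is empty, a catch-all deny ("we have to deny everything", as the message puts it) locks every tcp-wrapped service, including the one the operator is connected through. A guard before the add_end_of_file call, `if [ ! -s /etc/hosts.allow ]; then crit "/etc/hosts.allow is empty, refusing to deny everything"; return; fi`, stops the script short on an unconfigured host and leaves the existing warning for the configured case. The message for the action itself is `crit` here while every other apply in this diff uses `warn` for "adding it"; `warn` would keep the log levels consistent.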
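Review bot: The 8.1.1.1 audit pattern `^$PATTERN[[:space:]]` on the renamed line matches the parameter name only, so an auditd.conf that sets the key to any value, including one smaller than $VALUE, is reported ok; the apply hunk that follows uses the same pattern and then never reaches its add_end_of_file, so a wrong value is neither detected nor corrected. 8.1.1.2 in this diff already solves this shape: it checks `^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE` first and falls back to replace_in_file when only the key is present. The same two-step check is what 8.1.1.1 needs, with `"^$PATTERN[[:space:]]*=[[:space:]]*$VALUE"` as the audit pattern.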
@@ -38,14 +38,14 @@ apply () {
 warn "$FILE does not exist, creating it"
 touch $FILE
 else
- ok "$FILE exist"
+ ok "$FILE exists"
 fi
- does_pattern_exists_in_file $FILE "^$PATTERN[[:space:]]"
+ does_pattern_exist_in_file $FILE "^$PATTERN[[:space:]]"
 if [ $FNRET != 0 ]; then
- warn "$PATTERN not present in $FILE, adding it"
+ warn "$PATTERN is not present in $FILE, adding it"
 add_end_of_file $FILE "$PATTERN = $VALUE"
 else
- ok "$PATTERN present in $FILE"
+ ok "$PATTERN is present in $FILE"
 fi
 }
diff --git a/bin/hardening/8.1.1.2_halt_when_audit_log_full.sh b/bin/hardening/8.1.1.2_halt_when_audit_log_full.sh
index 5a8cbc0..4dda28b 100755
--- a/bin/hardening/8.1.1.2_halt_when_audit_log_full.sh
+++ b/bin/hardening/8.1.1.2_halt_when_audit_log_full.sh
@@ -20,17 +20,17 @@ audit () {
 if [ $FNRET != 0 ]; then
 crit "$FILE does not exist"
 else
- ok "$FILE exist, checking configuration"
+ ok "$FILE exists, checking configuration"
 for AUDIT_OPTION in $OPTIONS; do
 AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
 AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
 PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
 debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
- does_pattern_exists_in_file $FILE "$PATTERN"
+ does_pattern_exist_in_file $FILE "$PATTERN"
 if [ $FNRET != 0 ]; then
- crit "$PATTERN not present in $FILE"
+ crit "$PATTERN is not present in $FILE"
 else
- ok "$PATTERN present in $FILE"
+ ok "$PATTERN is present in $FILE"
 fi
 done
 fi
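Review bot: PATTERN in the 8.1.1.2 audit loop has no end anchor, so `^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE` also accepts any configured value that merely starts with the expected one (an expected `5` is satisfied by a configured `50`, `email` by `email_x`; constructed examples), and the apply loop in the next hunk then leaves the wrong value in place. `PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE[[:space:]]*$"` in both loops closes that gap; 8.1.1.3 builds the identical pattern and 8.1.3 has the same issue with `^$GRUB_PARAM=$GRUB_VALUE`. The audit hunk ends before the function's closing brace.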
@@ -43,17 +43,17 @@ apply () {
 warn "$FILE does not exist, creating it"
 touch $FILE
 else
- ok "$FILE exist"
+ ok "$FILE exists"
 fi
 for AUDIT_OPTION in $OPTIONS; do
 AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
 AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
 debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
 PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
- does_pattern_exists_in_file $FILE "$PATTERN"
+ does_pattern_exist_in_file $FILE "$PATTERN"
 if [ $FNRET != 0 ]; then
- warn "$PATTERN not present in $FILE, adding it"
- does_pattern_exists_in_file $FILE "^$AUDIT_PARAM"
+ warn "$PATTERN is not present in $FILE, adding it"
+ does_pattern_exist_in_file $FILE "^$AUDIT_PARAM"
 if [ $FNRET != 0 ]; then
 info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end"
 add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE"
@@ -62,7 +62,7 @@ apply () {
 replace_in_file $FILE "^$AUDIT_PARAM[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE"
 fi
 else
- ok "$PATTERN present in $FILE"
+ ok "$PATTERN is present in $FILE"
 fi
 done
 }
diff --git a/bin/hardening/8.1.1.3_keep_all_audit_logs.sh b/bin/hardening/8.1.1.3_keep_all_audit_logs.sh
index 5ff83e5..94521da 100755
--- a/bin/hardening/8.1.1.3_keep_all_audit_logs.sh
+++ b/bin/hardening/8.1.1.3_keep_all_audit_logs.sh
@@ -20,17 +20,17 @@ audit () {
 if [ $FNRET != 0 ]; then
 crit "$FILE does not exist"
 else
- ok "$FILE exist, checking configuration"
+ ok "$FILE exists, checking configuration"
 for AUDIT_OPTION in $OPTIONS; do
 AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
 AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
 PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
 debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
- does_pattern_exists_in_file $FILE "$PATTERN"
+ does_pattern_exist_in_file $FILE "$PATTERN"
 if [ $FNRET != 0 ]; then
- crit "$PATTERN not present in $FILE"
+ crit "$PATTERN is not present in $FILE"
 else
- ok "$PATTERN present in $FILE"
+ ok "$PATTERN is present in $FILE"
 fi
 done
 fi
@@ -43,17 +43,17 @@ apply () {
 warn "$FILE does not exist, creating it"
 touch $FILE
 else
- ok "$FILE exist"
+ ok "$FILE exists"
 fi
 for AUDIT_OPTION in $OPTIONS; do
 AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
 AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
 debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
 PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
- does_pattern_exists_in_file $FILE "$PATTERN"
+ does_pattern_exist_in_file $FILE "$PATTERN"
 if [ $FNRET != 0 ]; then
- warn "$PATTERN not present in $FILE, adding it"
- does_pattern_exists_in_file $FILE "^$AUDIT_PARAM"
+ warn "$PATTERN is not present in $FILE, adding it"
+ does_pattern_exist_in_file $FILE "^$AUDIT_PARAM"
 if [ $FNRET != 0 ]; then
 info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end"
 add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE"
@@ -62,7 +62,7 @@ apply () {
 replace_in_file $FILE "^$AUDIT_PARAM[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE"
 fi
 else
- ok "$PATTERN present in $FILE"
+ ok "$PATTERN is present in $FILE"
 fi
 done
 }
diff --git a/bin/hardening/8.1.10_record_dac_edit.sh b/bin/hardening/8.1.10_record_dac_edit.sh
index ffa8b2e..000abad 100755
--- a/bin/hardening/8.1.10_record_dac_edit.sh
+++ b/bin/hardening/8.1.10_record_dac_edit.sh
@@ -23,12 +23,12 @@ FILE='/etc/audit/audit.rules'
 audit () {
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
- debug "$AUDIT_VALUE must be in file $FILE"
- does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ debug "$AUDIT_VALUE should be in file $FILE"
+ does_pattern_exist_in_file $FILE $AUDIT_VALUE
 if [ $FNRET != 0 ]; then
 crit "$AUDIT_VALUE is not in file $FILE"
 else
- ok "$AUDIT_VALUE present in $FILE"
+ ok "$AUDIT_VALUE is present in $FILE"
 fi
 done
 }
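Review bot: `IFS=$'\n'` at the top of the 8.1.10 audit () hunk is a plain assignment inside a function, so it changes the global IFS for everything that runs after the function returns rather than just this loop; any later code in the script that relies on default word splitting then splits on newlines only. `local IFS=$'\n'` confines it to the function and keeps the loop behaviour unchanged. The rule text is also passed unquoted to does_pattern_exist_in_file on the renamed line; with IFS set to newline it is not split on spaces, but it is still subject to pathname expansion, and it is used as a regex rather than a literal line, so a rule containing `.` or `*` can match more than itself — worth confirming against the AUDIT_PARAMS values, which are outside the hunk. The same two points apply to the audit and apply hunks of 8.1.11 to 8.1.18 and 8.1.4 to 8.1.9.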
@@ -37,14 +37,14 @@ audit () {
 apply () {
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
- debug "$AUDIT_VALUE must be in file $FILE"
- does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ debug "$AUDIT_VALUE should be in file $FILE"
+ does_pattern_exist_in_file $FILE $AUDIT_VALUE
 if [ $FNRET != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
 add_end_of_file $FILE $AUDIT_VALUE
 eval $(pkill -HUP -P 1 auditd)
 else
- ok "$AUDIT_VALUE present in $FILE"
+ ok "$AUDIT_VALUE is present in $FILE"
 fi
 done
 }
diff --git a/bin/hardening/8.1.11_record_failed_access_file.sh b/bin/hardening/8.1.11_record_failed_access_file.sh
index 1e81ec5..a0ab3bf 100755
--- a/bin/hardening/8.1.11_record_failed_access_file.sh
+++ b/bin/hardening/8.1.11_record_failed_access_file.sh
@@ -21,12 +21,12 @@ FILE='/etc/audit/audit.rules'
 audit () {
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
- debug "$AUDIT_VALUE must be in file $FILE"
- does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ debug "$AUDIT_VALUE should be in file $FILE"
+ does_pattern_exist_in_file $FILE $AUDIT_VALUE
 if [ $FNRET != 0 ]; then
 crit "$AUDIT_VALUE is not in file $FILE"
 else
- ok "$AUDIT_VALUE present in $FILE"
+ ok "$AUDIT_VALUE is present in $FILE"
 fi
 done
 }
@@ -35,14 +35,14 @@ audit () {
 apply () {
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
- debug "$AUDIT_VALUE must be in file $FILE"
- does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ debug "$AUDIT_VALUE should be in file $FILE"
+ does_pattern_exist_in_file $FILE $AUDIT_VALUE
 if [ $FNRET != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
 add_end_of_file $FILE $AUDIT_VALUE
 eval $(pkill -HUP -P 1 auditd)
 else
- ok "$AUDIT_VALUE present in $FILE"
+ ok "$AUDIT_VALUE is present in $FILE"
 fi
 done
 }
diff --git a/bin/hardening/8.1.12_record_privileged_commands.sh b/bin/hardening/8.1.12_record_privileged_commands.sh
index 3888f9b..804eff0 100755
--- a/bin/hardening/8.1.12_record_privileged_commands.sh
+++ b/bin/hardening/8.1.12_record_privileged_commands.sh
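Review bot: `eval $(pkill -HUP -P 1 auditd)` in the 8.1.10 apply loop evaluates pkill's standard output, which is empty, so the eval wraps nothing and pkill's exit status is discarded; the plain `pkill -HUP -P 1 auditd` is what is meant, and checking its status would tell the operator when no auditd child of PID 1 was found. As far as I know SIGHUP makes auditd re-read its daemon configuration, while the rules in $FILE are loaded by auditctl or augenrules at service start, so the rule appended just above may not be active until the rule set is reloaded — worth confirming on the auditd version Debian ships. The same line is in the apply hunks of 8.1.11 to 8.1.18 and 8.1.4 to 8.1.9.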
@@ -21,12 +21,12 @@ FILE='/etc/audit/audit.rules'
 audit () {
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
- debug "$AUDIT_VALUE must be in file $FILE"
- does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ debug "$AUDIT_VALUE should be in file $FILE"
+ does_pattern_exist_in_file $FILE $AUDIT_VALUE
 if [ $FNRET != 0 ]; then
 crit "$AUDIT_VALUE is not in file $FILE"
 else
- ok "$AUDIT_VALUE present in $FILE"
+ ok "$AUDIT_VALUE is present in $FILE"
 fi
 done
 }
@@ -35,14 +35,14 @@ audit () {
 apply () {
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
- debug "$AUDIT_VALUE must be in file $FILE"
- does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ debug "$AUDIT_VALUE should be in file $FILE"
+ does_pattern_exist_in_file $FILE $AUDIT_VALUE
 if [ $FNRET != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
 add_end_of_file $FILE $AUDIT_VALUE
 eval $(pkill -HUP -P 1 auditd)
 else
- ok "$AUDIT_VALUE present in $FILE"
+ ok "$AUDIT_VALUE is present in $FILE"
 fi
 done
 }
diff --git a/bin/hardening/8.1.13_record_successful_mount.sh b/bin/hardening/8.1.13_record_successful_mount.sh
index 9efa734..cf2d7ae 100755
--- a/bin/hardening/8.1.13_record_successful_mount.sh
+++ b/bin/hardening/8.1.13_record_successful_mount.sh
@@ -19,12 +19,12 @@ FILE='/etc/audit/audit.rules'
 audit () {
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
- debug "$AUDIT_VALUE must be in file $FILE"
- does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ debug "$AUDIT_VALUE should be in file $FILE"
+ does_pattern_exist_in_file $FILE $AUDIT_VALUE
 if [ $FNRET != 0 ]; then
 crit "$AUDIT_VALUE is not in file $FILE"
 else
- ok "$AUDIT_VALUE present in $FILE"
+ ok "$AUDIT_VALUE is present in $FILE"
 fi
 done
 }
@@ -33,14 +33,14 @@ audit () {
 apply () {
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
- debug "$AUDIT_VALUE must be in file $FILE"
- does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ debug "$AUDIT_VALUE should be in file $FILE"
+ does_pattern_exist_in_file $FILE $AUDIT_VALUE
 if [ $FNRET != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
 add_end_of_file $FILE $AUDIT_VALUE
 eval $(pkill -HUP -P 1 auditd)
 else
- ok "$AUDIT_VALUE present in $FILE"
+ ok "$AUDIT_VALUE is present in $FILE"
 fi
 done
 }
diff --git a/bin/hardening/8.1.14_record_file_deletions.sh b/bin/hardening/8.1.14_record_file_deletions.sh
index 31fb0ef..f3012d7 100755
--- a/bin/hardening/8.1.14_record_file_deletions.sh
+++ b/bin/hardening/8.1.14_record_file_deletions.sh
@@ -19,12 +19,12 @@ FILE='/etc/audit/audit.rules'
 audit () {
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
- debug "$AUDIT_VALUE must be in file $FILE"
- does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ debug "$AUDIT_VALUE should be in file $FILE"
+ does_pattern_exist_in_file $FILE $AUDIT_VALUE
 if [ $FNRET != 0 ]; then
 crit "$AUDIT_VALUE is not in file $FILE"
 else
- ok "$AUDIT_VALUE present in $FILE"
+ ok "$AUDIT_VALUE is present in $FILE"
 fi
 done
 }
@@ -33,14 +33,14 @@ audit () {
 apply () {
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
- debug "$AUDIT_VALUE must be in file $FILE"
- does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ debug "$AUDIT_VALUE should be in file $FILE"
+ does_pattern_exist_in_file $FILE $AUDIT_VALUE
 if [ $FNRET != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
 add_end_of_file $FILE $AUDIT_VALUE
 eval $(pkill -HUP -P 1 auditd)
 else
- ok "$AUDIT_VALUE present in $FILE"
+ ok "$AUDIT_VALUE is present in $FILE"
 fi
 done
 }
diff --git a/bin/hardening/8.1.15_record_sudoers_edit.sh b/bin/hardening/8.1.15_record_sudoers_edit.sh
index 6498a66..190b35e 100755
--- a/bin/hardening/8.1.15_record_sudoers_edit.sh
+++ b/bin/hardening/8.1.15_record_sudoers_edit.sh
@@ -19,12 +19,12 @@ FILE='/etc/audit/audit.rules'
 audit () {
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
- debug "$AUDIT_VALUE must be in file $FILE"
- does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ debug "$AUDIT_VALUE should be in file $FILE"
+ does_pattern_exist_in_file $FILE $AUDIT_VALUE
 if [ $FNRET != 0 ]; then
 crit "$AUDIT_VALUE is not in file $FILE"
 else
- ok "$AUDIT_VALUE present in $FILE"
+ ok "$AUDIT_VALUE is present in $FILE"
 fi
 done
 }
@@ -33,14 +33,14 @@ audit () {
 apply () {
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
- debug "$AUDIT_VALUE must be in file $FILE"
- does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ debug "$AUDIT_VALUE should be in file $FILE"
+ does_pattern_exist_in_file $FILE $AUDIT_VALUE
 if [ $FNRET != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
 add_end_of_file $FILE $AUDIT_VALUE
 eval $(pkill -HUP -P 1 auditd)
 else
- ok "$AUDIT_VALUE present in $FILE"
+ ok "$AUDIT_VALUE is present in $FILE"
 fi
 done
 }
diff --git a/bin/hardening/8.1.16_record_sudo_usage.sh b/bin/hardening/8.1.16_record_sudo_usage.sh
index c42b74b..f98c75e 100755
--- a/bin/hardening/8.1.16_record_sudo_usage.sh
+++ b/bin/hardening/8.1.16_record_sudo_usage.sh
@@ -18,12 +18,12 @@ FILE='/etc/audit/audit.rules'
 audit () {
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
- debug "$AUDIT_VALUE must be in file $FILE"
- does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ debug "$AUDIT_VALUE should be in file $FILE"
+ does_pattern_exist_in_file $FILE $AUDIT_VALUE
 if [ $FNRET != 0 ]; then
 crit "$AUDIT_VALUE is not in file $FILE"
 else
- ok "$AUDIT_VALUE present in $FILE"
+ ok "$AUDIT_VALUE is present in $FILE"
 fi
 done
 }
@@ -32,14 +32,14 @@ audit () {
 apply () {
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
- debug "$AUDIT_VALUE must be in file $FILE"
- does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ debug "$AUDIT_VALUE should be in file $FILE"
+ does_pattern_exist_in_file $FILE $AUDIT_VALUE
 if [ $FNRET != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
 add_end_of_file $FILE $AUDIT_VALUE
 eval $(pkill -HUP -P 1 auditd)
 else
- ok "$AUDIT_VALUE present in $FILE"
+ ok "$AUDIT_VALUE is present in $FILE"
 fi
 done
 }
diff --git a/bin/hardening/8.1.17_record_kernel_modules.sh b/bin/hardening/8.1.17_record_kernel_modules.sh
index ee524fb..9b01400 100755
--- a/bin/hardening/8.1.17_record_kernel_modules.sh
+++ b/bin/hardening/8.1.17_record_kernel_modules.sh
@@ -21,12 +21,12 @@ FILE='/etc/audit/audit.rules'
 audit () {
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
- debug "$AUDIT_VALUE must be in file $FILE"
- does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ debug "$AUDIT_VALUE should be in file $FILE"
+ does_pattern_exist_in_file $FILE $AUDIT_VALUE
 if [ $FNRET != 0 ]; then
 crit "$AUDIT_VALUE is not in file $FILE"
 else
- ok "$AUDIT_VALUE present in $FILE"
+ ok "$AUDIT_VALUE is present in $FILE"
 fi
 done
 }
@@ -35,14 +35,14 @@ audit () {
 apply () {
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
- debug "$AUDIT_VALUE must be in file $FILE"
- does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ debug "$AUDIT_VALUE should be in file $FILE"
+ does_pattern_exist_in_file $FILE $AUDIT_VALUE
 if [ $FNRET != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
 add_end_of_file $FILE $AUDIT_VALUE
 eval $(pkill -HUP -P 1 auditd)
 else
- ok "$AUDIT_VALUE present in $FILE"
+ ok "$AUDIT_VALUE is present in $FILE"
 fi
 done
 }
diff --git a/bin/hardening/8.1.18_freeze_auditd_conf.sh b/bin/hardening/8.1.18_freeze_auditd_conf.sh
index 2c29902..ce1686d 100755
--- a/bin/hardening/8.1.18_freeze_auditd_conf.sh
+++ b/bin/hardening/8.1.18_freeze_auditd_conf.sh
@@ -18,12 +18,12 @@ FILE='/etc/audit/audit.rules'
 audit () {
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
- debug "$AUDIT_VALUE must be in file $FILE"
- does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ debug "$AUDIT_VALUE should be in file $FILE"
+ does_pattern_exist_in_file $FILE $AUDIT_VALUE
 if [ $FNRET != 0 ]; then
 crit "$AUDIT_VALUE is not in file $FILE"
 else
- ok "$AUDIT_VALUE present in $FILE"
+ ok "$AUDIT_VALUE is present in $FILE"
 fi
 done
 }
@@ -32,14 +32,14 @@ audit () {
 apply () {
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
- debug "$AUDIT_VALUE must be in file $FILE"
- does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ debug "$AUDIT_VALUE should be in file $FILE"
+ does_pattern_exist_in_file $FILE $AUDIT_VALUE
 if [ $FNRET != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
 add_end_of_file $FILE $AUDIT_VALUE
 eval $(pkill -HUP -P 1 auditd)
 else
- ok "$AUDIT_VALUE present in $FILE"
+ ok "$AUDIT_VALUE is present in $FILE"
 fi
 done
 }
diff --git a/bin/hardening/8.1.3_audit_bootloader.sh b/bin/hardening/8.1.3_audit_bootloader.sh
index 523e687..b477718 100755
--- a/bin/hardening/8.1.3_audit_bootloader.sh
+++ b/bin/hardening/8.1.3_audit_bootloader.sh
@@ -20,17 +20,17 @@ audit () {
 if [ $FNRET != 0 ]; then
 crit "$FILE does not exist"
 else
- ok "$FILE exist, checking configuration"
+ ok "$FILE exists, checking configuration"
 for GRUB_OPTION in $OPTIONS; do
 GRUB_PARAM=$(echo $GRUB_OPTION | cut -d= -f 1)
 GRUB_VALUE=$(echo $GRUB_OPTION | cut -d= -f 2,3)
 PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
 debug "$GRUB_PARAM should be set to $GRUB_VALUE"
- does_pattern_exists_in_file $FILE "$PATTERN"
+ does_pattern_exist_in_file $FILE "$PATTERN"
 if [ $FNRET != 0 ]; then
- crit "$PATTERN not present in $FILE"
+ crit "$PATTERN is not present in $FILE"
 else
- ok "$PATTERN present in $FILE"
+ ok "$PATTERN is present in $FILE"
 fi
 done
 fi
@@ -43,17 +43,17 @@ apply () {
 warn "$FILE does not exist, creating it"
 touch $FILE
 else
- ok "$FILE exist"
+ ok "$FILE exists"
 fi
 for GRUB_OPTION in $OPTIONS; do
 GRUB_PARAM=$(echo $GRUB_OPTION | cut -d= -f 1)
 GRUB_VALUE=$(echo $GRUB_OPTION | cut -d= -f 2,3)
 debug "$GRUB_PARAM should be set to $GRUB_VALUE"
 PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
- does_pattern_exists_in_file $FILE "$PATTERN"
+ does_pattern_exist_in_file $FILE "$PATTERN"
 if [ $FNRET != 0 ]; then
- warn "$PATTERN not present in $FILE, adding it"
- does_pattern_exists_in_file $FILE "^$GRUB_PARAM"
+ warn "$PATTERN is not present in $FILE, adding it"
+ does_pattern_exist_in_file $FILE "^$GRUB_PARAM"
 if [ $FNRET != 0 ]; then
 info "Parameter $GRUB_PARAM seems absent from $FILE, adding at the end"
 add_end_of_file $FILE "$GRUB_PARAM = $GRUB_VALUE"
@@ -62,7 +62,7 @@ apply () {
 replace_in_file $FILE "^$GRUB_PARAM=.*" "$GRUB_PARAM=$GRUB_VALUE"
 fi
 else
- ok "$PATTERN present in $FILE"
+ ok "$PATTERN is present in $FILE"
 fi
 done
 }
diff --git a/bin/hardening/8.1.4_record_date_time_edit.sh b/bin/hardening/8.1.4_record_date_time_edit.sh
index af4625d..0ca5c76 100755
--- a/bin/hardening/8.1.4_record_date_time_edit.sh
+++ b/bin/hardening/8.1.4_record_date_time_edit.sh
@@ -22,12 +22,12 @@ FILE='/etc/audit/audit.rules'
 audit () {
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
- debug "$AUDIT_VALUE must be in file $FILE"
- does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ debug "$AUDIT_VALUE should be in file $FILE"
+ does_pattern_exist_in_file $FILE $AUDIT_VALUE
 if [ $FNRET != 0 ]; then
 crit "$AUDIT_VALUE is not in file $FILE"
 else
- ok "$AUDIT_VALUE present in $FILE"
+ ok "$AUDIT_VALUE is present in $FILE"
 fi
 done
 }
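Review bot: The add_end_of_file call in the 8.1.3 apply hunk writes `$GRUB_PARAM = $GRUB_VALUE` with spaces around `=`, while the replace_in_file branch in the next hunk and the audit pattern `^$GRUB_PARAM=$GRUB_VALUE` use none; a parameter that was missing is therefore appended in a form the next audit run will never match, and if $FILE is /etc/default/grub as the script name suggests, `NAME = value` is not a valid assignment for a file that is sourced as shell. `add_end_of_file $FILE "$GRUB_PARAM=$GRUB_VALUE"` makes the three agree. The loop body is split across the two hunks; the `fi`/`done` are in the second.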
@@ -36,14 +36,14 @@ audit () {
 apply () {
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
- debug "$AUDIT_VALUE must be in file $FILE"
- does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ debug "$AUDIT_VALUE should be in file $FILE"
+ does_pattern_exist_in_file $FILE $AUDIT_VALUE
 if [ $FNRET != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
 add_end_of_file $FILE $AUDIT_VALUE
 eval $(pkill -HUP -P 1 auditd)
 else
- ok "$AUDIT_VALUE present in $FILE"
+ ok "$AUDIT_VALUE is present in $FILE"
 fi
 done
 }
diff --git a/bin/hardening/8.1.5_record_user_group_edit.sh b/bin/hardening/8.1.5_record_user_group_edit.sh
index 46b0698..7660c2d 100755
--- a/bin/hardening/8.1.5_record_user_group_edit.sh
+++ b/bin/hardening/8.1.5_record_user_group_edit.sh
@@ -22,12 +22,12 @@ FILE='/etc/audit/audit.rules'
 audit () {
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
- debug "$AUDIT_VALUE must be in file $FILE"
- does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ debug "$AUDIT_VALUE should be in file $FILE"
+ does_pattern_exist_in_file $FILE $AUDIT_VALUE
 if [ $FNRET != 0 ]; then
 crit "$AUDIT_VALUE is not in file $FILE"
 else
- ok "$AUDIT_VALUE present in $FILE"
+ ok "$AUDIT_VALUE is present in $FILE"
 fi
 done
 }
@@ -36,14 +36,14 @@ audit () {
 apply () {
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
- debug "$AUDIT_VALUE must be in file $FILE"
- does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ debug "$AUDIT_VALUE should be in file $FILE"
+ does_pattern_exist_in_file $FILE $AUDIT_VALUE
 if [ $FNRET != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
 add_end_of_file $FILE $AUDIT_VALUE
 eval $(pkill -HUP -P 1 auditd)
 else
- ok "$AUDIT_VALUE present in $FILE"
+ ok "$AUDIT_VALUE is present in $FILE"
 fi
 done
 }
diff --git a/bin/hardening/8.1.6_record_network_edit.sh b/bin/hardening/8.1.6_record_network_edit.sh
index 6589d33..ebf4bc2 100755
--- a/bin/hardening/8.1.6_record_network_edit.sh
+++ b/bin/hardening/8.1.6_record_network_edit.sh
@@ -23,12 +23,12 @@ FILE='/etc/audit/audit.rules' audit () { IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE must be in file $FILE" - does_pattern_exists_in_file $FILE $AUDIT_VALUE + debug "$AUDIT_VALUE should be in file $FILE" + does_pattern_exist_in_file $FILE $AUDIT_VALUE if [ $FNRET != 0 ]; then crit "$AUDIT_VALUE is not in file $FILE" else - ok "$AUDIT_VALUE present in $FILE" + ok "$AUDIT_VALUE is present in $FILE" fi done } @@ -37,14 +37,14 @@ audit () { apply () { IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE must be in file $FILE" - does_pattern_exists_in_file $FILE $AUDIT_VALUE + debug "$AUDIT_VALUE should be in file $FILE" + does_pattern_exist_in_file $FILE $AUDIT_VALUE if [ $FNRET != 0 ]; then warn "$AUDIT_VALUE is not in file $FILE, adding it" add_end_of_file $FILE $AUDIT_VALUE eval $(pkill -HUP -P 1 auditd) else - ok "$AUDIT_VALUE present in $FILE" + ok "$AUDIT_VALUE is present in $FILE" fi done } diff --git a/bin/hardening/8.1.7_record_mac_edit.sh b/bin/hardening/8.1.7_record_mac_edit.sh index 71a6a1b..7c9350b 100755 --- a/bin/hardening/8.1.7_record_mac_edit.sh +++ b/bin/hardening/8.1.7_record_mac_edit.sh @@ -18,12 +18,12 @@ FILE='/etc/audit/audit.rules' audit () { IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE must be in file $FILE" - does_pattern_exists_in_file $FILE $AUDIT_VALUE + debug "$AUDIT_VALUE should be in file $FILE" + does_pattern_exist_in_file $FILE $AUDIT_VALUE if [ $FNRET != 0 ]; then crit "$AUDIT_VALUE is not in file $FILE" else - ok "$AUDIT_VALUE present in $FILE" + ok "$AUDIT_VALUE is present in $FILE" fi done } 
@@ -32,14 +32,14 @@ audit () { apply () { IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE must be in file $FILE" - does_pattern_exists_in_file $FILE $AUDIT_VALUE + debug "$AUDIT_VALUE should be in file $FILE" + does_pattern_exist_in_file $FILE $AUDIT_VALUE if [ $FNRET != 0 ]; then warn "$AUDIT_VALUE is not in file $FILE, adding it" add_end_of_file $FILE $AUDIT_VALUE eval $(pkill -HUP -P 1 auditd) else - ok "$AUDIT_VALUE present in $FILE" + ok "$AUDIT_VALUE is present in $FILE" fi done } diff --git a/bin/hardening/8.1.8_record_login_logout.sh b/bin/hardening/8.1.8_record_login_logout.sh index e64e425..ed52837 100755 --- a/bin/hardening/8.1.8_record_login_logout.sh +++ b/bin/hardening/8.1.8_record_login_logout.sh @@ -20,12 +20,12 @@ FILE='/etc/audit/audit.rules' audit () { IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE must be in file $FILE" - does_pattern_exists_in_file $FILE $AUDIT_VALUE + debug "$AUDIT_VALUE should be in file $FILE" + does_pattern_exist_in_file $FILE $AUDIT_VALUE if [ $FNRET != 0 ]; then crit "$AUDIT_VALUE is not in file $FILE" else - ok "$AUDIT_VALUE present in $FILE" + ok "$AUDIT_VALUE is present in $FILE" fi done } @@ -34,14 +34,14 @@ audit () { apply () { IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE must be in file $FILE" - does_pattern_exists_in_file $FILE $AUDIT_VALUE + debug "$AUDIT_VALUE should be in file $FILE" + does_pattern_exist_in_file $FILE $AUDIT_VALUE if [ $FNRET != 0 ]; then warn "$AUDIT_VALUE is not in file $FILE, adding it" add_end_of_file $FILE $AUDIT_VALUE eval $(pkill -HUP -P 1 auditd) else - ok "$AUDIT_VALUE present in $FILE" + ok "$AUDIT_VALUE is present in $FILE" fi done } diff --git a/bin/hardening/8.1.9_record_session_init.sh b/bin/hardening/8.1.9_record_session_init.sh index 81281e8..29a42b3 100755 --- a/bin/hardening/8.1.9_record_session_init.sh +++ b/bin/hardening/8.1.9_record_session_init.sh 
@@ -20,12 +20,12 @@ FILE='/etc/audit/audit.rules' audit () { IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE must be in file $FILE" - does_pattern_exists_in_file $FILE $AUDIT_VALUE + debug "$AUDIT_VALUE should be in file $FILE" + does_pattern_exist_in_file $FILE $AUDIT_VALUE if [ $FNRET != 0 ]; then crit "$AUDIT_VALUE is not in file $FILE" else - ok "$AUDIT_VALUE present in $FILE" + ok "$AUDIT_VALUE is present in $FILE" fi done } @@ -34,14 +34,14 @@ audit () { apply () { IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE must be in file $FILE" - does_pattern_exists_in_file $FILE $AUDIT_VALUE + debug "$AUDIT_VALUE should be in file $FILE" + does_pattern_exist_in_file $FILE $AUDIT_VALUE if [ $FNRET != 0 ]; then warn "$AUDIT_VALUE is not in file $FILE, adding it" add_end_of_file $FILE $AUDIT_VALUE eval $(pkill -HUP -P 1 auditd) else - ok "$AUDIT_VALUE present in $FILE" + ok "$AUDIT_VALUE is present in $FILE" fi done } diff --git a/bin/hardening/8.2.4_set_logfile_perm.sh b/bin/hardening/8.2.4_set_logfile_perm.sh index 85e864a..b4c1aff 100755 --- a/bin/hardening/8.2.4_set_logfile_perm.sh +++ b/bin/hardening/8.2.4_set_logfile_perm.sh @@ -27,7 +27,7 @@ audit () { if [ $FNRET = 0 ]; then ok "$FILE has correct ownership" else - crit "$FILE is not $USER:$GROUP ownership set" + crit "$FILE ownership was not set to $USER:$GROUP" fi has_file_correct_permissions $FILE $PERMISSIONS if [ $FNRET = 0 ]; then @@ -51,7 +51,7 @@ apply () { if [ $FNRET = 0 ]; then ok "$FILE has correct ownership" else - warn "$FILE is not $USER:$GROUP ownership set" + warn "fixing $FILE ownership to $USER:$GROUP" chown $USER:$GROUP $FILE fi has_file_correct_permissions $FILE $PERMISSIONS diff --git a/bin/hardening/8.2.5_syslog-ng_remote_host.sh b/bin/hardening/8.2.5_syslog-ng_remote_host.sh index 5950abe..8aeb628 100755 --- a/bin/hardening/8.2.5_syslog-ng_remote_host.sh +++ b/bin/hardening/8.2.5_syslog-ng_remote_host.sh 
@@ -16,22 +16,22 @@ PATTERN='^destination.*(tcp|udp)[[:space:]]*\([[:space:]]*\".*\"[[:space:]]*\)' # This function will be called if the script status is on enabled / audit mode audit () { FILES="$SYSLOG_BASEDIR/syslog-ng.conf $SYSLOG_BASEDIR/conf.d/*" - does_pattern_exists_in_file "$FILES" "$PATTERN" + does_pattern_exist_in_file "$FILES" "$PATTERN" if [ $FNRET != 0 ]; then - crit "$PATTERN not present in $FILES" + crit "$PATTERN is not present in $FILES" else - ok "$PATTERN present in $FILES" + ok "$PATTERN is present in $FILES" fi } # This function will be called if the script status is on enabled mode apply () { FILES="$SYSLOG_BASEDIR/syslog-ng.conf $SYSLOG_BASEDIR/conf.d/*" - does_pattern_exists_in_file "$FILES" "$PATTERN" + does_pattern_exist_in_file "$FILES" "$PATTERN" if [ $FNRET != 0 ]; then - crit "$PATTERN not present in $FILES, please set a remote host to send your logs" + crit "$PATTERN is not present in $FILES, please set a remote host to send your logs" else - ok "$PATTERN present in $FILES" + ok "$PATTERN is present in $FILES" fi } diff --git a/bin/hardening/8.3.2_tripwire_cron.sh b/bin/hardening/8.3.2_tripwire_cron.sh index 36aef43..eeb9c49 100755 --- a/bin/hardening/8.3.2_tripwire_cron.sh +++ b/bin/hardening/8.3.2_tripwire_cron.sh 
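Review bot: The audit in this hunk only proves that some `destination` with a tcp()/udp() target is defined somewhere in $FILES; it does not check that a `log { ... }` statement references it, nor that the host is remote rather than `"127.0.0.1"`, so a defined-but-unused or loopback destination passes the check. Consider a second `does_pattern_exist_in_file` on a `^log.*destination\(` pattern, or make the crit/ok wording say that only the definition was verified, so the audit claims no more than it tests. Note also that `FILES` is passed as one quoted string containing the `conf.d/*` glob; whether the helper expands it is not visible here, so verify it does not end up looking for a literal `*`.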
@@ -16,28 +16,28 @@ PATTERN='tripwire --check' # This function will be called if the script status is on enabled / audit mode audit () { - does_pattern_exists_in_file "$FILES" "$PATTERN" + does_pattern_exist_in_file "$FILES" "$PATTERN" if [ $FNRET != 0 ]; then - crit "$PATTERN not present in $FILES" + crit "$PATTERN is not present in $FILES" else - ok "$PATTERN present in $FILES" - fi + ok "$PATTERN is present in $FILES" + fi } # This function will be called if the script status is on enabled mode apply () { - does_pattern_exists_in_file "$FILES" "$PATTERN" + does_pattern_exist_in_file "$FILES" "$PATTERN" if [ $FNRET != 0 ]; then - warn "$PATTERN not present in $FILES, setting tripwire cron" - echo "0 10 * * * root /usr/sbin/tripwire --check > /dev/shm/tripwire_check 2>&1 " > /etc/cron.d/CIS_8.3.2_tripwire + warn "$PATTERN is not present in $FILES, setting tripwire cron" + echo "0 10 * * * root /usr/sbin/tripwire --check > /dev/shm/tripwire_check 2>&1 " > /etc/cron.d/CIS_8.3.2_tripwire else - ok "$PATTERN present in $FILES" + ok "$PATTERN is present in $FILES" fi } # This function will check config parameters required check_config() { - : + : } # Source Root Dir Parameter @@ -50,7 +50,7 @@ else echo "No CIS_ROOT_DIR variable, aborting" exit 128 fi -fi +fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then diff --git a/bin/hardening/9.1.2_crontab_perm_ownership.sh b/bin/hardening/9.1.2_crontab_perm_ownership.sh index 162a14d..ec101a2 100755 --- a/bin/hardening/9.1.2_crontab_perm_ownership.sh +++ b/bin/hardening/9.1.2_crontab_perm_ownership.sh @@ -22,7 +22,7 @@ audit () { if [ $FNRET = 0 ]; then ok "$FILE has correct ownership" else - crit "$FILE is not $USER:$GROUP ownership set" + crit "$FILE ownership was not set to $USER:$GROUP" fi has_file_correct_permissions $FILE $PERMISSIONS if [ $FNRET = 0 ]; then 
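Review bot: The cron line written in the apply hunk redirects the integrity-check output to `/dev/shm/tripwire_check`, a world-writable, non-persistent tmpfs: any local user can read the report (which lists what changed on the system) or pre-create the file before the 10:00 run, and it is gone after a reboot. Write it under a root-only path instead, e.g. `echo "0 10 * * * root /usr/sbin/tripwire --check > /var/log/tripwire_check.log 2>&1" > /etc/cron.d/CIS_8.3.2_tripwire` with the log created beforehand by `install -m 600 -o root -g root /dev/null /var/log/tripwire_check.log`, or drop the redirect and rely on tripwire's own report directory. Separately, `PATTERN='tripwire --check'` (from the hunk header) is unanchored, so a commented-out `#0 10 * * * root /usr/sbin/tripwire --check` line satisfies the audit; `PATTERN='^[^#]*tripwire --check'` excludes disabled entries.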
@@ -43,7 +43,7 @@ apply () { if [ $FNRET = 0 ]; then ok "$FILE has correct ownership" else - warn "$FILE is not $USER:$GROUP ownership set" + warn "fixing $FILE ownership to $USER:$GROUP" chown $USER:$GROUP $FILE fi has_file_correct_permissions $FILE $PERMISSIONS diff --git a/bin/hardening/9.1.3_cron_hourly_perm_ownership.sh b/bin/hardening/9.1.3_cron_hourly_perm_ownership.sh index cb6e4d7..a31a748 100755 --- a/bin/hardening/9.1.3_cron_hourly_perm_ownership.sh +++ b/bin/hardening/9.1.3_cron_hourly_perm_ownership.sh @@ -22,7 +22,7 @@ audit () { if [ $FNRET = 0 ]; then ok "$FILE has correct ownership" else - crit "$FILE is not $USER:$GROUP ownership set" + crit "$FILE ownership was not set to $USER:$GROUP" fi has_file_correct_permissions $FILE $PERMISSIONS if [ $FNRET = 0 ]; then @@ -43,7 +43,7 @@ apply () { if [ $FNRET = 0 ]; then ok "$FILE has correct ownership" else - warn "$FILE is not $USER:$GROUP ownership set" + warn "fixing $FILE ownership to $USER:$GROUP" chown $USER:$GROUP $FILE fi has_file_correct_permissions $FILE $PERMISSIONS diff --git a/bin/hardening/9.1.4_cron_daily_perm_ownership.sh b/bin/hardening/9.1.4_cron_daily_perm_ownership.sh index 379848e..8e85297 100755 --- a/bin/hardening/9.1.4_cron_daily_perm_ownership.sh +++ b/bin/hardening/9.1.4_cron_daily_perm_ownership.sh @@ -22,7 +22,7 @@ audit () { if [ $FNRET = 0 ]; then ok "$FILE has correct ownership" else - crit "$FILE is not $USER:$GROUP ownership set" + crit "$FILE ownership was not set to $USER:$GROUP" fi has_file_correct_permissions $FILE $PERMISSIONS if [ $FNRET = 0 ]; then @@ -43,7 +43,7 @@ apply () { if [ $FNRET = 0 ]; then ok "$FILE has correct ownership" else - warn "$FILE is not $USER:$GROUP ownership set" + warn "fixing $FILE ownership to $USER:$GROUP" chown $USER:$GROUP $FILE fi has_file_correct_permissions $FILE $PERMISSIONS diff --git a/bin/hardening/9.1.5_cron_weekly_perm_ownership.sh b/bin/hardening/9.1.5_cron_weekly_perm_ownership.sh index c9c89da..732935a 100755 
--- a/bin/hardening/9.1.5_cron_weekly_perm_ownership.sh +++ b/bin/hardening/9.1.5_cron_weekly_perm_ownership.sh @@ -22,7 +22,7 @@ audit () { if [ $FNRET = 0 ]; then ok "$FILE has correct ownership" else - crit "$FILE is not $USER:$GROUP ownership set" + crit "$FILE ownership was not set to $USER:$GROUP" fi has_file_correct_permissions $FILE $PERMISSIONS if [ $FNRET = 0 ]; then @@ -43,7 +43,7 @@ apply () { if [ $FNRET = 0 ]; then ok "$FILE has correct ownership" else - warn "$FILE is not $USER:$GROUP ownership set" + warn "fixing $FILE ownership to $USER:$GROUP" chown $USER:$GROUP $FILE fi has_file_correct_permissions $FILE $PERMISSIONS diff --git a/bin/hardening/9.1.6_cron_monthly_perm_ownership.sh b/bin/hardening/9.1.6_cron_monthly_perm_ownership.sh index cfdc8ce..1568433 100755 --- a/bin/hardening/9.1.6_cron_monthly_perm_ownership.sh +++ b/bin/hardening/9.1.6_cron_monthly_perm_ownership.sh @@ -22,7 +22,7 @@ audit () { if [ $FNRET = 0 ]; then ok "$FILE has correct ownership" else - crit "$FILE is not $USER:$GROUP ownership set" + crit "$FILE ownership was not set to $USER:$GROUP" fi has_file_correct_permissions $FILE $PERMISSIONS if [ $FNRET = 0 ]; then @@ -43,7 +43,7 @@ apply () { if [ $FNRET = 0 ]; then ok "$FILE has correct ownership" else - warn "$FILE is not $USER:$GROUP ownership set" + warn "fixing $FILE ownership to $USER:$GROUP" chown $USER:$GROUP $FILE fi has_file_correct_permissions $FILE $PERMISSIONS diff --git a/bin/hardening/9.1.7_cron_d_perm_ownership.sh b/bin/hardening/9.1.7_cron_d_perm_ownership.sh index ffb9a68..3c8878a 100755 --- a/bin/hardening/9.1.7_cron_d_perm_ownership.sh +++ b/bin/hardening/9.1.7_cron_d_perm_ownership.sh @@ -22,7 +22,7 @@ audit () { if [ $FNRET = 0 ]; then ok "$FILE has correct ownership" else - crit "$FILE is not $USER:$GROUP ownership set" + crit "$FILE ownership was not set to $USER:$GROUP" fi has_file_correct_permissions $FILE $PERMISSIONS if [ $FNRET = 0 ]; then 
@@ -43,7 +43,7 @@ apply () { if [ $FNRET = 0 ]; then ok "$FILE has correct ownership" else - warn "$FILE is not $USER:$GROUP ownership set" + warn "fixing $FILE ownership to $USER:$GROUP" chown $USER:$GROUP $FILE fi has_file_correct_permissions $FILE $PERMISSIONS diff --git a/bin/hardening/9.1.8_cron_users.sh b/bin/hardening/9.1.8_cron_users.sh index 6d63e9f..248ca75 100755 --- a/bin/hardening/9.1.8_cron_users.sh +++ b/bin/hardening/9.1.8_cron_users.sh @@ -36,7 +36,7 @@ audit () { if [ $FNRET = 0 ]; then ok "$FILE has correct ownership" else - crit "$FILE is not $USER:$GROUP ownership set" + crit "$FILE ownership was not set to $USER:$GROUP" fi has_file_correct_permissions $FILE $PERMISSIONS if [ $FNRET = 0 ]; then @@ -69,7 +69,7 @@ apply () { if [ $FNRET = 0 ]; then ok "$FILE has correct ownership" else - warn "$FILE is not $USER:$GROUP ownership set" + warn "fixing $FILE ownership to $USER:$GROUP" chown $USER:$GROUP $FILE fi has_file_correct_permissions $FILE $PERMISSIONS diff --git a/bin/hardening/9.2.1_enable_cracklib.sh b/bin/hardening/9.2.1_enable_cracklib.sh index b860e5c..b1caad3 100755 --- a/bin/hardening/9.2.1_enable_cracklib.sh +++ b/bin/hardening/9.2.1_enable_cracklib.sh @@ -22,7 +22,7 @@ audit () { crit "$PACKAGE is not installed!" else ok "$PACKAGE is installed" - does_pattern_exists_in_file $FILE $PATTERN + does_pattern_exist_in_file $FILE $PATTERN if [ $FNRET = 0 ]; then ok "$PATTERN is present in $FILE" else @@ -40,7 +40,7 @@ apply () { crit "$PACKAGE is absent, installing it" apt_install $PACKAGE fi - does_pattern_exists_in_file $FILE $PATTERN + does_pattern_exist_in_file $FILE $PATTERN if [ $FNRET = 0 ]; then ok "$PATTERN is present in $FILE" else diff --git a/bin/hardening/9.2.2_enable_lockout_failed_password.sh b/bin/hardening/9.2.2_enable_lockout_failed_password.sh index f43fba8..2f7e70d 100755 --- a/bin/hardening/9.2.2_enable_lockout_failed_password.sh +++ b/bin/hardening/9.2.2_enable_lockout_failed_password.sh 
@@ -22,7 +22,7 @@ audit () { crit "$PACKAGE is not installed!" else ok "$PACKAGE is installed" - does_pattern_exists_in_file $FILE $PATTERN + does_pattern_exist_in_file $FILE $PATTERN if [ $FNRET = 0 ]; then ok "$PATTERN is present in $FILE" else @@ -40,7 +40,7 @@ apply () { crit "$PACKAGE is absent, installing it" apt_install $PACKAGE fi - does_pattern_exists_in_file $FILE $PATTERN + does_pattern_exist_in_file $FILE $PATTERN if [ $FNRET = 0 ]; then ok "$PATTERN is present in $FILE" else diff --git a/bin/hardening/9.2.3_limit_password_reuse.sh b/bin/hardening/9.2.3_limit_password_reuse.sh index e6ef225..f8bfa51 100755 --- a/bin/hardening/9.2.3_limit_password_reuse.sh +++ b/bin/hardening/9.2.3_limit_password_reuse.sh @@ -22,7 +22,7 @@ audit () { crit "$PACKAGE is not installed!" else ok "$PACKAGE is installed" - does_pattern_exists_in_file $FILE $PATTERN + does_pattern_exist_in_file $FILE $PATTERN if [ $FNRET = 0 ]; then ok "$PATTERN is present in $FILE" else @@ -40,7 +40,7 @@ apply () { crit "$PACKAGE is absent, installing it" apt_install $PACKAGE fi - does_pattern_exists_in_file $FILE $PATTERN + does_pattern_exist_in_file $FILE $PATTERN if [ $FNRET = 0 ]; then ok "$PATTERN is present in $FILE" else diff --git a/bin/hardening/9.3.10_disable_sshd_setenv.sh b/bin/hardening/9.3.10_disable_sshd_setenv.sh index 1434f8d..85c5da7 100755 --- a/bin/hardening/9.3.10_disable_sshd_setenv.sh +++ b/bin/hardening/9.3.10_disable_sshd_setenv.sh @@ -26,7 +26,7 @@ audit () { SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exists_in_file $FILE "$PATTERN" + does_pattern_exist_in_file $FILE "$PATTERN" if [ $FNRET = 0 ]; then ok "$PATTERN is present in $FILE" else 
@@ -49,12 +49,12 @@ apply () { SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exists_in_file $FILE "$PATTERN" + does_pattern_exist_in_file $FILE "$PATTERN" if [ $FNRET = 0 ]; then ok "$PATTERN is present in $FILE" else - warn "$PATTERN not present in $FILE, adding it" - does_pattern_exists_in_file $FILE "^$SSH_PARAM" + warn "$PATTERN is not present in $FILE, adding it" + does_pattern_exist_in_file $FILE "^$SSH_PARAM" if [ $FNRET != 0 ]; then add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" else diff --git a/bin/hardening/9.3.11_sshd_ciphers.sh b/bin/hardening/9.3.11_sshd_ciphers.sh index 3d6f02c..e7bd221 100755 --- a/bin/hardening/9.3.11_sshd_ciphers.sh +++ b/bin/hardening/9.3.11_sshd_ciphers.sh @@ -26,7 +26,7 @@ audit () { SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exists_in_file $FILE "$PATTERN" + does_pattern_exist_in_file $FILE "$PATTERN" if [ $FNRET = 0 ]; then ok "$PATTERN is present in $FILE" else @@ -49,12 +49,12 @@ apply () { SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exists_in_file $FILE "$PATTERN" + does_pattern_exist_in_file $FILE "$PATTERN" if [ $FNRET = 0 ]; then ok "$PATTERN is present in $FILE" else - warn "$PATTERN not present in $FILE, adding it" - does_pattern_exists_in_file $FILE "^$SSH_PARAM" + warn "$PATTERN is not present in $FILE, adding it" + does_pattern_exist_in_file $FILE "^$SSH_PARAM" if [ $FNRET != 0 ]; then add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" else diff --git a/bin/hardening/9.3.12_sshd_idle_timeout.sh b/bin/hardening/9.3.12_sshd_idle_timeout.sh index f6ec735..a5c9a30 100755 --- a/bin/hardening/9.3.12_sshd_idle_timeout.sh +++ b/bin/hardening/9.3.12_sshd_idle_timeout.sh 
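Review bot: `PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"` in the 9.3.11 audit hunk has no end anchor and allows zero separator characters, so a `Ciphers` line that starts with the approved list but appends a weak cipher (e.g. `...,aes128-ctr,arcfour`) still passes the audit, as would a line with the value glued to the keyword. Anchor the value, e.g. `PATTERN="^$SSH_PARAM[[:space:]][[:space:]]*$SSH_VALUE[[:space:]]*\$"`, which stays a valid basic regex whatever grep flavour the helper uses. The same pattern construction is repeated in every 9.3.x script in this patch, so the fix belongs in all of them or in a shared helper.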
@@ -26,7 +26,7 @@ audit () { SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exists_in_file $FILE "$PATTERN" + does_pattern_exist_in_file $FILE "$PATTERN" if [ $FNRET = 0 ]; then ok "$PATTERN is present in $FILE" else @@ -49,12 +49,12 @@ apply () { SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exists_in_file $FILE "$PATTERN" + does_pattern_exist_in_file $FILE "$PATTERN" if [ $FNRET = 0 ]; then ok "$PATTERN is present in $FILE" else - warn "$PATTERN not present in $FILE, adding it" - does_pattern_exists_in_file $FILE "^$SSH_PARAM" + warn "$PATTERN is not present in $FILE, adding it" + does_pattern_exist_in_file $FILE "^$SSH_PARAM" if [ $FNRET != 0 ]; then add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" else diff --git a/bin/hardening/9.3.13_sshd_limit_access.sh b/bin/hardening/9.3.13_sshd_limit_access.sh index 7852edb..91cae4a 100755 --- a/bin/hardening/9.3.13_sshd_limit_access.sh +++ b/bin/hardening/9.3.13_sshd_limit_access.sh @@ -27,7 +27,7 @@ audit () { SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) SSH_VALUE=$(sed "s/'//g" <<< $SSH_VALUE) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exists_in_file $FILE "$PATTERN" + does_pattern_exist_in_file $FILE "$PATTERN" if [ $FNRET = 0 ]; then ok "$PATTERN is present in $FILE" else 
@@ -51,12 +51,12 @@ apply () { SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) SSH_VALUE=$(sed "s/'//g" <<< $SSH_VALUE) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exists_in_file $FILE "$PATTERN" + does_pattern_exist_in_file $FILE "$PATTERN" if [ $FNRET = 0 ]; then ok "$PATTERN is present in $FILE" else - warn "$PATTERN not present in $FILE, adding it" - does_pattern_exists_in_file $FILE "^$SSH_PARAM" + warn "$PATTERN is not present in $FILE, adding it" + does_pattern_exist_in_file $FILE "^$SSH_PARAM" if [ $FNRET != 0 ]; then add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" else diff --git a/bin/hardening/9.3.14_ssh_banner.sh b/bin/hardening/9.3.14_ssh_banner.sh index 60e1c78..46e5278 100755 --- a/bin/hardening/9.3.14_ssh_banner.sh +++ b/bin/hardening/9.3.14_ssh_banner.sh @@ -25,7 +25,7 @@ audit () { for SSH_OPTION in $OPTIONS; do SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) PATTERN="^$SSH_PARAM[[:space:]]*" - does_pattern_exists_in_file $FILE "$PATTERN" + does_pattern_exist_in_file $FILE "$PATTERN" if [ $FNRET = 0 ]; then ok "$PATTERN is present in $FILE" else @@ -48,12 +48,12 @@ apply () { SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exists_in_file $FILE "$PATTERN" + does_pattern_exist_in_file $FILE "$PATTERN" if [ $FNRET = 0 ]; then ok "$PATTERN is present in $FILE" else - warn "$PATTERN not present in $FILE, adding it" - does_pattern_exists_in_file $FILE "^$SSH_PARAM" + warn "$PATTERN is not present in $FILE, adding it" + does_pattern_exist_in_file $FILE "^$SSH_PARAM" if [ $FNRET != 0 ]; then add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" else diff --git a/bin/hardening/9.3.1_sshd_protocol.sh b/bin/hardening/9.3.1_sshd_protocol.sh index 20f716a..6dd85dc 100755 --- a/bin/hardening/9.3.1_sshd_protocol.sh +++ b/bin/hardening/9.3.1_sshd_protocol.sh 
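Review bot: The 9.3.14 audit hunk checks only `^Banner[[:space:]]*`, so `Banner none` (sshd's built-in "no banner" value) is reported as compliant. Check for the configured value as the apply path already does: add `SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)` and use `PATTERN="^$SSH_PARAM[[:space:]][[:space:]]*$SSH_VALUE[[:space:]]*\$"` in audit as well. Whether the banner file named in $SSH_VALUE exists is not checked anywhere visible; a missing file makes sshd log a warning and show nothing, so a test -r on it would make the ok message trustworthy.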
@@ -26,7 +26,7 @@ audit () { SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exists_in_file $FILE "$PATTERN" + does_pattern_exist_in_file $FILE "$PATTERN" if [ $FNRET = 0 ]; then ok "$PATTERN is present in $FILE" else @@ -49,12 +49,12 @@ apply () { SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exists_in_file $FILE "$PATTERN" + does_pattern_exist_in_file $FILE "$PATTERN" if [ $FNRET = 0 ]; then ok "$PATTERN is present in $FILE" else - warn "$PATTERN not present in $FILE, adding it" - does_pattern_exists_in_file $FILE "^$SSH_PARAM" + warn "$PATTERN is not present in $FILE, adding it" + does_pattern_exist_in_file $FILE "^$SSH_PARAM" if [ $FNRET != 0 ]; then add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" else diff --git a/bin/hardening/9.3.2_sshd_loglevel.sh b/bin/hardening/9.3.2_sshd_loglevel.sh index 44579a0..eb7bb48 100755 --- a/bin/hardening/9.3.2_sshd_loglevel.sh +++ b/bin/hardening/9.3.2_sshd_loglevel.sh @@ -26,7 +26,7 @@ audit () { SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exists_in_file $FILE "$PATTERN" + does_pattern_exist_in_file $FILE "$PATTERN" if [ $FNRET = 0 ]; then ok "$PATTERN is present in $FILE" else 
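Review bot: `^Protocol[[:space:]]*2` in the 9.3.1 audit hunk is an unanchored prefix, so `Protocol 2,1`, which keeps the broken SSHv1 protocol enabled, is reported as compliant. Anchor the value: `PATTERN="^$SSH_PARAM[[:space:]][[:space:]]*$SSH_VALUE[[:space:]]*\$"`. This is the sshd check where the prefix match flips the security outcome outright, so it deserves a fixture containing `Protocol 2,1` in the test run.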
@@ -49,12 +49,12 @@ apply () { SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exists_in_file $FILE "$PATTERN" + does_pattern_exist_in_file $FILE "$PATTERN" if [ $FNRET = 0 ]; then ok "$PATTERN is present in $FILE" else - warn "$PATTERN not present in $FILE, adding it" - does_pattern_exists_in_file $FILE "^$SSH_PARAM" + warn "$PATTERN is not present in $FILE, adding it" + does_pattern_exist_in_file $FILE "^$SSH_PARAM" if [ $FNRET != 0 ]; then add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" else diff --git a/bin/hardening/9.3.3_sshd_conf_perm_ownership.sh b/bin/hardening/9.3.3_sshd_conf_perm_ownership.sh index fff7667..0e702a8 100755 --- a/bin/hardening/9.3.3_sshd_conf_perm_ownership.sh +++ b/bin/hardening/9.3.3_sshd_conf_perm_ownership.sh @@ -22,7 +22,7 @@ audit () { if [ $FNRET = 0 ]; then ok "$FILE has correct ownership" else - crit "$FILE is not $USER:$GROUP ownership set" + crit "$FILE ownership was not set to $USER:$GROUP" fi has_file_correct_permissions $FILE $PERMISSIONS if [ $FNRET = 0 ]; then @@ -43,7 +43,7 @@ apply () { if [ $FNRET = 0 ]; then ok "$FILE has correct ownership" else - warn "$FILE is not $USER:$GROUP ownership set" + warn "fixing $FILE ownership to $USER:$GROUP" chown $USER:$GROUP $FILE fi has_file_correct_permissions $FILE $PERMISSIONS diff --git a/bin/hardening/9.3.4_disable_x11_forwarding.sh b/bin/hardening/9.3.4_disable_x11_forwarding.sh index 9ec1340..c0857ef 100755 --- a/bin/hardening/9.3.4_disable_x11_forwarding.sh +++ b/bin/hardening/9.3.4_disable_x11_forwarding.sh @@ -26,7 +26,7 @@ audit () { SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exists_in_file $FILE "$PATTERN" + does_pattern_exist_in_file $FILE "$PATTERN" if [ $FNRET = 0 ]; then ok "$PATTERN is present in $FILE" else 
@@ -49,12 +49,12 @@ apply () { SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exists_in_file $FILE "$PATTERN" + does_pattern_exist_in_file $FILE "$PATTERN" if [ $FNRET = 0 ]; then ok "$PATTERN is present in $FILE" else - warn "$PATTERN not present in $FILE, adding it" - does_pattern_exists_in_file $FILE "^$SSH_PARAM" + warn "$PATTERN is not present in $FILE, adding it" + does_pattern_exist_in_file $FILE "^$SSH_PARAM" if [ $FNRET != 0 ]; then add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" else diff --git a/bin/hardening/9.3.5_sshd_maxauthtries.sh b/bin/hardening/9.3.5_sshd_maxauthtries.sh index 832e0e9..1780873 100755 --- a/bin/hardening/9.3.5_sshd_maxauthtries.sh +++ b/bin/hardening/9.3.5_sshd_maxauthtries.sh @@ -26,7 +26,7 @@ audit () { SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exists_in_file $FILE "$PATTERN" + does_pattern_exist_in_file $FILE "$PATTERN" if [ $FNRET = 0 ]; then ok "$PATTERN is present in $FILE" else @@ -49,12 +49,12 @@ apply () { SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exists_in_file $FILE "$PATTERN" + does_pattern_exist_in_file $FILE "$PATTERN" if [ $FNRET = 0 ]; then ok "$PATTERN is present in $FILE" else - warn "$PATTERN not present in $FILE, adding it" - does_pattern_exists_in_file $FILE "^$SSH_PARAM" + warn "$PATTERN is not present in $FILE, adding it" + does_pattern_exist_in_file $FILE "^$SSH_PARAM" if [ $FNRET != 0 ]; then add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" else diff --git a/bin/hardening/9.3.6_enable_sshd_ignorerhosts.sh b/bin/hardening/9.3.6_enable_sshd_ignorerhosts.sh index 00fbde0..030b581 100755 --- a/bin/hardening/9.3.6_enable_sshd_ignorerhosts.sh +++ b/bin/hardening/9.3.6_enable_sshd_ignorerhosts.sh 
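Review bot: In the 9.3.5 audit hunk `^MaxAuthTries[[:space:]]*4` also matches `MaxAuthTries 40` or `400`, so an over-permissive value passes; anchor the pattern, `PATTERN="^$SSH_PARAM[[:space:]][[:space:]]*$SSH_VALUE[[:space:]]*\$"`. Note also that the check is for equality with the configured value while the control is an upper bound, so a stricter `MaxAuthTries 3` is flagged as non-compliant and, presumably, rewritten by the replace branch of apply that lies below the hunk; comparing numerically (`-le $SSH_VALUE`) would avoid loosening a tighter setting.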
@@ -26,7 +26,7 @@ audit () { SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exists_in_file $FILE "$PATTERN" + does_pattern_exist_in_file $FILE "$PATTERN" if [ $FNRET = 0 ]; then ok "$PATTERN is present in $FILE" else @@ -49,12 +49,12 @@ apply () { SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exists_in_file $FILE "$PATTERN" + does_pattern_exist_in_file $FILE "$PATTERN" if [ $FNRET = 0 ]; then ok "$PATTERN is present in $FILE" else - warn "$PATTERN not present in $FILE, adding it" - does_pattern_exists_in_file $FILE "^$SSH_PARAM" + warn "$PATTERN is not present in $FILE, adding it" + does_pattern_exist_in_file $FILE "^$SSH_PARAM" if [ $FNRET != 0 ]; then add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" else diff --git a/bin/hardening/9.3.7_disable_sshd_hostbasedauthentication.sh b/bin/hardening/9.3.7_disable_sshd_hostbasedauthentication.sh index d4dff06..d3bcf0f 100755 --- a/bin/hardening/9.3.7_disable_sshd_hostbasedauthentication.sh +++ b/bin/hardening/9.3.7_disable_sshd_hostbasedauthentication.sh @@ -26,7 +26,7 @@ audit () { SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exists_in_file $FILE "$PATTERN" + does_pattern_exist_in_file $FILE "$PATTERN" if [ $FNRET = 0 ]; then ok "$PATTERN is present in $FILE" else 
@@ -49,12 +49,12 @@ apply () { SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exists_in_file $FILE "$PATTERN" + does_pattern_exist_in_file $FILE "$PATTERN" if [ $FNRET = 0 ]; then ok "$PATTERN is present in $FILE" else - warn "$PATTERN not present in $FILE, adding it" - does_pattern_exists_in_file $FILE "^$SSH_PARAM" + warn "$PATTERN is not present in $FILE, adding it" + does_pattern_exist_in_file $FILE "^$SSH_PARAM" if [ $FNRET != 0 ]; then add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" else diff --git a/bin/hardening/9.3.8_disable_root_login.sh b/bin/hardening/9.3.8_disable_root_login.sh index 13539c1..22ab96b 100755 --- a/bin/hardening/9.3.8_disable_root_login.sh +++ b/bin/hardening/9.3.8_disable_root_login.sh @@ -26,7 +26,7 @@ audit () { SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exists_in_file $FILE "$PATTERN" + does_pattern_exist_in_file $FILE "$PATTERN" if [ $FNRET = 0 ]; then ok "$PATTERN is present in $FILE" else @@ -49,12 +49,12 @@ apply () { SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exists_in_file $FILE "$PATTERN" + does_pattern_exist_in_file $FILE "$PATTERN" if [ $FNRET = 0 ]; then ok "$PATTERN is present in $FILE" else - warn "$PATTERN not present in $FILE, adding it" - does_pattern_exists_in_file $FILE "^$SSH_PARAM" + warn "$PATTERN is not present in $FILE, adding it" + does_pattern_exist_in_file $FILE "^$SSH_PARAM" if [ $FNRET != 0 ]; then add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" else diff --git a/bin/hardening/9.3.9_disable_sshd_permitemptypasswords.sh b/bin/hardening/9.3.9_disable_sshd_permitemptypasswords.sh index 0a80f2a..32e3388 100755 --- a/bin/hardening/9.3.9_disable_sshd_permitemptypasswords.sh 
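Review bot: Both 9.3.8 hunks treat sshd_config as flat text, but sshd scopes directives that follow a `Match` line to that block and honours the first occurrence of a keyword, so a `PermitRootLogin no` inside a `Match` block satisfies the audit while the global setting stays at its default, and `add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"` in the apply hunk appends after any trailing `Match` block, where the new directive is not global either. For the audit, prefer the effective configuration, `sshd -T 2>/dev/null | grep -qi "^permitrootlogin $SSH_VALUE\$"`, and for apply insert the directive before the first `Match` line rather than at the end of the file. `sshd -T` needs root and an sshd new enough to support it, which the script header should state. The same consideration applies to every 9.3.x script that uses this pattern; the branch of apply that replaces an existing directive is outside the hunk.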
+++ b/bin/hardening/9.3.9_disable_sshd_permitemptypasswords.sh @@ -26,7 +26,7 @@ audit () { SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exists_in_file $FILE "$PATTERN" + does_pattern_exist_in_file $FILE "$PATTERN" if [ $FNRET = 0 ]; then ok "$PATTERN is present in $FILE" else @@ -49,12 +49,12 @@ apply () { SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exists_in_file $FILE "$PATTERN" + does_pattern_exist_in_file $FILE "$PATTERN" if [ $FNRET = 0 ]; then ok "$PATTERN is present in $FILE" else - warn "$PATTERN not present in $FILE, adding it" - does_pattern_exists_in_file $FILE "^$SSH_PARAM" + warn "$PATTERN is not present in $FILE, adding it" + does_pattern_exist_in_file $FILE "^$SSH_PARAM" if [ $FNRET != 0 ]; then add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" else diff --git a/bin/hardening/9.5_restrict_su.sh b/bin/hardening/9.5_restrict_su.sh index c29f5b0..1b7d583 100755 --- a/bin/hardening/9.5_restrict_su.sh +++ b/bin/hardening/9.5_restrict_su.sh @@ -22,7 +22,7 @@ audit () { crit "$PACKAGE is not installed!" else ok "$PACKAGE is installed" - does_pattern_exists_in_file $FILE $PATTERN + does_pattern_exist_in_file $FILE $PATTERN if [ $FNRET = 0 ]; then ok "$PATTERN is present in $FILE" else @@ -40,7 +40,7 @@ apply () { crit "$PACKAGE is absent, installing it" apt_install $PACKAGE fi - does_pattern_exists_in_file $FILE $PATTERN + does_pattern_exist_in_file $FILE $PATTERN if [ $FNRET = 0 ]; then ok "$PATTERN is present in $FILE" else diff --git a/bin/hardening/99.1_timeout_tty.sh b/bin/hardening/99.1_timeout_tty.sh index 66f2678..1c39958 100755 --- a/bin/hardening/99.1_timeout_tty.sh +++ b/bin/hardening/99.1_timeout_tty.sh 
@@ -19,26 +19,26 @@ FILE='/etc/profile.d/CIS_99.1_timeout.sh'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
- does_pattern_exists_in_file "$FILES_TO_SEARCH" "^$PATTERN"
+ does_pattern_exist_in_file "$FILES_TO_SEARCH" "^$PATTERN"
 if [ $FNRET != 0 ]; then
- crit "$PATTERN not present in $FILES_TO_SEARCH"
+ crit "$PATTERN is not present in $FILES_TO_SEARCH"
 else
- ok "$PATTERN present in $FILES_TO_SEARCH"
+ ok "$PATTERN is present in $FILES_TO_SEARCH"
 fi
 }
 # This function will be called if the script status is on enabled mode
 apply () {
- does_pattern_exists_in_file "$FILES_TO_SEARCH" "^$PATTERN"
+ does_pattern_exist_in_file "$FILES_TO_SEARCH" "^$PATTERN"
 if [ $FNRET != 0 ]; then
- warn "$PATTERN not present in $FILES_TO_SEARCH"
+ warn "$PATTERN is not present in $FILES_TO_SEARCH"
 touch $FILE
 chmod 644 $FILE
 add_end_of_file $FILE "$PATTERN$VALUE"
 add_end_of_file $FILE "readonly TMOUT"
 add_end_of_file $FILE "export TMOUT"
 else
- ok "$PATTERN present in $FILES_TO_SEARCH"
+ ok "$PATTERN is present in $FILES_TO_SEARCH"
 fi
 }
diff --git a/bin/hardening/99.2_disable_usb_devices.sh b/bin/hardening/99.2_disable_usb_devices.sh
index 27e455d..32ea621 100755
--- a/bin/hardening/99.2_disable_usb_devices.sh
+++ b/bin/hardening/99.2_disable_usb_devices.sh
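Review bot: The audit in 99.1_timeout_tty.sh only tests that some line starts with `$PATTERN`, not that it carries the expected `$VALUE`; since the apply branch writes `"$PATTERN$VALUE"`, PATTERN is presumably the bare `TMOUT=` keyword, in which case an existing `TMOUT=0` or any arbitrarily large value satisfies the audit while the idle timeout is effectively disabled. The same applies to the `readonly TMOUT` line: apply adds it, but audit never checks it is present, so a later profile script can still override the value. Consider auditing the full assignment, `does_pattern_exist_in_file "$FILES_TO_SEARCH" "^$PATTERN$VALUE"`, and checking for `readonly TMOUT` as well. PATTERN, VALUE and FILES_TO_SEARCH are assigned outside the hunk.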
@@ -18,19 +18,19 @@ FILE='/etc/udev/rules.d/10-CIS_99.2_usb_devices.sh'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
- does_pattern_exists_in_file "$FILES_TO_SEARCH" "^$PATTERN"
+ does_pattern_exist_in_file "$FILES_TO_SEARCH" "^$PATTERN"
 if [ $FNRET != 0 ]; then
- crit "$PATTERN not present in $FILES_TO_SEARCH"
+ crit "$PATTERN is not present in $FILES_TO_SEARCH"
 else
- ok "$PATTERN present in $FILES_TO_SEARCH"
+ ok "$PATTERN is present in $FILES_TO_SEARCH"
 fi
 }
 # This function will be called if the script status is on enabled mode
 apply () {
- does_pattern_exists_in_file "$FILES_TO_SEARCH" "^$PATTERN"
+ does_pattern_exist_in_file "$FILES_TO_SEARCH" "^$PATTERN"
 if [ $FNRET != 0 ]; then
- warn "$PATTERN not present in $FILES_TO_SEARCH"
+ warn "$PATTERN is not present in $FILES_TO_SEARCH"
 touch $FILE
 chmod 644 $FILE
 add_end_of_file $FILE '
@@ -47,7 +47,7 @@ ACTION=="add", ATTR{product}=="*[Kk]eyboard*", TEST=="authorized", ATTR{authoriz
 ACTION=="add", ATTR{product}=="*Thinnet TM*", TEST=="authorized", ATTR{authorized}="1"
 '
 else
- ok "$PATTERN present in $FILES_TO_SEARCH"
+ ok "$PATTERN is present in $FILES_TO_SEARCH"
 fi
 }
diff --git a/debian/changelog b/debian/changelog
index 60f44e1..001975b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+cis-hardening (1.0-8) wheezy; urgency=low
+
+ * phrasing reworked all over the place
+ * added debian dependencies bash and bc
+
+ -- Kevin Tanguy Tue, 26 Apr 2016 10:26:18 +0200
+
 cis-hardening (1.0-7) wheezy; urgency=low
 * Fixed 6.15 netstat analysis
diff --git a/debian/control b/debian/control
index f373d57..3f3baf0 100644
--- a/debian/control
+++ b/debian/control
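Review bot: The apply branch of 99.2_disable_usb_devices.sh writes its udev rules to `FILE='/etc/udev/rules.d/10-CIS_99.2_usb_devices.sh'` (visible in the hunk header context), but udev only loads files in rules.d that end in `.rules`, so the file it creates is never read and the USB restriction is not enforced, while every later audit still reports ok because the pattern is found in `$FILES_TO_SEARCH`. Rename the target, e.g. to `FILE='/etc/udev/rules.d/10-CIS_99.2_usb_devices.rules'` (suggested name, not in the commit), and make sure FILES_TO_SEARCH covers the new name. A comment above the allow-list rules in the second hunk should also state that `ATTR{product}` is a device-supplied string, so the match identifies a device class rather than authenticating the device. FILE and FILES_TO_SEARCH are assigned outside the hunk.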
@@ -10,7 +10,7 @@ Vcs-Browser: https://github.com/ovh/debian-cis/
 Package: cis-hardening
 Architecture: all
-Depends: ${shlibs:Depends}, ${misc:Depends}
+Depends: ${shlibs:Depends}, ${misc:Depends}, bash, bc
 Description: Suite of configurable scripts to audit or harden a Debian Wheezy.
 Modular Debian 7 security hardening scripts based on cisecurity.org ⟨cisecurity.org⟩ recommendations. We use it at OVH ⟨https://ovh.com⟩ to
diff --git a/lib/utils.sh b/lib/utils.sh
index f459932..abd9e72 100644
--- a/lib/utils.sh
+++ b/lib/utils.sh
@@ -48,7 +48,7 @@ set_sysctl_param() {
 # Dmesg
 #
-does_pattern_exists_in_dmesg() {
+does_pattern_exist_in_dmesg() {
 local PATTERN=$1
 if $(dmesg | grep -qE "$PATTERN"); then
 FNRET=0
@@ -95,7 +95,7 @@ has_file_correct_permissions() {
 fi
 }
-does_pattern_exists_in_file() {
+does_pattern_exist_in_file() {
 local FILE=$1
 local PATTERN=$2
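Review bot: `if $(dmesg | grep -qE "$PATTERN"); then` in the renamed does_pattern_exist_in_dmesg wraps the pipeline in a command substitution, so the shell executes grep's (empty, because of `-q`) output as a command and the branch only works because bash falls back to the substitution's exit status when the resulting command is empty; should `-q` ever be dropped the matched text would be run as a command. Test the pipeline directly: `if dmesg | grep -qE "$PATTERN"; then`. A one-line comment such as `# PATTERN is an ERE supplied by the calling hardening script, not user input` would also make the trust boundary explicit. The function body continues past the end of the hunk.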