mirror of
https://github.com/ovh/debian-cis.git
synced 2024-11-21 21:17:00 +01:00
Check that package are installed before launching check (#69)
* FIX(1.6.1,1.7.1.x): check if apparmor and grub is installed * FIX(2.2.15): check package install * FIX(4.2.x): check package install * FIX(5.1.x): check crontab files exist * FIX(5.2.1): check package install * FIX(99.3.3.x): check conf file exist * Remove useless SUDO_CMD * Deal with non existant /run/shm * Replace exit code 128 by exit code 2 fix #65 Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
This commit is contained in:
parent
f8ac58700d
commit
1c51e4cec4
@ -24,7 +24,11 @@ OPTION="nodev"
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
PARTITION=$(readlink -e "$PARTITION")
|
||||
if [ -e "$PARTITION" ]; then
|
||||
PARTITION=$(readlink -e "$PARTITION")
|
||||
else
|
||||
PARTITION="/dev/shm"
|
||||
fi
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
|
@ -24,7 +24,11 @@ OPTION="nosuid"
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
PARTITION=$(readlink -e "$PARTITION")
|
||||
if [ -e "$PARTITION" ]; then
|
||||
PARTITION=$(readlink -e "$PARTITION")
|
||||
else
|
||||
PARTITION="/dev/shm"
|
||||
fi
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
|
@ -24,7 +24,11 @@ OPTION="noexec"
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
PARTITION=$(readlink -e "$PARTITION")
|
||||
if [ -e "$PARTITION" ]; then
|
||||
PARTITION=$(readlink -e "$PARTITION")
|
||||
else
|
||||
PARTITION="/dev/shm"
|
||||
fi
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
|
@ -66,22 +66,22 @@ check_config() {
|
||||
is_pkg_installed "grub-pc"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "Grub is not installed, not handling configuration"
|
||||
exit 128
|
||||
exit 2
|
||||
fi
|
||||
does_user_exist "$USER"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$USER does not exist"
|
||||
exit 128
|
||||
exit 2
|
||||
fi
|
||||
does_group_exist "$GROUP"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$GROUP does not exist"
|
||||
exit 128
|
||||
exit 2
|
||||
fi
|
||||
does_file_exist "$FILE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
exit 128
|
||||
exit 2
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -51,7 +51,6 @@ apply() {
|
||||
else
|
||||
ok "$PWD_PATTERN is present in $FILE"
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
@ -59,11 +58,11 @@ check_config() {
|
||||
is_pkg_installed "grub-pc"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "grub-pc is not installed, not handling configuration"
|
||||
exit 128
|
||||
exit 2
|
||||
fi
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
exit 128
|
||||
exit 2
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -38,7 +38,6 @@ apply() {
|
||||
else
|
||||
ok "$PATTERN is not present in $FILE"
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
|
@ -35,31 +35,39 @@ nx_supported_and_enabled() {
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
does_pattern_exist_in_dmesg "$PATTERN"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
nx_supported_and_enabled
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
|
||||
else
|
||||
ok "NX is supported and enabled"
|
||||
fi
|
||||
if [ "$IS_CONTAINER" -eq 1 ]; then
|
||||
ok "Container detected, cannot read dmesg!"
|
||||
else
|
||||
ok "$PATTERN is present in dmesg"
|
||||
does_pattern_exist_in_dmesg "$PATTERN"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
nx_supported_and_enabled
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
|
||||
else
|
||||
ok "NX is supported and enabled"
|
||||
fi
|
||||
else
|
||||
ok "$PATTERN is present in dmesg"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
does_pattern_exist_in_dmesg "$PATTERN"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
nx_supported_and_enabled
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
|
||||
else
|
||||
ok "NX is supported and enabled"
|
||||
fi
|
||||
if [ "$IS_CONTAINER" -eq 1 ]; then
|
||||
ok "Container detected, cannot read dmesg!"
|
||||
else
|
||||
ok "$PATTERN is present in dmesg"
|
||||
does_pattern_exist_in_dmesg "$PATTERN"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
nx_supported_and_enabled
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
|
||||
else
|
||||
ok "NX is supported and enabled"
|
||||
fi
|
||||
else
|
||||
ok "$PATTERN is present in dmesg"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -21,32 +21,46 @@ PACKAGES='apparmor apparmor-utils'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
ERROR=0
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PACKAGE is absent!"
|
||||
ERROR=1
|
||||
else
|
||||
ok "$PACKAGE is installed"
|
||||
fi
|
||||
done
|
||||
|
||||
ERROR=0
|
||||
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
|
||||
|
||||
# define custom IFS and save default one
|
||||
d_IFS=$IFS
|
||||
c_IFS=$'\n'
|
||||
IFS=$c_IFS
|
||||
for line in $RESULT; do
|
||||
if [[ ! "$line" =~ "apparmor=1" ]] || [[ ! "$line" =~ "security=apparmor" ]]; then
|
||||
crit "$line is not configured"
|
||||
ERROR=1
|
||||
fi
|
||||
done
|
||||
IFS=$d_IFS
|
||||
if [ "$ERROR" = 0 ]; then
|
||||
ok "$PACKAGES are configured"
|
||||
is_pkg_installed "grub-pc"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
if [ "$IS_CONTAINER" -eq 1 ]; then
|
||||
ok "Grub is not installed in container"
|
||||
else
|
||||
warn "Grub is not installed"
|
||||
exit 128
|
||||
fi
|
||||
else
|
||||
ERROR=0
|
||||
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
|
||||
|
||||
# define custom IFS and save default one
|
||||
d_IFS=$IFS
|
||||
c_IFS=$'\n'
|
||||
IFS=$c_IFS
|
||||
for line in $RESULT; do
|
||||
if [[ ! "$line" =~ "apparmor=1" ]] || [[ ! "$line" =~ "security=apparmor" ]]; then
|
||||
crit "$line is not configured"
|
||||
ERROR=1
|
||||
fi
|
||||
done
|
||||
IFS=$d_IFS
|
||||
if [ "$ERROR" = 0 ]; then
|
||||
ok "$PACKAGES are configured"
|
||||
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
@ -62,26 +76,35 @@ apply() {
|
||||
fi
|
||||
done
|
||||
|
||||
ERROR=0
|
||||
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
|
||||
|
||||
# define custom IFS and save default one
|
||||
d_IFS=$IFS
|
||||
c_IFS=$'\n'
|
||||
IFS=$c_IFS
|
||||
for line in $RESULT; do
|
||||
if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
|
||||
crit "$line is not configured"
|
||||
ERROR=1
|
||||
is_pkg_installed "grub-pc"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
if [ "$IS_CONTAINER" -eq 1 ]; then
|
||||
ok "Grub is not installed in container"
|
||||
else
|
||||
warn "You should use grub. Install it yourself"
|
||||
fi
|
||||
done
|
||||
IFS=$d_IFS
|
||||
|
||||
if [ $ERROR = 1 ]; then
|
||||
$SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor /" /etc/default/grub
|
||||
$SUDO_CMD update-grub
|
||||
else
|
||||
ok "$PACKAGES are configured"
|
||||
ERROR=0
|
||||
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
|
||||
|
||||
# define custom IFS and save default one
|
||||
d_IFS=$IFS
|
||||
c_IFS=$'\n'
|
||||
IFS=$c_IFS
|
||||
for line in $RESULT; do
|
||||
if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
|
||||
crit "$line is not configured"
|
||||
ERROR=1
|
||||
fi
|
||||
done
|
||||
IFS=$d_IFS
|
||||
|
||||
if [ $ERROR = 1 ]; then
|
||||
$SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor /" /etc/default/grub
|
||||
$SUDO_CMD update-grub
|
||||
else
|
||||
ok "$PACKAGES are configured"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -21,22 +21,25 @@ PACKAGES='apparmor apparmor-utils'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
ERROR=0
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PACKAGE is absent!"
|
||||
ERROR=1
|
||||
else
|
||||
ok "$PACKAGE is installed"
|
||||
fi
|
||||
done
|
||||
if [ "$ERROR" = 0 ]; then
|
||||
RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
|
||||
|
||||
RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
|
||||
if [ -n "$RESULT_UNCONFINED" ]; then
|
||||
ok "No profiles are unconfined"
|
||||
|
||||
if [ -n "$RESULT_UNCONFINED" ]; then
|
||||
ok "No profiles are unconfined"
|
||||
|
||||
else
|
||||
crit "Some processes are unconfined while they have defined profile"
|
||||
else
|
||||
crit "Some processes are unconfined while they have defined profile"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
@ -46,6 +49,7 @@ apply() {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PACKAGES is absent!"
|
||||
apt_install "$PACKAGE"
|
||||
else
|
||||
ok "$PACKAGE is installed"
|
||||
fi
|
||||
|
@ -21,28 +21,31 @@ PACKAGES='apparmor apparmor-utils'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
ERROR=0
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PACKAGE is absent!"
|
||||
ERROR=1
|
||||
else
|
||||
ok "$PACKAGE is installed"
|
||||
fi
|
||||
done
|
||||
if [ "$ERROR" = 0 ]; then
|
||||
RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
|
||||
RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode.")
|
||||
|
||||
RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
|
||||
RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode.")
|
||||
if [ -n "$RESULT_UNCONFINED" ]; then
|
||||
ok "No profiles are unconfined"
|
||||
else
|
||||
crit "Some processes are unconfined while they have defined profile"
|
||||
fi
|
||||
|
||||
if [ -n "$RESULT_UNCONFINED" ]; then
|
||||
ok "No profiles are unconfined"
|
||||
else
|
||||
crit "Some processes are unconfined while they have defined profile"
|
||||
fi
|
||||
|
||||
if [ -n "$RESULT_COMPLAIN" ]; then
|
||||
ok "No profiles are in complain mode"
|
||||
else
|
||||
crit "Some processes are in complain mode"
|
||||
if [ -n "$RESULT_COMPLAIN" ]; then
|
||||
ok "No profiles are in complain mode"
|
||||
else
|
||||
crit "Some processes are in complain mode"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
@ -52,6 +55,7 @@ apply() {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PACKAGE is absent!"
|
||||
apt_install "$PACKAGE"
|
||||
else
|
||||
ok "$PACKAGE is installed"
|
||||
fi
|
||||
|
@ -21,39 +21,50 @@ HARDENING_EXCEPTION=mail
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
info "Checking netport ports opened"
|
||||
RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || :
|
||||
RESULT=${RESULT:-}
|
||||
debug "Result is $RESULT"
|
||||
if [ -z "$RESULT" ]; then
|
||||
ok "Nothing listens on 25 port, probably unix socket configured"
|
||||
is_pkg_installed net-tools
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "netsat not installed, cannot execute check"
|
||||
exit 2
|
||||
else
|
||||
info "Checking $RESULT"
|
||||
if grep -q "127.0.0.1" <<<"$RESULT"; then
|
||||
ok "MTA is configured to localhost only"
|
||||
info "Checking netport ports opened"
|
||||
RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || :
|
||||
RESULT=${RESULT:-}
|
||||
debug "Result is $RESULT"
|
||||
if [ -z "$RESULT" ]; then
|
||||
ok "Nothing listens on 25 port, probably unix socket configured"
|
||||
else
|
||||
crit "MTA listens worldwide"
|
||||
info "Checking $RESULT"
|
||||
if grep -q "127.0.0.1" <<<"$RESULT"; then
|
||||
ok "MTA is configured to localhost only"
|
||||
else
|
||||
crit "MTA listens worldwide"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
info "Checking netport ports opened"
|
||||
RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || :
|
||||
RESULT=${RESULT:-}
|
||||
debug "Result is $RESULT"
|
||||
if [ -z "$RESULT" ]; then
|
||||
ok "Nothing listens on 25 port, probably unix socket configured"
|
||||
is_pkg_installed net-tools
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "netsat not installed, cannot execute check"
|
||||
exit 2
|
||||
else
|
||||
info "Checking $RESULT"
|
||||
if grep -q "127.0.0.1" <<<"$RESULT"; then
|
||||
ok "MTA is configured to localhost only"
|
||||
info "Checking netport ports opened"
|
||||
RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || :
|
||||
RESULT=${RESULT:-}
|
||||
debug "Result is $RESULT"
|
||||
if [ -z "$RESULT" ]; then
|
||||
ok "Nothing listens on 25 port, probably unix socket configured"
|
||||
else
|
||||
warn "MTA listens worldwide, correct this considering your MTA"
|
||||
info "Checking $RESULT"
|
||||
if grep -q "127.0.0.1" <<<"$RESULT"; then
|
||||
ok "MTA is configured to localhost only"
|
||||
else
|
||||
warn "MTA listens worldwide, correct this considering your MTA"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
|
@ -18,8 +18,7 @@ HARDENING_LEVEL=4
|
||||
DESCRIPTION="Collect use of privileged commands."
|
||||
|
||||
# Find all files with setuid or setgid set
|
||||
SUDO_CMD='sudo -n'
|
||||
AUDIT_PARAMS=$($SUDO_CMD find / -xdev \( -perm -4000 -o -perm -2000 \) -type f |
|
||||
AUDIT_PARAMS=$(find / -xdev \( -perm -4000 -o -perm -2000 \) -type f |
|
||||
awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }')
|
||||
FILE='/etc/audit/audit.rules'
|
||||
|
||||
|
@ -17,29 +17,40 @@ HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Ensure syslog-ng service is activated."
|
||||
|
||||
PACKAGE='syslog-ng'
|
||||
SERVICE_NAME="syslog-ng"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
info "Checking if $SERVICE_NAME is enabled"
|
||||
is_service_enabled "$SERVICE_NAME"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$SERVICE_NAME is enabled"
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PACKAGE is not installed!"
|
||||
else
|
||||
crit "$SERVICE_NAME is disabled"
|
||||
info "Checking if $SERVICE_NAME is enabled"
|
||||
is_service_enabled "$SERVICE_NAME"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$SERVICE_NAME is enabled"
|
||||
else
|
||||
crit "$SERVICE_NAME is disabled"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
info "Checking if $SERVICE_NAME is enabled"
|
||||
is_service_enabled "$SERVICE_NAME"
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
info "Enabling $SERVICE_NAME"
|
||||
update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
|
||||
update-rc.d "$SERVICE_NAME" defaults >/dev/null 2>&1
|
||||
crit "$PACKAGE is not installed!"
|
||||
else
|
||||
ok "$SERVICE_NAME is enabled"
|
||||
info "Checking if $SERVICE_NAME is enabled"
|
||||
is_service_enabled "$SERVICE_NAME"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
info "Enabling $SERVICE_NAME"
|
||||
update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
|
||||
update-rc.d "$SERVICE_NAME" defaults >/dev/null 2>&1
|
||||
else
|
||||
ok "$SERVICE_NAME is enabled"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -19,6 +19,7 @@ DESCRIPTION="Create and set permissions on syslog-ng logfiles."
|
||||
|
||||
# Note: this is not exacly the same check as the one described in CIS PDF
|
||||
|
||||
PACKAGE='syslog-ng'
|
||||
PERMISSIONS=''
|
||||
USER=''
|
||||
GROUP=''
|
||||
@ -26,14 +27,71 @@ EXCEPTIONS=''
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
FILES=$(grep "file(" "$SYSLOG_BASEDIR"/syslog-ng.conf | grep '"' | cut -d'"' -f 2)
|
||||
for FILE in $FILES; do
|
||||
does_file_exist "$FILE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "$FILE does not exist"
|
||||
else
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PACKAGE is not installed!"
|
||||
else
|
||||
FILES=$(grep "file(" "$SYSLOG_BASEDIR"/syslog-ng.conf | grep '"' | cut -d'"' -f 2)
|
||||
for FILE in $FILES; do
|
||||
does_file_exist "$FILE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "$FILE does not exist"
|
||||
else
|
||||
FOUND_EXC=0
|
||||
if grep -q "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then
|
||||
debug "$FILE is found in exceptions"
|
||||
debug "Setting special user:group:perm"
|
||||
FOUND_EXC=1
|
||||
local user_bak="$USER"
|
||||
local group_bak="$GROUP"
|
||||
local perm_bak="$PERMISSIONS"
|
||||
USER="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 2)"
|
||||
GROUP="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 3)"
|
||||
PERMISSIONS="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 4)"
|
||||
fi
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership ($USER:$GROUP)"
|
||||
else
|
||||
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||
fi
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions ($PERMISSIONS)"
|
||||
else
|
||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||
fi
|
||||
if [ "$FOUND_EXC" = 1 ]; then
|
||||
debug "Resetting user:group:perm"
|
||||
USER="$user_bak"
|
||||
GROUP="$group_bak"
|
||||
PERMISSIONS="$perm_bak"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PACKAGE is not installed!"
|
||||
else
|
||||
for FILE in $FILES; do
|
||||
does_file_exist "$FILE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
info "$FILE does not exist"
|
||||
filedir=$(dirname "${FILE#/var/log/}")
|
||||
if [ ! "$filedir" = "." ] && [ ! -d /var/log/"$filedir" ]; then
|
||||
debug "Creating /var/log/$filedir for $FILE"
|
||||
debug "mkdir -p /var/log/$filedir"
|
||||
mkdir -p /var/log/"$filedir"
|
||||
fi
|
||||
touch "$FILE"
|
||||
fi
|
||||
FOUND_EXC=0
|
||||
if grep -q "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then
|
||||
if grep "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then
|
||||
debug "$FILE is found in exceptions"
|
||||
debug "Setting special user:group:perm"
|
||||
FOUND_EXC=1
|
||||
@ -46,15 +104,17 @@ audit() {
|
||||
fi
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership ($USER:$GROUP)"
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||
warn "fixing $FILE ownership to $USER:$GROUP"
|
||||
chown "$USER":"$GROUP" "$FILE"
|
||||
fi
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions ($PERMISSIONS)"
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||
info "fixing $FILE permissions to $PERMISSIONS"
|
||||
chmod 0"$PERMISSIONS" "$FILE"
|
||||
fi
|
||||
if [ "$FOUND_EXC" = 1 ]; then
|
||||
debug "Resetting user:group:perm"
|
||||
@ -62,57 +122,8 @@ audit() {
|
||||
GROUP="$group_bak"
|
||||
PERMISSIONS="$perm_bak"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
for FILE in $FILES; do
|
||||
does_file_exist "$FILE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
info "$FILE does not exist"
|
||||
filedir=$(dirname "${FILE#/var/log/}")
|
||||
if [ ! "$filedir" = "." ] && [ ! -d /var/log/"$filedir" ]; then
|
||||
debug "Creating /var/log/$filedir for $FILE"
|
||||
debug "mkdir -p /var/log/$filedir"
|
||||
mkdir -p /var/log/"$filedir"
|
||||
fi
|
||||
touch "$FILE"
|
||||
fi
|
||||
FOUND_EXC=0
|
||||
if grep "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then
|
||||
debug "$FILE is found in exceptions"
|
||||
debug "Setting special user:group:perm"
|
||||
FOUND_EXC=1
|
||||
local user_bak="$USER"
|
||||
local group_bak="$GROUP"
|
||||
local perm_bak="$PERMISSIONS"
|
||||
USER="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 2)"
|
||||
GROUP="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 3)"
|
||||
PERMISSIONS="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 4)"
|
||||
fi
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
warn "fixing $FILE ownership to $USER:$GROUP"
|
||||
chown "$USER":"$GROUP" "$FILE"
|
||||
fi
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
info "fixing $FILE permissions to $PERMISSIONS"
|
||||
chmod 0"$PERMISSIONS" "$FILE"
|
||||
fi
|
||||
if [ "$FOUND_EXC" = 1 ]; then
|
||||
debug "Resetting user:group:perm"
|
||||
USER="$user_bak"
|
||||
GROUP="$group_bak"
|
||||
PERMISSIONS="$perm_bak"
|
||||
fi
|
||||
done
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will create the config file for this check with default values
|
||||
|
@ -17,40 +17,52 @@ HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Configure syslog-ng to send logs to a remote log host."
|
||||
|
||||
PACKAGE='syslog-ng'
|
||||
|
||||
PATTERN='destination[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]+\".'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
FOUND=0
|
||||
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
|
||||
for FILE in $FILES; do
|
||||
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
FOUND=1
|
||||
fi
|
||||
done
|
||||
|
||||
if [ "$FOUND" = 1 ]; then
|
||||
ok "$PATTERN is present in $FILES"
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PACKAGE is not installed!"
|
||||
else
|
||||
crit "$PATTERN is not present in $FILES"
|
||||
FOUND=0
|
||||
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
|
||||
for FILE in $FILES; do
|
||||
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
FOUND=1
|
||||
fi
|
||||
done
|
||||
|
||||
if [ "$FOUND" = 1 ]; then
|
||||
ok "$PATTERN is present in $FILES"
|
||||
else
|
||||
crit "$PATTERN is not present in $FILES"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
FOUND=0
|
||||
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
|
||||
for FILE in $FILES; do
|
||||
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
FOUND=1
|
||||
fi
|
||||
done
|
||||
if [ "$FOUND" = 1 ]; then
|
||||
ok "$PATTERN is present in $FILES"
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PACKAGE is not installed!"
|
||||
else
|
||||
crit "$PATTERN is not present in $FILES, please set a remote host to send your logs"
|
||||
FOUND=0
|
||||
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
|
||||
for FILE in $FILES; do
|
||||
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
FOUND=1
|
||||
fi
|
||||
done
|
||||
if [ "$FOUND" = 1 ]; then
|
||||
ok "$PATTERN is present in $FILES"
|
||||
else
|
||||
crit "$PATTERN is not present in $FILES, please set a remote host to send your logs"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -17,64 +17,74 @@ HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Configure syslog to accept remote syslog messages only on designated log hosts."
|
||||
|
||||
PACKAGE='syslog-ng'
|
||||
|
||||
REMOTE_HOST=""
|
||||
PATTERN='source[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]+\".'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
FOUND=0
|
||||
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
|
||||
for FILE in $FILES; do
|
||||
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
FOUND=1
|
||||
fi
|
||||
done
|
||||
|
||||
if [[ "$REMOTE_HOST" ]]; then
|
||||
info "This is the remote host, checking that it only accepts logs from specified zone"
|
||||
if [ "$FOUND" = 1 ]; then
|
||||
ok "$PATTERN is present in $FILES"
|
||||
else
|
||||
crit "$PATTERN is not present in $FILES"
|
||||
fi
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PACKAGE is not installed!"
|
||||
else
|
||||
info "This is the not the remote host checking that it doesn't accept remote logs"
|
||||
if [ "$FOUND" = 1 ]; then
|
||||
crit "$PATTERN is present in $FILES"
|
||||
else
|
||||
ok "$PATTERN is not present in $FILES"
|
||||
fi
|
||||
FOUND=0
|
||||
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
|
||||
for FILE in $FILES; do
|
||||
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
FOUND=1
|
||||
fi
|
||||
done
|
||||
|
||||
if [[ "$REMOTE_HOST" ]]; then
|
||||
info "This is the remote host, checking that it only accepts logs from specified zone"
|
||||
if [ "$FOUND" = 1 ]; then
|
||||
ok "$PATTERN is present in $FILES"
|
||||
else
|
||||
crit "$PATTERN is not present in $FILES"
|
||||
fi
|
||||
else
|
||||
info "This is the not the remote host checking that it doesn't accept remote logs"
|
||||
if [ "$FOUND" = 1 ]; then
|
||||
crit "$PATTERN is present in $FILES"
|
||||
else
|
||||
ok "$PATTERN is not present in $FILES"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
FOUND=0
|
||||
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
|
||||
for FILE in $FILES; do
|
||||
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
FOUND=1
|
||||
fi
|
||||
done
|
||||
|
||||
if [[ "$REMOTE_HOST" ]]; then
|
||||
info "This is the remote host, checking that it only accepts logs from specified zone"
|
||||
if [ "$FOUND" = 1 ]; then
|
||||
ok "$PATTERN is present in $FILES"
|
||||
else
|
||||
crit "$PATTERN is not present in $FILES, setup the machine to receive the logs"
|
||||
fi
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PACKAGE is not installed!"
|
||||
else
|
||||
info "This is the not the remote host checking that it doesn't accept remote logs"
|
||||
if [ "$FOUND" = 1 ]; then
|
||||
warn "$PATTERN is present in $FILES, "
|
||||
else
|
||||
ok "$PATTERN is not present in $FILES"
|
||||
fi
|
||||
FOUND=0
|
||||
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
|
||||
for FILE in $FILES; do
|
||||
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
FOUND=1
|
||||
fi
|
||||
done
|
||||
|
||||
if [[ "$REMOTE_HOST" ]]; then
|
||||
info "This is the remote host, checking that it only accepts logs from specified zone"
|
||||
if [ "$FOUND" = 1 ]; then
|
||||
ok "$PATTERN is present in $FILES"
|
||||
else
|
||||
crit "$PATTERN is not present in $FILES, setup the machine to receive the logs"
|
||||
fi
|
||||
else
|
||||
info "This is the not the remote host checking that it doesn't accept remote logs"
|
||||
if [ "$FOUND" = 1 ]; then
|
||||
warn "$PATTERN is present in $FILES, "
|
||||
else
|
||||
ok "$PATTERN is not present in $FILES"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -27,18 +27,19 @@ audit() {
|
||||
does_file_exist "$FILE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
fi
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||
fi
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||
fi
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
@ -48,20 +49,21 @@ apply() {
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
info "$FILE does not exist"
|
||||
touch "$FILE"
|
||||
fi
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
warn "fixing $FILE ownership to $USER:$GROUP"
|
||||
chown "$USER":"$GROUP" "$FILE"
|
||||
fi
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
info "fixing $FILE permissions to $PERMISSIONS"
|
||||
chmod 0"$PERMISSIONS" "$FILE"
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
warn "fixing $FILE ownership to $USER:$GROUP"
|
||||
chown "$USER":"$GROUP" "$FILE"
|
||||
fi
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
info "fixing $FILE permissions to $PERMISSIONS"
|
||||
chmod 0"$PERMISSIONS" "$FILE"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -27,18 +27,19 @@ audit() {
|
||||
does_file_exist "$FILE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
fi
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||
fi
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||
fi
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
@ -48,20 +49,21 @@ apply() {
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
info "$FILE does not exist"
|
||||
touch "$FILE"
|
||||
fi
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
warn "fixing $FILE ownership to $USER:$GROUP"
|
||||
chown "$USER":"$GROUP" "$FILE"
|
||||
fi
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
info "fixing $FILE permissions to $PERMISSIONS"
|
||||
chmod 0"$PERMISSIONS" "$FILE"
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
warn "fixing $FILE ownership to $USER:$GROUP"
|
||||
chown "$USER":"$GROUP" "$FILE"
|
||||
fi
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
info "fixing $FILE permissions to $PERMISSIONS"
|
||||
chmod 0"$PERMISSIONS" "$FILE"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -27,18 +27,19 @@ audit() {
|
||||
does_file_exist "$FILE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
fi
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||
fi
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||
fi
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
@ -48,20 +49,21 @@ apply() {
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
info "$FILE does not exist"
|
||||
touch "$FILE"
|
||||
fi
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
warn "fixing $FILE ownership to $USER:$GROUP"
|
||||
chown "$USER":"$GROUP" "$FILE"
|
||||
fi
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
info "fixing $FILE permissions to $PERMISSIONS"
|
||||
chmod 0"$PERMISSIONS" "$FILE"
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
warn "fixing $FILE ownership to $USER:$GROUP"
|
||||
chown "$USER":"$GROUP" "$FILE"
|
||||
fi
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
info "fixing $FILE permissions to $PERMISSIONS"
|
||||
chmod 0"$PERMISSIONS" "$FILE"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -27,18 +27,19 @@ audit() {
|
||||
does_file_exist "$FILE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
fi
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||
fi
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||
fi
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
@ -48,20 +49,21 @@ apply() {
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
info "$FILE does not exist"
|
||||
touch "$FILE"
|
||||
fi
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
warn "fixing $FILE ownership to $USER:$GROUP"
|
||||
chown "$USER":"$GROUP" "$FILE"
|
||||
fi
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
info "fixing $FILE permissions to $PERMISSIONS"
|
||||
chmod 0"$PERMISSIONS" "$FILE"
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
warn "fixing $FILE ownership to $USER:$GROUP"
|
||||
chown "$USER":"$GROUP" "$FILE"
|
||||
fi
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
info "fixing $FILE permissions to $PERMISSIONS"
|
||||
chmod 0"$PERMISSIONS" "$FILE"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -27,18 +27,19 @@ audit() {
|
||||
does_file_exist "$FILE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
fi
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||
fi
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||
fi
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
@ -48,20 +49,21 @@ apply() {
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
info "$FILE does not exist"
|
||||
touch "$FILE"
|
||||
fi
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
warn "fixing $FILE ownership to $USER:$GROUP"
|
||||
chown "$USER":"$GROUP" "$FILE"
|
||||
fi
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
info "fixing $FILE permissions to $PERMISSIONS"
|
||||
chmod 0"$PERMISSIONS" "$FILE"
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
warn "fixing $FILE ownership to $USER:$GROUP"
|
||||
chown "$USER":"$GROUP" "$FILE"
|
||||
fi
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
info "fixing $FILE permissions to $PERMISSIONS"
|
||||
chmod 0"$PERMISSIONS" "$FILE"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -17,6 +17,7 @@ HARDENING_LEVEL=1
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Checking permissions and ownership to root 600 for sshd_config."
|
||||
|
||||
PACKAGE='openssh-server'
|
||||
FILE='/etc/ssh/sshd_config'
|
||||
PERMISSIONS='600'
|
||||
USER='root'
|
||||
@ -24,40 +25,50 @@ GROUP='root'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
ok "$PACKAGE is not installed!"
|
||||
else
|
||||
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||
fi
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||
fi
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
does_file_exist "$FILE"
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
info "$FILE does not exist"
|
||||
touch "$FILE"
|
||||
fi
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
ok "$PACKAGE is not installed"
|
||||
else
|
||||
warn "fixing $FILE ownership to $USER:$GROUP"
|
||||
chown "$USER":"$GROUP" "$FILE"
|
||||
fi
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
info "fixing $FILE permissions to $PERMISSIONS"
|
||||
chmod 0"$PERMISSIONS" "$FILE"
|
||||
does_file_exist "$FILE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
info "$FILE does not exist"
|
||||
touch "$FILE"
|
||||
fi
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
warn "fixing $FILE ownership to $USER:$GROUP"
|
||||
chown "$USER":"$GROUP" "$FILE"
|
||||
fi
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
info "fixing $FILE permissions to $PERMISSIONS"
|
||||
chmod 0"$PERMISSIONS" "$FILE"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -24,22 +24,36 @@ GROUP='root'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
does_file_exist "$FILE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
else
|
||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||
fi
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||
ok "$FILE exist"
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||
fi
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
does_file_exist "$FILE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "$FILE does not exist"
|
||||
touch "$FILE"
|
||||
warn "You may want to fill it with allowed networks"
|
||||
else
|
||||
ok "$FILE exist"
|
||||
fi
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
|
@ -24,22 +24,36 @@ GROUP='root'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
does_file_exist "$FILE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
else
|
||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||
fi
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||
ok "$FILE exist"
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||
fi
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
does_file_exist "$FILE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "$FILE does not exist"
|
||||
touch "$FILE"
|
||||
warn "You may want to fill it with allowed networks"
|
||||
else
|
||||
ok "$FILE exist"
|
||||
fi
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
|
Loading…
Reference in New Issue
Block a user