From 1c51e4cec4dcf9729c2b492a299c0c7c9791fcf4 Mon Sep 17 00:00:00 2001 From: Thibault Ayanides Date: Thu, 25 Mar 2021 14:01:57 +0100 Subject: [PATCH] Check that package are installed before launching check (#69) * FIX(1.6.1,1.7.1.x): check if apparmor and grub is installed * FIX(2.2.15): check package install * FIX(4.2.x): check package install * FIX(5.1.x): check crontab files exist * FIX(5.2.1): check package install * FIX(99.3.3.x): check conf file exist * Remove useless SUDO_CMD * Deal with non existant /run/shm * Replace exit code 128 by exit code 2 fix #65 Co-authored-by: GoldenKiwi --- bin/hardening/1.1.15_run_shm_nodev.sh | 6 +- bin/hardening/1.1.16_run_shm_nosuid.sh | 6 +- bin/hardening/1.1.17_run_shm_noexec.sh | 6 +- bin/hardening/1.5.1_bootloader_ownership.sh | 8 +- bin/hardening/1.5.2_bootloader_password.sh | 5 +- bin/hardening/1.5.3_root_password.sh | 1 - bin/hardening/1.6.1_enable_nx_support.sh | 44 +++--- bin/hardening/1.7.1.2_enable_apparmor.sh | 89 +++++++----- .../1.7.1.3_enforce_or_complain_apparmor.sh | 16 ++- bin/hardening/1.7.1.4_enforcing_apparmor.sh | 28 ++-- bin/hardening/2.2.15_mta_localhost.sh | 53 ++++--- .../4.1.11_record_privileged_commands.sh | 3 +- bin/hardening/4.2.1.2_enable_syslog-ng.sh | 33 +++-- .../4.2.1.4_syslog_ng_logfiles_perm.sh | 135 ++++++++++-------- .../4.2.1.5_syslog-ng_remote_host.sh | 58 +++++--- bin/hardening/4.2.1.6_remote_syslog-ng_acl.sh | 98 +++++++------ bin/hardening/5.1.2_crontab_perm_ownership.sh | 50 +++---- .../5.1.3_cron_hourly_perm_ownership.sh | 50 +++---- .../5.1.4_cron_daily_perm_ownership.sh | 50 +++---- .../5.1.5_cron_weekly_perm_ownership.sh | 50 +++---- .../5.1.6_cron_monthly_perm_ownership.sh | 50 +++---- .../5.2.1_sshd_conf_perm_ownership.sh | 63 ++++---- .../99.3.3.4_hosts_allow_permissions.sh | 34 +++-- .../99.3.3.5_hosts_deny_permissions.sh | 34 +++-- 24 files changed, 561 insertions(+), 409 deletions(-) 
diff --git a/bin/hardening/1.1.15_run_shm_nodev.sh b/bin/hardening/1.1.15_run_shm_nodev.sh index f8a1949..df9b839 100755 --- a/bin/hardening/1.1.15_run_shm_nodev.sh +++ b/bin/hardening/1.1.15_run_shm_nodev.sh @@ -24,7 +24,11 @@ OPTION="nodev" # This function will be called if the script status is on enabled / audit mode audit() { info "Verifying that $PARTITION is a partition" - PARTITION=$(readlink -e "$PARTITION") + if [ -e "$PARTITION" ]; then + PARTITION=$(readlink -e "$PARTITION") + else + PARTITION="/dev/shm" + fi FNRET=0 is_a_partition "$PARTITION" if [ "$FNRET" -gt 0 ]; then diff --git a/bin/hardening/1.1.16_run_shm_nosuid.sh b/bin/hardening/1.1.16_run_shm_nosuid.sh index ee58ad9..82794ca 100755 --- a/bin/hardening/1.1.16_run_shm_nosuid.sh +++ b/bin/hardening/1.1.16_run_shm_nosuid.sh @@ -24,7 +24,11 @@ OPTION="nosuid" # This function will be called if the script status is on enabled / audit mode audit() { info "Verifying that $PARTITION is a partition" - PARTITION=$(readlink -e "$PARTITION") + if [ -e "$PARTITION" ]; then + PARTITION=$(readlink -e "$PARTITION") + else + PARTITION="/dev/shm" + fi FNRET=0 is_a_partition "$PARTITION" if [ "$FNRET" -gt 0 ]; then diff --git a/bin/hardening/1.1.17_run_shm_noexec.sh b/bin/hardening/1.1.17_run_shm_noexec.sh index 934c6d7..01cc4cc 100755 --- a/bin/hardening/1.1.17_run_shm_noexec.sh +++ b/bin/hardening/1.1.17_run_shm_noexec.sh @@ -24,7 +24,11 @@ OPTION="noexec" # This function will be called if the script status is on enabled / audit mode audit() { info "Verifying that $PARTITION is a partition" - PARTITION=$(readlink -e "$PARTITION") + if [ -e "$PARTITION" ]; then + PARTITION=$(readlink -e "$PARTITION") + else + PARTITION="/dev/shm" + fi FNRET=0 is_a_partition "$PARTITION" if [ "$FNRET" -gt 0 ]; then diff --git a/bin/hardening/1.5.1_bootloader_ownership.sh b/bin/hardening/1.5.1_bootloader_ownership.sh index c23768a..80267e8 100755 --- a/bin/hardening/1.5.1_bootloader_ownership.sh 
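Review bot: The `info "Verifying that $PARTITION is a partition"` line runs before the new fallback, so on a host without /run/shm the log says /run/shm was verified while /dev/shm is what `is_a_partition` actually tests; move the info below the fallback or log the substitution, e.g. `warn "$PARTITION does not exist, falling back to /dev/shm"` in the else branch. The reassignment also rewrites the script-level PARTITION that the rest of the file (apply(), outside this hunk) presumably reads, which only works if apply() is always preceded by audit(); if the framework guarantees that order a comment saying so would help. The same three-line fallback is duplicated verbatim in 1.1.16 and 1.1.17, so a shared helper in the library would keep the three scripts in step.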
+++ b/bin/hardening/1.5.1_bootloader_ownership.sh @@ -66,22 +66,22 @@ check_config() { is_pkg_installed "grub-pc" if [ "$FNRET" != 0 ]; then warn "Grub is not installed, not handling configuration" - exit 128 + exit 2 fi does_user_exist "$USER" if [ "$FNRET" != 0 ]; then crit "$USER does not exist" - exit 128 + exit 2 fi does_group_exist "$GROUP" if [ "$FNRET" != 0 ]; then crit "$GROUP does not exist" - exit 128 + exit 2 fi does_file_exist "$FILE" if [ "$FNRET" != 0 ]; then crit "$FILE does not exist" - exit 128 + exit 2 fi } diff --git a/bin/hardening/1.5.2_bootloader_password.sh b/bin/hardening/1.5.2_bootloader_password.sh index 45e8a39..188dd2a 100755 --- a/bin/hardening/1.5.2_bootloader_password.sh +++ b/bin/hardening/1.5.2_bootloader_password.sh @@ -51,7 +51,6 @@ apply() { else ok "$PWD_PATTERN is present in $FILE" fi - : } # This function will check config parameters required @@ -59,11 +58,11 @@ check_config() { is_pkg_installed "grub-pc" if [ "$FNRET" != 0 ]; then warn "grub-pc is not installed, not handling configuration" - exit 128 + exit 2 fi if [ "$FNRET" != 0 ]; then crit "$FILE does not exist" - exit 128 + exit 2 fi } diff --git a/bin/hardening/1.5.3_root_password.sh b/bin/hardening/1.5.3_root_password.sh index ee24236..e3cc8a7 100755 --- a/bin/hardening/1.5.3_root_password.sh +++ b/bin/hardening/1.5.3_root_password.sh @@ -38,7 +38,6 @@ apply() { else ok "$PATTERN is not present in $FILE" fi - : } # This function will check config parameters required diff --git a/bin/hardening/1.6.1_enable_nx_support.sh b/bin/hardening/1.6.1_enable_nx_support.sh index 881f61c..2e03561 100755 --- a/bin/hardening/1.6.1_enable_nx_support.sh +++ b/bin/hardening/1.6.1_enable_nx_support.sh 
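Review bot: Gating the whole check on `is_pkg_installed "grub-pc"` makes it exit 2 (skipped) on UEFI installs, where Debian ships the bootloader as grub-efi-amd64 while /boot/grub/grub.cfg still exists and still needs the ownership check. Consider gating on the file itself, or on either package, e.g. `is_pkg_installed "grub-pc"; GRUB_PC=$FNRET; is_pkg_installed "grub-efi-amd64"` and only `exit 2` when both are absent. The check_config() function begins outside this hunk.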
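Review bot: In check_config() of 1.5.2 the second `if [ "$FNRET" != 0 ]; then crit "$FILE does not exist"; exit 2` re-tests the FNRET left by `is_pkg_installed "grub-pc"`, which the preceding branch has just established to be 0, so this exit can never fire and a missing $FILE is not detected. A `does_file_exist "$FILE"` call is missing immediately before it, as 1.5.1 does in this same commit. Without it the later pattern check presumably runs against a non-existent file and reports a misleading finding.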
@@ -35,31 +35,39 @@ nx_supported_and_enabled() { # This function will be called if the script status is on enabled / audit mode audit() { - does_pattern_exist_in_dmesg "$PATTERN" - if [ "$FNRET" != 0 ]; then - nx_supported_and_enabled - if [ "$FNRET" != 0 ]; then - crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled" - else - ok "NX is supported and enabled" - fi + if [ "$IS_CONTAINER" -eq 1 ]; then + ok "Container detected, cannot read dmesg!" else - ok "$PATTERN is present in dmesg" + does_pattern_exist_in_dmesg "$PATTERN" + if [ "$FNRET" != 0 ]; then + nx_supported_and_enabled + if [ "$FNRET" != 0 ]; then + crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled" + else + ok "NX is supported and enabled" + fi + else + ok "$PATTERN is present in dmesg" + fi fi } # This function will be called if the script status is on enabled mode apply() { - does_pattern_exist_in_dmesg "$PATTERN" - if [ "$FNRET" != 0 ]; then - nx_supported_and_enabled - if [ "$FNRET" != 0 ]; then - crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled" - else - ok "NX is supported and enabled" - fi + if [ "$IS_CONTAINER" -eq 1 ]; then + ok "Container detected, cannot read dmesg!" else - ok "$PATTERN is present in dmesg" + does_pattern_exist_in_dmesg "$PATTERN" + if [ "$FNRET" != 0 ]; then + nx_supported_and_enabled + if [ "$FNRET" != 0 ]; then + crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled" + else + ok "NX is supported and enabled" + fi + else + ok "$PATTERN is present in dmesg" + fi fi } diff --git a/bin/hardening/1.7.1.2_enable_apparmor.sh b/bin/hardening/1.7.1.2_enable_apparmor.sh index a1070d5..b07b9cf 100755 --- a/bin/hardening/1.7.1.2_enable_apparmor.sh +++ b/bin/hardening/1.7.1.2_enable_apparmor.sh 
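Review bot: Reporting `ok "Container detected, cannot read dmesg!"` records a pass for a property that was not examined; elsewhere in this commit (1.5.1, 2.2.15) an uncheckable prerequisite is reported with `warn` and `exit 2`, and the same convention fits here, e.g. `warn "Container detected, cannot read dmesg, skipping"; exit 2`. `[ "$IS_CONTAINER" -eq 1 ]` also aborts with an integer-expression error if IS_CONTAINER is ever unset or empty, so unless the library guarantees it, `[ "${IS_CONTAINER:-0}" -eq 1 ]` is safer. audit() and apply() are now byte-identical; apply() could simply call audit() instead of duplicating the branch.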
@@ -21,32 +21,46 @@ PACKAGES='apparmor apparmor-utils' # This function will be called if the script status is on enabled / audit mode audit() { + ERROR=0 for PACKAGE in $PACKAGES; do is_pkg_installed "$PACKAGE" if [ "$FNRET" != 0 ]; then crit "$PACKAGE is absent!" + ERROR=1 else ok "$PACKAGE is installed" fi done - ERROR=0 - RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg) - - # define custom IFS and save default one - d_IFS=$IFS - c_IFS=$'\n' - IFS=$c_IFS - for line in $RESULT; do - if [[ ! "$line" =~ "apparmor=1" ]] || [[ ! "$line" =~ "security=apparmor" ]]; then - crit "$line is not configured" - ERROR=1 - fi - done - IFS=$d_IFS if [ "$ERROR" = 0 ]; then - ok "$PACKAGES are configured" + is_pkg_installed "grub-pc" + if [ "$FNRET" != 0 ]; then + if [ "$IS_CONTAINER" -eq 1 ]; then + ok "Grub is not installed in container" + else + warn "Grub is not installed" + exit 128 + fi + else + ERROR=0 + RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg) + # define custom IFS and save default one + d_IFS=$IFS + c_IFS=$'\n' + IFS=$c_IFS + for line in $RESULT; do + if [[ ! "$line" =~ "apparmor=1" ]] || [[ ! "$line" =~ "security=apparmor" ]]; then + crit "$line is not configured" + ERROR=1 + fi + done + IFS=$d_IFS + if [ "$ERROR" = 0 ]; then + ok "$PACKAGES are configured" + + fi + fi fi } 
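Review bot: The new `exit 128` in the grub-not-installed branch of audit() contradicts the commit's own "Replace exit code 128 by exit code 2" change applied in 1.5.1 and 1.5.2; it should be `exit 2` so the runner treats it as the same skip condition. The inner `ERROR=0` is redundant because this branch is only entered when ERROR is already 0, and the blank line before the `fi` that follows `ok "$PACKAGES are configured"` looks accidental. When grub-pc is absent inside a container the function reports `ok` without having looked at any kernel command line, so AppArmor may still be off on the host kernel; a `warn` would be more honest than an `ok`.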
@@ -62,26 +76,35 @@ apply() { fi done - ERROR=0 - RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg) - - # define custom IFS and save default one - d_IFS=$IFS - c_IFS=$'\n' - IFS=$c_IFS - for line in $RESULT; do - if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then - crit "$line is not configured" - ERROR=1 + is_pkg_installed "grub-pc" + if [ "$FNRET" != 0 ]; then + if [ "$IS_CONTAINER" -eq 1 ]; then + ok "Grub is not installed in container" + else + warn "You should use grub. Install it yourself" fi - done - IFS=$d_IFS - - if [ $ERROR = 1 ]; then - $SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor /" /etc/default/grub - $SUDO_CMD update-grub else - ok "$PACKAGES are configured" + ERROR=0 + RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg) + + # define custom IFS and save default one + d_IFS=$IFS + c_IFS=$'\n' + IFS=$c_IFS + for line in $RESULT; do + if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then + crit "$line is not configured" + ERROR=1 + fi + done + IFS=$d_IFS + + if [ $ERROR = 1 ]; then + $SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor /" /etc/default/grub + $SUDO_CMD update-grub + else + ok "$PACKAGES are configured" + fi fi } diff --git a/bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh b/bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh index f02dd55..8a36381 100755 --- a/bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh +++ b/bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh 
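Review bot: The remediation `sed -i "s/GRUB_CMDLINE_LINUX=\"/…/"` in apply() assumes /etc/default/grub already contains a double-quoted `GRUB_CMDLINE_LINUX="` line; if the line is absent or single-quoted, sed changes nothing, `update-grub` still runs, and the check keeps failing on the next audit with no error reported. It also prepends both parameters unconditionally, so a line that already carries one of them ends up with a duplicate. Guard with a grep, append the variable when it is missing, and only add the parameters that are actually absent. apply() begins outside this hunk (the package loop above it).
```shell
if [ $ERROR = 1 ]; then
    # create the variable if /etc/default/grub lacks it, otherwise add only what is missing
    if grep -q '^GRUB_CMDLINE_LINUX="' /etc/default/grub; then
        for param in apparmor=1 security=apparmor; do
            grep -q "^GRUB_CMDLINE_LINUX=\".*$param" /etc/default/grub ||
                $SUDO_CMD sed -i "s/^GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"$param /" /etc/default/grub
        done
    else
        echo 'GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor"' | $SUDO_CMD tee -a /etc/default/grub >/dev/null
    fi
    $SUDO_CMD update-grub
else
    # … unchanged: ok message …
fi
```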
@@ -21,22 +21,25 @@ PACKAGES='apparmor apparmor-utils' # This function will be called if the script status is on enabled / audit mode audit() { + ERROR=0 for PACKAGE in $PACKAGES; do is_pkg_installed "$PACKAGE" if [ "$FNRET" != 0 ]; then crit "$PACKAGE is absent!" + ERROR=1 else ok "$PACKAGE is installed" fi done + if [ "$ERROR" = 0 ]; then + RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined") - RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined") + if [ -n "$RESULT_UNCONFINED" ]; then + ok "No profiles are unconfined" - if [ -n "$RESULT_UNCONFINED" ]; then - ok "No profiles are unconfined" - - else - crit "Some processes are unconfined while they have defined profile" + else + crit "Some processes are unconfined while they have defined profile" + fi fi } @@ -46,6 +49,7 @@ apply() { is_pkg_installed "$PACKAGE" if [ "$FNRET" != 0 ]; then crit "$PACKAGES is absent!" + apt_install "$PACKAGE" else ok "$PACKAGE is installed" fi diff --git a/bin/hardening/1.7.1.4_enforcing_apparmor.sh b/bin/hardening/1.7.1.4_enforcing_apparmor.sh index 49239b0..ae15a82 100755 --- a/bin/hardening/1.7.1.4_enforcing_apparmor.sh +++ b/bin/hardening/1.7.1.4_enforcing_apparmor.sh 
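Review bot: `RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined…")` turns any failure of apparmor_status (AppArmor not enabled in the kernel, insufficient privilege, tool missing) into an empty string, so audit() reports `crit "Some processes are unconfined while they have defined profile"`, which is a different finding from the real one. Capture the output once and check the exit status first, e.g. `STATUS=$($SUDO_CMD apparmor_status 2>/dev/null) || { crit "apparmor_status failed, is AppArmor enabled?"; return; }` followed by `grep -q … <<<"$STATUS"`. The `ok` text says "No profiles are unconfined" while the line being matched counts processes; aligning the wording makes reports easier to read.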
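Review bot: The line above the new `apt_install "$PACKAGE"` logs `crit "$PACKAGES is absent!"`, naming the whole list instead of the package that is actually missing; it should be `crit "$PACKAGE is absent!"` as in audit(). Installing apparmor-utils on its own does not confine anything unless the kernel was booted with AppArmor enabled (the 1.7.1.2 check), so a hint in the message that 1.7.1.2 must also pass would help operators reading the output. apply() starts before this hunk and continues after it.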
@@ -21,28 +21,31 @@ PACKAGES='apparmor apparmor-utils' # This function will be called if the script status is on enabled / audit mode audit() { + ERROR=0 for PACKAGE in $PACKAGES; do is_pkg_installed "$PACKAGE" if [ "$FNRET" != 0 ]; then crit "$PACKAGE is absent!" + ERROR=1 else ok "$PACKAGE is installed" fi done + if [ "$ERROR" = 0 ]; then + RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined") + RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode.") - RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined") - RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode.") + if [ -n "$RESULT_UNCONFINED" ]; then + ok "No profiles are unconfined" + else + crit "Some processes are unconfined while they have defined profile" + fi - if [ -n "$RESULT_UNCONFINED" ]; then - ok "No profiles are unconfined" - else - crit "Some processes are unconfined while they have defined profile" - fi - - if [ -n "$RESULT_COMPLAIN" ]; then - ok "No profiles are in complain mode" - else - crit "Some processes are in complain mode" + if [ -n "$RESULT_COMPLAIN" ]; then + ok "No profiles are in complain mode" + else + crit "Some processes are in complain mode" + fi fi } @@ -52,6 +55,7 @@ apply() { is_pkg_installed "$PACKAGE" if [ "$FNRET" != 0 ]; then crit "$PACKAGE is absent!" + apt_install "$PACKAGE" else ok "$PACKAGE is installed" fi diff --git a/bin/hardening/2.2.15_mta_localhost.sh b/bin/hardening/2.2.15_mta_localhost.sh index f464f8b..864f656 100755 --- a/bin/hardening/2.2.15_mta_localhost.sh +++ b/bin/hardening/2.2.15_mta_localhost.sh 
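Review bot: apparmor_status is executed twice under `$SUDO_CMD` and both results are reduced to grep matches, so a failing apparmor_status (AppArmor disabled, tool absent) produces two `crit` messages about unconfined and complain-mode processes that are not the actual problem. Run it once, keep the output, and fail explicitly on a non-zero status, e.g. `STATUS=$($SUDO_CMD apparmor_status 2>/dev/null) || { crit "apparmor_status failed, AppArmor may not be enabled"; return; }`, then grep the variable for both lines. The unescaped `.` in `"^0 profiles are in complain mode."` is harmless but should be escaped (`mode\.`) or dropped so the intent is clear.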
@@ -21,39 +21,50 @@ HARDENING_EXCEPTION=mail # This function will be called if the script status is on enabled / audit mode audit() { - info "Checking netport ports opened" - RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || : - RESULT=${RESULT:-} - debug "Result is $RESULT" - if [ -z "$RESULT" ]; then - ok "Nothing listens on 25 port, probably unix socket configured" + is_pkg_installed net-tools + if [ "$FNRET" != 0 ]; then + warn "netsat not installed, cannot execute check" + exit 2 else - info "Checking $RESULT" - if grep -q "127.0.0.1" <<<"$RESULT"; then - ok "MTA is configured to localhost only" + info "Checking netport ports opened" + RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || : + RESULT=${RESULT:-} + debug "Result is $RESULT" + if [ -z "$RESULT" ]; then + ok "Nothing listens on 25 port, probably unix socket configured" else - crit "MTA listens worldwide" + info "Checking $RESULT" + if grep -q "127.0.0.1" <<<"$RESULT"; then + ok "MTA is configured to localhost only" + else + crit "MTA listens worldwide" + fi fi fi } # This function will be called if the script status is on enabled mode apply() { - info "Checking netport ports opened" - RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || : - RESULT=${RESULT:-} - debug "Result is $RESULT" - if [ -z "$RESULT" ]; then - ok "Nothing listens on 25 port, probably unix socket configured" + is_pkg_installed net-tools + if [ "$FNRET" != 0 ]; then + warn "netsat not installed, cannot execute check" + exit 2 else - info "Checking $RESULT" - if grep -q "127.0.0.1" <<<"$RESULT"; then - ok "MTA is configured to localhost only" + info "Checking netport ports opened" + RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || : + RESULT=${RESULT:-} + debug "Result is $RESULT" + if [ -z "$RESULT" ]; then + ok "Nothing listens on 25 port, probably unix socket configured" else - warn "MTA listens worldwide, correct this considering your MTA" + info "Checking $RESULT" + 
if grep -q "127.0.0.1" <<<"$RESULT"; then + ok "MTA is configured to localhost only" + else + warn "MTA listens worldwide, correct this considering your MTA" + fi fi fi - : } # This function will check config parameters required diff --git a/bin/hardening/4.1.11_record_privileged_commands.sh b/bin/hardening/4.1.11_record_privileged_commands.sh index a920bcb..6a9d47c 100755 --- a/bin/hardening/4.1.11_record_privileged_commands.sh +++ b/bin/hardening/4.1.11_record_privileged_commands.sh @@ -18,8 +18,7 @@ HARDENING_LEVEL=4 DESCRIPTION="Collect use of privileged commands." # Find all files with setuid or setgid set -SUDO_CMD='sudo -n' -AUDIT_PARAMS=$($SUDO_CMD find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | +AUDIT_PARAMS=$(find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }') FILE='/etc/audit/audit.rules' diff --git a/bin/hardening/4.2.1.2_enable_syslog-ng.sh b/bin/hardening/4.2.1.2_enable_syslog-ng.sh index 6cb2fd6..8df4653 100755 --- a/bin/hardening/4.2.1.2_enable_syslog-ng.sh +++ b/bin/hardening/4.2.1.2_enable_syslog-ng.sh 
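Review bot: The localhost test `grep -q "127.0.0.1" <<<"$RESULT"` succeeds as soon as one listening line mentions 127.0.0.1, so an MTA bound to both 127.0.0.1:25 and 0.0.0.0:25 or [::]:25 is reported `ok "MTA is configured to localhost only"`; the check must fail if any line is not loopback, e.g. `if grep -vqE '(127\.0\.0\.1|::1):25[[:space:]]' <<<"$RESULT"; then crit "MTA listens worldwide"; else ok "MTA is configured to localhost only"; fi`. The warning text says `netsat` (typo), and `is_pkg_installed net-tools` tests a package rather than the command; netstat is deprecated and `ss -lnt` from iproute2, typically present by default, would avoid the new dependency altogether. In apply() the same pipeline runs `netstat` without `$SUDO_CMD`, unlike audit().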
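Review bot: Dropping `$SUDO_CMD` from the top-level `find / -xdev \( -perm -4000 -o -perm -2000 \)` means that when the audit runs unprivileged (the case the other scripts' `$SUDO_CMD` exists for) find cannot enter root-only directories, prints permission errors, and AUDIT_PARAMS is silently built from an incomplete set of setuid/setgid binaries, so rules for privileged commands can be judged present when they are missing. If the hard-coded `sudo -n` was the problem, use the same `$SUDO_CMD` the other scripts use rather than none, or at least detect a non-zero find status and `warn`. Paths containing whitespace also break the awk-built `-F path=` rule (pre-existing), and the find runs at source time on every invocation, including audit-only runs.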
@@ -17,29 +17,40 @@ HARDENING_LEVEL=3 # shellcheck disable=2034 DESCRIPTION="Ensure syslog-ng service is activated." +PACKAGE='syslog-ng' SERVICE_NAME="syslog-ng" # This function will be called if the script status is on enabled / audit mode audit() { - info "Checking if $SERVICE_NAME is enabled" - is_service_enabled "$SERVICE_NAME" - if [ "$FNRET" = 0 ]; then - ok "$SERVICE_NAME is enabled" + is_pkg_installed "$PACKAGE" + if [ "$FNRET" != 0 ]; then + crit "$PACKAGE is not installed!" else - crit "$SERVICE_NAME is disabled" + info "Checking if $SERVICE_NAME is enabled" + is_service_enabled "$SERVICE_NAME" + if [ "$FNRET" = 0 ]; then + ok "$SERVICE_NAME is enabled" + else + crit "$SERVICE_NAME is disabled" + fi fi } # This function will be called if the script status is on enabled mode apply() { - info "Checking if $SERVICE_NAME is enabled" - is_service_enabled "$SERVICE_NAME" + is_pkg_installed "$PACKAGE" if [ "$FNRET" != 0 ]; then - info "Enabling $SERVICE_NAME" - update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1 - update-rc.d "$SERVICE_NAME" defaults >/dev/null 2>&1 + crit "$PACKAGE is not installed!" else - ok "$SERVICE_NAME is enabled" + info "Checking if $SERVICE_NAME is enabled" + is_service_enabled "$SERVICE_NAME" + if [ "$FNRET" != 0 ]; then + info "Enabling $SERVICE_NAME" + update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1 + update-rc.d "$SERVICE_NAME" defaults >/dev/null 2>&1 + else + ok "$SERVICE_NAME is enabled" + fi fi } diff --git a/bin/hardening/4.2.1.4_syslog_ng_logfiles_perm.sh b/bin/hardening/4.2.1.4_syslog_ng_logfiles_perm.sh index 118c911..65e60a0 100755 --- a/bin/hardening/4.2.1.4_syslog_ng_logfiles_perm.sh +++ b/bin/hardening/4.2.1.4_syslog_ng_logfiles_perm.sh @@ -19,6 +19,7 @@ DESCRIPTION="Create and set permissions on syslog-ng logfiles." # Note: this is not exacly the same check as the one described in CIS PDF +PACKAGE='syslog-ng' PERMISSIONS='' USER='' GROUP='' 
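Review bot: apply() discards the result of both `update-rc.d` calls (`>/dev/null 2>&1`) and never re-runs `is_service_enabled`, so a failure (for instance on a systemd host where the unit is masked or update-rc.d is unavailable) leaves syslog-ng disabled while the run ends without a finding. Re-check after enabling: `is_service_enabled "$SERVICE_NAME"; [ "$FNRET" = 0 ] || crit "$SERVICE_NAME could not be enabled"`. When the package is missing apply() only logs `crit`, whereas 1.7.1.3 and 1.7.1.4 in this commit call `apt_install`; if leaving syslog-ng uninstalled is deliberate (rsyslog may be the chosen logger) a one-line comment saying so would stop someone "fixing" it later.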
@@ -26,14 +27,71 @@ EXCEPTIONS='' # This function will be called if the script status is on enabled / audit mode audit() { - FILES=$(grep "file(" "$SYSLOG_BASEDIR"/syslog-ng.conf | grep '"' | cut -d'"' -f 2) - for FILE in $FILES; do - does_file_exist "$FILE" - if [ "$FNRET" != 0 ]; then - warn "$FILE does not exist" - else + is_pkg_installed "$PACKAGE" + if [ "$FNRET" != 0 ]; then + crit "$PACKAGE is not installed!" + else + FILES=$(grep "file(" "$SYSLOG_BASEDIR"/syslog-ng.conf | grep '"' | cut -d'"' -f 2) + for FILE in $FILES; do + does_file_exist "$FILE" + if [ "$FNRET" != 0 ]; then + warn "$FILE does not exist" + else + FOUND_EXC=0 + if grep -q "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then + debug "$FILE is found in exceptions" + debug "Setting special user:group:perm" + FOUND_EXC=1 + local user_bak="$USER" + local group_bak="$GROUP" + local perm_bak="$PERMISSIONS" + USER="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 2)" + GROUP="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 3)" + PERMISSIONS="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 4)" + fi + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then + ok "$FILE has correct ownership ($USER:$GROUP)" + else + crit "$FILE ownership was not set to $USER:$GROUP" + fi + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then + ok "$FILE has correct permissions ($PERMISSIONS)" + else + crit "$FILE permissions were not set to $PERMISSIONS" + fi + if [ "$FOUND_EXC" = 1 ]; then + debug "Resetting user:group:perm" + USER="$user_bak" + GROUP="$group_bak" + PERMISSIONS="$perm_bak" + fi + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply() { + is_pkg_installed "$PACKAGE" + if [ "$FNRET" != 0 ]; then + crit "$PACKAGE is not installed!" 
+ else + for FILE in $FILES; do + does_file_exist "$FILE" + if [ "$FNRET" != 0 ]; then + info "$FILE does not exist" + filedir=$(dirname "${FILE#/var/log/}") + if [ ! "$filedir" = "." ] && [ ! -d /var/log/"$filedir" ]; then + debug "Creating /var/log/$filedir for $FILE" + debug "mkdir -p /var/log/$filedir" + mkdir -p /var/log/"$filedir" + fi + touch "$FILE" + fi FOUND_EXC=0 - if grep -q "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then + if grep "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then debug "$FILE is found in exceptions" debug "Setting special user:group:perm" FOUND_EXC=1 @@ -46,15 +104,17 @@ audit() { fi has_file_correct_ownership "$FILE" "$USER" "$GROUP" if [ "$FNRET" = 0 ]; then - ok "$FILE has correct ownership ($USER:$GROUP)" + ok "$FILE has correct ownership" else - crit "$FILE ownership was not set to $USER:$GROUP" + warn "fixing $FILE ownership to $USER:$GROUP" + chown "$USER":"$GROUP" "$FILE" fi has_file_correct_permissions "$FILE" "$PERMISSIONS" if [ "$FNRET" = 0 ]; then - ok "$FILE has correct permissions ($PERMISSIONS)" + ok "$FILE has correct permissions" else - crit "$FILE permissions were not set to $PERMISSIONS" + info "fixing $FILE permissions to $PERMISSIONS" + chmod 0"$PERMISSIONS" "$FILE" fi if [ "$FOUND_EXC" = 1 ]; then debug "Resetting user:group:perm" 
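Review bot: The exception lookup `grep -q "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1)` and the three `grep "$FILE" | cut -d':' -f N` extractions treat the path as an unanchored regex, so `/var/log/mail` matches an exception written for `/var/log/mail.err`, dots act as wildcards, and with several matches USER/GROUP/PERMISSIONS become multi-line values that apply() then hands to chown/chmod. Use an exact field match instead, e.g. `USER="$(tr ' ' '\n' <<<"$EXCEPTIONS" | awk -F: -v f="$FILE" '$1 == f {print $2}')"` (and `$3`, `$4` for GROUP and PERMISSIONS), with `grep -Fxq -- "$FILE"` for the membership test. In the new apply() at the end of this hunk FILES is never assigned, so it only does anything if the framework always runs audit() before apply(); the `grep "$FILE"` there also lacks the `-q` used in audit() and prints the matched path to stdout.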
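Review bot: `chmod 0"$PERMISSIONS" "$FILE"` and `chown "$USER":"$GROUP" "$FILE"` apply values copied straight out of EXCEPTIONS; an entry with a missing or mistyped fourth field yields `chmod 0 /var/log/…`, removing all access to a log file, and an empty USER silently turns the chown into a group-only change. Validate before fixing: `[[ "$PERMISSIONS" =~ ^[0-7]{3,4}$ ]] || { crit "invalid permissions '$PERMISSIONS' for $FILE"; continue; }` with a similar non-empty check on USER and GROUP. The `touch "$FILE"` earlier in apply() creates new log files with the process umask before they are tightened, a window that `install -m "$PERMISSIONS" -o "$USER" -g "$GROUP" /dev/null "$FILE"` would close; apply() begins in the previous hunk.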
@@ -62,57 +122,8 @@ audit() { GROUP="$group_bak" PERMISSIONS="$perm_bak" fi - fi - done -} - -# This function will be called if the script status is on enabled mode -apply() { - for FILE in $FILES; do - does_file_exist "$FILE" - if [ "$FNRET" != 0 ]; then - info "$FILE does not exist" - filedir=$(dirname "${FILE#/var/log/}") - if [ ! "$filedir" = "." ] && [ ! -d /var/log/"$filedir" ]; then - debug "Creating /var/log/$filedir for $FILE" - debug "mkdir -p /var/log/$filedir" - mkdir -p /var/log/"$filedir" - fi - touch "$FILE" - fi - FOUND_EXC=0 - if grep "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then - debug "$FILE is found in exceptions" - debug "Setting special user:group:perm" - FOUND_EXC=1 - local user_bak="$USER" - local group_bak="$GROUP" - local perm_bak="$PERMISSIONS" - USER="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 2)" - GROUP="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 3)" - PERMISSIONS="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 4)" - fi - has_file_correct_ownership "$FILE" "$USER" "$GROUP" - if [ "$FNRET" = 0 ]; then - ok "$FILE has correct ownership" - else - warn "fixing $FILE ownership to $USER:$GROUP" - chown "$USER":"$GROUP" "$FILE" - fi - has_file_correct_permissions "$FILE" "$PERMISSIONS" - if [ "$FNRET" = 0 ]; then - ok "$FILE has correct permissions" - else - info "fixing $FILE permissions to $PERMISSIONS" - chmod 0"$PERMISSIONS" "$FILE" - fi - if [ "$FOUND_EXC" = 1 ]; then - debug "Resetting user:group:perm" - USER="$user_bak" - GROUP="$group_bak" - PERMISSIONS="$perm_bak" - fi - done + done + fi } # This function will create the config file for this check with default values diff --git a/bin/hardening/4.2.1.5_syslog-ng_remote_host.sh b/bin/hardening/4.2.1.5_syslog-ng_remote_host.sh index 19e305e..2b9e7f5 100755 --- a/bin/hardening/4.2.1.5_syslog-ng_remote_host.sh +++ b/bin/hardening/4.2.1.5_syslog-ng_remote_host.sh 
@@ -17,40 +17,52 @@ HARDENING_LEVEL=3 # shellcheck disable=2034 DESCRIPTION="Configure syslog-ng to send logs to a remote log host." +PACKAGE='syslog-ng' + PATTERN='destination[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]+\".' # This function will be called if the script status is on enabled / audit mode audit() { - FOUND=0 - FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)" - for FILE in $FILES; do - does_pattern_exist_in_file_multiline "$FILE" "$PATTERN" - if [ "$FNRET" = 0 ]; then - FOUND=1 - fi - done - - if [ "$FOUND" = 1 ]; then - ok "$PATTERN is present in $FILES" + is_pkg_installed "$PACKAGE" + if [ "$FNRET" != 0 ]; then + crit "$PACKAGE is not installed!" else - crit "$PATTERN is not present in $FILES" + FOUND=0 + FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)" + for FILE in $FILES; do + does_pattern_exist_in_file_multiline "$FILE" "$PATTERN" + if [ "$FNRET" = 0 ]; then + FOUND=1 + fi + done + + if [ "$FOUND" = 1 ]; then + ok "$PATTERN is present in $FILES" + else + crit "$PATTERN is not present in $FILES" + fi fi } # This function will be called if the script status is on enabled mode apply() { - FOUND=0 - FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)" - for FILE in $FILES; do - does_pattern_exist_in_file_multiline "$FILE" "$PATTERN" - if [ "$FNRET" = 0 ]; then - FOUND=1 - fi - done - if [ "$FOUND" = 1 ]; then - ok "$PATTERN is present in $FILES" + is_pkg_installed "$PACKAGE" + if [ "$FNRET" != 0 ]; then + crit "$PACKAGE is not installed!" 
else - crit "$PATTERN is not present in $FILES, please set a remote host to send your logs" + FOUND=0 + FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)" + for FILE in $FILES; do + does_pattern_exist_in_file_multiline "$FILE" "$PATTERN" + if [ "$FNRET" = 0 ]; then + FOUND=1 + fi + done + if [ "$FOUND" = 1 ]; then + ok "$PATTERN is present in $FILES" + else + crit "$PATTERN is not present in $FILES, please set a remote host to send your logs" + fi fi } diff --git a/bin/hardening/4.2.1.6_remote_syslog-ng_acl.sh b/bin/hardening/4.2.1.6_remote_syslog-ng_acl.sh index 4f45cb9..50d983e 100755 --- a/bin/hardening/4.2.1.6_remote_syslog-ng_acl.sh +++ b/bin/hardening/4.2.1.6_remote_syslog-ng_acl.sh 
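Review bot: PATTERN only recognises the legacy `tcp()`/`udp()` destination drivers, while syslog-ng 3.x configurations typically forward with `network()` or `syslog()`, so a host that does ship its logs remotely is reported `crit "$PATTERN is not present in $FILES"`; the host class `[[:alnum:].]+` likewise rejects hyphenated names and IPv6 literals. Widening it to `PATTERN='destination[[:alnum:][:space:]*{]+(tcp|udp|network|syslog)[[:space:]]*\(\"[[:alnum:].:-]+\".'` covers those cases. Conversely a commented-out destination would satisfy the match unless does_pattern_exist_in_file_multiline strips comments, which is not visible here, and `find -L "$SYSLOG_BASEDIR"/conf.d/` errors out when that directory is absent, so a `-d` test or `2>/dev/null` would keep the audit going.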
@@ -17,64 +17,74 @@ HARDENING_LEVEL=3 # shellcheck disable=2034 DESCRIPTION="Configure syslog to accept remote syslog messages only on designated log hosts." +PACKAGE='syslog-ng' + REMOTE_HOST="" PATTERN='source[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]+\".' # This function will be called if the script status is on enabled / audit mode audit() { - FOUND=0 - FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)" - for FILE in $FILES; do - does_pattern_exist_in_file_multiline "$FILE" "$PATTERN" - if [ "$FNRET" = 0 ]; then - FOUND=1 - fi - done - - if [[ "$REMOTE_HOST" ]]; then - info "This is the remote host, checking that it only accepts logs from specified zone" - if [ "$FOUND" = 1 ]; then - ok "$PATTERN is present in $FILES" - else - crit "$PATTERN is not present in $FILES" - fi + is_pkg_installed "$PACKAGE" + if [ "$FNRET" != 0 ]; then + crit "$PACKAGE is not installed!" else - info "This is the not the remote host checking that it doesn't accept remote logs" - if [ "$FOUND" = 1 ]; then - crit "$PATTERN is present in $FILES" - else - ok "$PATTERN is not present in $FILES" - fi + FOUND=0 + FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)" + for FILE in $FILES; do + does_pattern_exist_in_file_multiline "$FILE" "$PATTERN" + if [ "$FNRET" = 0 ]; then + FOUND=1 + fi + done + if [[ "$REMOTE_HOST" ]]; then + info "This is the remote host, checking that it only accepts logs from specified zone" + if [ "$FOUND" = 1 ]; then + ok "$PATTERN is present in $FILES" + else + crit "$PATTERN is not present in $FILES" + fi + else + info "This is the not the remote host checking that it doesn't accept remote logs" + if [ "$FOUND" = 1 ]; then + crit "$PATTERN is present in $FILES" + else + ok "$PATTERN is not present in $FILES" + fi + fi fi } # This function will be called if the script status is on enabled mode apply() { - FOUND=0 - FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L 
"$SYSLOG_BASEDIR"/conf.d/ -type f)" - for FILE in $FILES; do - does_pattern_exist_in_file_multiline "$FILE" "$PATTERN" - if [ "$FNRET" = 0 ]; then - FOUND=1 - fi - done - - if [[ "$REMOTE_HOST" ]]; then - info "This is the remote host, checking that it only accepts logs from specified zone" - if [ "$FOUND" = 1 ]; then - ok "$PATTERN is present in $FILES" - else - crit "$PATTERN is not present in $FILES, setup the machine to receive the logs" - fi + is_pkg_installed "$PACKAGE" + if [ "$FNRET" != 0 ]; then + crit "$PACKAGE is not installed!" else - info "This is the not the remote host checking that it doesn't accept remote logs" - if [ "$FOUND" = 1 ]; then - warn "$PATTERN is present in $FILES, " - else - ok "$PATTERN is not present in $FILES" - fi + FOUND=0 + FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)" + for FILE in $FILES; do + does_pattern_exist_in_file_multiline "$FILE" "$PATTERN" + if [ "$FNRET" = 0 ]; then + FOUND=1 + fi + done + if [[ "$REMOTE_HOST" ]]; then + info "This is the remote host, checking that it only accepts logs from specified zone" + if [ "$FOUND" = 1 ]; then + ok "$PATTERN is present in $FILES" + else + crit "$PATTERN is not present in $FILES, setup the machine to receive the logs" + fi + else + info "This is the not the remote host checking that it doesn't accept remote logs" + if [ "$FOUND" = 1 ]; then + warn "$PATTERN is present in $FILES, " + else + ok "$PATTERN is not present in $FILES" + fi + fi fi } diff --git a/bin/hardening/5.1.2_crontab_perm_ownership.sh b/bin/hardening/5.1.2_crontab_perm_ownership.sh index a654d10..f3d37ba 100755 --- a/bin/hardening/5.1.2_crontab_perm_ownership.sh +++ b/bin/hardening/5.1.2_crontab_perm_ownership.sh 
@@ -27,18 +27,19 @@ audit() { does_file_exist "$FILE" if [ "$FNRET" != 0 ]; then crit "$FILE does not exist" - fi - has_file_correct_ownership "$FILE" "$USER" "$GROUP" - if [ "$FNRET" = 0 ]; then - ok "$FILE has correct ownership" else - crit "$FILE ownership was not set to $USER:$GROUP" - fi - has_file_correct_permissions "$FILE" "$PERMISSIONS" - if [ "$FNRET" = 0 ]; then - ok "$FILE has correct permissions" - else - crit "$FILE permissions were not set to $PERMISSIONS" + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then + ok "$FILE has correct ownership" + else + crit "$FILE ownership was not set to $USER:$GROUP" + fi + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then + ok "$FILE has correct permissions" + else + crit "$FILE permissions were not set to $PERMISSIONS" + fi fi } @@ -48,20 +49,21 @@ apply() { if [ "$FNRET" != 0 ]; then info "$FILE does not exist" touch "$FILE" - fi - has_file_correct_ownership "$FILE" "$USER" "$GROUP" - if [ "$FNRET" = 0 ]; then - ok "$FILE has correct ownership" else - warn "fixing $FILE ownership to $USER:$GROUP" - chown "$USER":"$GROUP" "$FILE" - fi - has_file_correct_permissions "$FILE" "$PERMISSIONS" - if [ "$FNRET" = 0 ]; then - ok "$FILE has correct permissions" - else - info "fixing $FILE permissions to $PERMISSIONS" - chmod 0"$PERMISSIONS" "$FILE" + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then + ok "$FILE has correct ownership" + else + warn "fixing $FILE ownership to $USER:$GROUP" + chown "$USER":"$GROUP" "$FILE" + fi + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then + ok "$FILE has correct permissions" + else + info "fixing $FILE permissions to $PERMISSIONS" + chmod 0"$PERMISSIONS" "$FILE" + fi fi } diff --git a/bin/hardening/5.1.3_cron_hourly_perm_ownership.sh b/bin/hardening/5.1.3_cron_hourly_perm_ownership.sh index 4332bcd..44bb57b 100755 --- a/bin/hardening/5.1.3_cron_hourly_perm_ownership.sh 
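Review bot: In the `apply()` hunk the ownership and permission fixes were moved into the `else` branch of the `does_file_exist` test, so when `$FILE` is missing the script runs `touch "$FILE"`, emits only the `info` line and then skips both fixes — the file it just created keeps the caller's umask permissions and ownership, which is the opposite of what the remediation is for. The previous layout, where the two checks followed the `fi`, was the right one for apply; either drop that `else` so the `has_file_correct_ownership` / `has_file_correct_permissions` blocks run after the `touch`, or add `chown "$USER":"$GROUP" "$FILE"` and `chmod 0"$PERMISSIONS" "$FILE"` directly after it. The `audit()` hunk is fine as reordered, since a missing file is already a `crit` there. The same regression is in the `apply()` hunks of 5.1.3_cron_hourly, 5.1.4_cron_daily, 5.1.5_cron_weekly and 5.1.6_cron_monthly below.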
+++ b/bin/hardening/5.1.3_cron_hourly_perm_ownership.sh @@ -27,18 +27,19 @@ audit() { does_file_exist "$FILE" if [ "$FNRET" != 0 ]; then crit "$FILE does not exist" - fi - has_file_correct_ownership "$FILE" "$USER" "$GROUP" - if [ "$FNRET" = 0 ]; then - ok "$FILE has correct ownership" else - crit "$FILE ownership was not set to $USER:$GROUP" - fi - has_file_correct_permissions "$FILE" "$PERMISSIONS" - if [ "$FNRET" = 0 ]; then - ok "$FILE has correct permissions" - else - crit "$FILE permissions were not set to $PERMISSIONS" + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then + ok "$FILE has correct ownership" + else + crit "$FILE ownership was not set to $USER:$GROUP" + fi + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then + ok "$FILE has correct permissions" + else + crit "$FILE permissions were not set to $PERMISSIONS" + fi fi } @@ -48,20 +49,21 @@ apply() { if [ "$FNRET" != 0 ]; then info "$FILE does not exist" touch "$FILE" - fi - has_file_correct_ownership "$FILE" "$USER" "$GROUP" - if [ "$FNRET" = 0 ]; then - ok "$FILE has correct ownership" else - warn "fixing $FILE ownership to $USER:$GROUP" - chown "$USER":"$GROUP" "$FILE" - fi - has_file_correct_permissions "$FILE" "$PERMISSIONS" - if [ "$FNRET" = 0 ]; then - ok "$FILE has correct permissions" - else - info "fixing $FILE permissions to $PERMISSIONS" - chmod 0"$PERMISSIONS" "$FILE" + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then + ok "$FILE has correct ownership" + else + warn "fixing $FILE ownership to $USER:$GROUP" + chown "$USER":"$GROUP" "$FILE" + fi + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then + ok "$FILE has correct permissions" + else + info "fixing $FILE permissions to $PERMISSIONS" + chmod 0"$PERMISSIONS" "$FILE" + fi fi } diff --git a/bin/hardening/5.1.4_cron_daily_perm_ownership.sh b/bin/hardening/5.1.4_cron_daily_perm_ownership.sh index 1466a93..5ad3449 100755 
--- a/bin/hardening/5.1.4_cron_daily_perm_ownership.sh +++ b/bin/hardening/5.1.4_cron_daily_perm_ownership.sh @@ -27,18 +27,19 @@ audit() { does_file_exist "$FILE" if [ "$FNRET" != 0 ]; then crit "$FILE does not exist" - fi - has_file_correct_ownership "$FILE" "$USER" "$GROUP" - if [ "$FNRET" = 0 ]; then - ok "$FILE has correct ownership" else - crit "$FILE ownership was not set to $USER:$GROUP" - fi - has_file_correct_permissions "$FILE" "$PERMISSIONS" - if [ "$FNRET" = 0 ]; then - ok "$FILE has correct permissions" - else - crit "$FILE permissions were not set to $PERMISSIONS" + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then + ok "$FILE has correct ownership" + else + crit "$FILE ownership was not set to $USER:$GROUP" + fi + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then + ok "$FILE has correct permissions" + else + crit "$FILE permissions were not set to $PERMISSIONS" + fi fi } @@ -48,20 +49,21 @@ apply() { if [ "$FNRET" != 0 ]; then info "$FILE does not exist" touch "$FILE" - fi - has_file_correct_ownership "$FILE" "$USER" "$GROUP" - if [ "$FNRET" = 0 ]; then - ok "$FILE has correct ownership" else - warn "fixing $FILE ownership to $USER:$GROUP" - chown "$USER":"$GROUP" "$FILE" - fi - has_file_correct_permissions "$FILE" "$PERMISSIONS" - if [ "$FNRET" = 0 ]; then - ok "$FILE has correct permissions" - else - info "fixing $FILE permissions to $PERMISSIONS" - chmod 0"$PERMISSIONS" "$FILE" + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then + ok "$FILE has correct ownership" + else + warn "fixing $FILE ownership to $USER:$GROUP" + chown "$USER":"$GROUP" "$FILE" + fi + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then + ok "$FILE has correct permissions" + else + info "fixing $FILE permissions to $PERMISSIONS" + chmod 0"$PERMISSIONS" "$FILE" + fi fi } 
diff --git a/bin/hardening/5.1.5_cron_weekly_perm_ownership.sh b/bin/hardening/5.1.5_cron_weekly_perm_ownership.sh index 8798eef..5c5258e 100755 --- a/bin/hardening/5.1.5_cron_weekly_perm_ownership.sh +++ b/bin/hardening/5.1.5_cron_weekly_perm_ownership.sh @@ -27,18 +27,19 @@ audit() { does_file_exist "$FILE" if [ "$FNRET" != 0 ]; then crit "$FILE does not exist" - fi - has_file_correct_ownership "$FILE" "$USER" "$GROUP" - if [ "$FNRET" = 0 ]; then - ok "$FILE has correct ownership" else - crit "$FILE ownership was not set to $USER:$GROUP" - fi - has_file_correct_permissions "$FILE" "$PERMISSIONS" - if [ "$FNRET" = 0 ]; then - ok "$FILE has correct permissions" - else - crit "$FILE permissions were not set to $PERMISSIONS" + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then + ok "$FILE has correct ownership" + else + crit "$FILE ownership was not set to $USER:$GROUP" + fi + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then + ok "$FILE has correct permissions" + else + crit "$FILE permissions were not set to $PERMISSIONS" + fi fi } 
@@ -48,20 +49,21 @@ apply() { if [ "$FNRET" != 0 ]; then info "$FILE does not exist" touch "$FILE" - fi - has_file_correct_ownership "$FILE" "$USER" "$GROUP" - if [ "$FNRET" = 0 ]; then - ok "$FILE has correct ownership" else - warn "fixing $FILE ownership to $USER:$GROUP" - chown "$USER":"$GROUP" "$FILE" - fi - has_file_correct_permissions "$FILE" "$PERMISSIONS" - if [ "$FNRET" = 0 ]; then - ok "$FILE has correct permissions" - else - info "fixing $FILE permissions to $PERMISSIONS" - chmod 0"$PERMISSIONS" "$FILE" + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then + ok "$FILE has correct ownership" + else + warn "fixing $FILE ownership to $USER:$GROUP" + chown "$USER":"$GROUP" "$FILE" + fi + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then + ok "$FILE has correct permissions" + else + info "fixing $FILE permissions to $PERMISSIONS" + chmod 0"$PERMISSIONS" "$FILE" + fi fi } diff --git a/bin/hardening/5.1.6_cron_monthly_perm_ownership.sh b/bin/hardening/5.1.6_cron_monthly_perm_ownership.sh index 91781bd..1ff9296 100755 --- a/bin/hardening/5.1.6_cron_monthly_perm_ownership.sh +++ b/bin/hardening/5.1.6_cron_monthly_perm_ownership.sh 
@@ -27,18 +27,19 @@ audit() { does_file_exist "$FILE" if [ "$FNRET" != 0 ]; then crit "$FILE does not exist" - fi - has_file_correct_ownership "$FILE" "$USER" "$GROUP" - if [ "$FNRET" = 0 ]; then - ok "$FILE has correct ownership" else - crit "$FILE ownership was not set to $USER:$GROUP" - fi - has_file_correct_permissions "$FILE" "$PERMISSIONS" - if [ "$FNRET" = 0 ]; then - ok "$FILE has correct permissions" - else - crit "$FILE permissions were not set to $PERMISSIONS" + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then + ok "$FILE has correct ownership" + else + crit "$FILE ownership was not set to $USER:$GROUP" + fi + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then + ok "$FILE has correct permissions" + else + crit "$FILE permissions were not set to $PERMISSIONS" + fi fi } @@ -48,20 +49,21 @@ apply() { if [ "$FNRET" != 0 ]; then info "$FILE does not exist" touch "$FILE" - fi - has_file_correct_ownership "$FILE" "$USER" "$GROUP" - if [ "$FNRET" = 0 ]; then - ok "$FILE has correct ownership" else - warn "fixing $FILE ownership to $USER:$GROUP" - chown "$USER":"$GROUP" "$FILE" - fi - has_file_correct_permissions "$FILE" "$PERMISSIONS" - if [ "$FNRET" = 0 ]; then - ok "$FILE has correct permissions" - else - info "fixing $FILE permissions to $PERMISSIONS" - chmod 0"$PERMISSIONS" "$FILE" + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then + ok "$FILE has correct ownership" + else + warn "fixing $FILE ownership to $USER:$GROUP" + chown "$USER":"$GROUP" "$FILE" + fi + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then + ok "$FILE has correct permissions" + else + info "fixing $FILE permissions to $PERMISSIONS" + chmod 0"$PERMISSIONS" "$FILE" + fi fi } diff --git a/bin/hardening/5.2.1_sshd_conf_perm_ownership.sh b/bin/hardening/5.2.1_sshd_conf_perm_ownership.sh index dde8f11..76599b9 100755 --- a/bin/hardening/5.2.1_sshd_conf_perm_ownership.sh 
+++ b/bin/hardening/5.2.1_sshd_conf_perm_ownership.sh @@ -17,6 +17,7 @@ HARDENING_LEVEL=1 # shellcheck disable=2034 DESCRIPTION="Checking permissions and ownership to root 600 for sshd_config." +PACKAGE='openssh-server' FILE='/etc/ssh/sshd_config' PERMISSIONS='600' USER='root' 
@@ -24,40 +25,50 @@ GROUP='root' # This function will be called if the script status is on enabled / audit mode audit() { - has_file_correct_ownership "$FILE" "$USER" "$GROUP" - if [ "$FNRET" = 0 ]; then - ok "$FILE has correct ownership" + is_pkg_installed "$PACKAGE" + if [ "$FNRET" != 0 ]; then + ok "$PACKAGE is not installed!" else - crit "$FILE ownership was not set to $USER:$GROUP" - fi - has_file_correct_permissions "$FILE" "$PERMISSIONS" - if [ "$FNRET" = 0 ]; then - ok "$FILE has correct permissions" - else - crit "$FILE permissions were not set to $PERMISSIONS" + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then + ok "$FILE has correct ownership" + else + crit "$FILE ownership was not set to $USER:$GROUP" + fi + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then + ok "$FILE has correct permissions" + else + crit "$FILE permissions were not set to $PERMISSIONS" + fi fi } # This function will be called if the script status is on enabled mode apply() { - does_file_exist "$FILE" + is_pkg_installed "$PACKAGE" if [ "$FNRET" != 0 ]; then - info "$FILE does not exist" - touch "$FILE" - fi - has_file_correct_ownership "$FILE" "$USER" "$GROUP" - if [ "$FNRET" = 0 ]; then - ok "$FILE has correct ownership" + ok "$PACKAGE is not installed" else - warn "fixing $FILE ownership to $USER:$GROUP" - chown "$USER":"$GROUP" "$FILE" - fi - has_file_correct_permissions "$FILE" "$PERMISSIONS" - if [ "$FNRET" = 0 ]; then - ok "$FILE has correct permissions" - else - info "fixing $FILE permissions to $PERMISSIONS" - chmod 0"$PERMISSIONS" "$FILE" + does_file_exist "$FILE" + if [ "$FNRET" != 0 ]; then + info "$FILE does not exist" + touch "$FILE" + fi + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then + ok "$FILE has correct ownership" + else + warn "fixing $FILE ownership to $USER:$GROUP" + chown "$USER":"$GROUP" "$FILE" + fi + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ 
"$FNRET" = 0 ]; then + ok "$FILE has correct permissions" + else + info "fixing $FILE permissions to $PERMISSIONS" + chmod 0"$PERMISSIONS" "$FILE" + fi fi } diff --git a/bin/hardening/99.3.3.4_hosts_allow_permissions.sh b/bin/hardening/99.3.3.4_hosts_allow_permissions.sh index 6113b62..222e919 100755 --- a/bin/hardening/99.3.3.4_hosts_allow_permissions.sh +++ b/bin/hardening/99.3.3.4_hosts_allow_permissions.sh @@ -24,22 +24,36 @@ GROUP='root' # This function will be called if the script status is on enabled / audit mode audit() { - has_file_correct_permissions "$FILE" "$PERMISSIONS" - if [ "$FNRET" = 0 ]; then - ok "$FILE has correct permissions" + does_file_exist "$FILE" + if [ "$FNRET" != 0 ]; then + crit "$FILE does not exist" else - crit "$FILE permissions were not set to $PERMISSIONS" - fi - has_file_correct_ownership "$FILE" "$USER" "$GROUP" - if [ "$FNRET" = 0 ]; then - ok "$FILE has correct ownership" - else - crit "$FILE ownership was not set to $USER:$GROUP" + ok "$FILE exist" + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then + ok "$FILE has correct permissions" + else + crit "$FILE permissions were not set to $PERMISSIONS" + fi + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then + ok "$FILE has correct ownership" + else + crit "$FILE ownership was not set to $USER:$GROUP" + fi fi } # This function will be called if the script status is on enabled mode apply() { + does_file_exist "$FILE" + if [ "$FNRET" != 0 ]; then + warn "$FILE does not exist" + touch "$FILE" + warn "You may want to fill it with allowed networks" + else + ok "$FILE exist" + fi has_file_correct_permissions "$FILE" "$PERMISSIONS" if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" diff --git a/bin/hardening/99.3.3.5_hosts_deny_permissions.sh b/bin/hardening/99.3.3.5_hosts_deny_permissions.sh index c0579bd..64220a6 100755 --- a/bin/hardening/99.3.3.5_hosts_deny_permissions.sh 
+++ b/bin/hardening/99.3.3.5_hosts_deny_permissions.sh @@ -24,22 +24,36 @@ GROUP='root' # This function will be called if the script status is on enabled / audit mode audit() { - has_file_correct_permissions "$FILE" "$PERMISSIONS" - if [ "$FNRET" = 0 ]; then - ok "$FILE has correct permissions" + does_file_exist "$FILE" + if [ "$FNRET" != 0 ]; then + crit "$FILE does not exist" else - crit "$FILE permissions were not set to $PERMISSIONS" - fi - has_file_correct_ownership "$FILE" "$USER" "$GROUP" - if [ "$FNRET" = 0 ]; then - ok "$FILE has correct ownership" - else - crit "$FILE ownership was not set to $USER:$GROUP" + ok "$FILE exist" + has_file_correct_permissions "$FILE" "$PERMISSIONS" + if [ "$FNRET" = 0 ]; then + ok "$FILE has correct permissions" + else + crit "$FILE permissions were not set to $PERMISSIONS" + fi + has_file_correct_ownership "$FILE" "$USER" "$GROUP" + if [ "$FNRET" = 0 ]; then + ok "$FILE has correct ownership" + else + crit "$FILE ownership was not set to $USER:$GROUP" + fi fi } # This function will be called if the script status is on enabled mode apply() { + does_file_exist "$FILE" + if [ "$FNRET" != 0 ]; then + warn "$FILE does not exist" + touch "$FILE" + warn "You may want to fill it with allowed networks" + else + ok "$FILE exist" + fi has_file_correct_permissions "$FILE" "$PERMISSIONS" if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions"
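Review bot: The new `apply()` branch was copied from 99.3.3.4 together with its hint: `warn "You may want to fill it with allowed networks"` is wrong for `/etc/hosts.deny`, which lists what is refused, and an empty file created by `touch` refuses nothing, so the operator is told the wrong thing right after the script has weakened the control. The hint should say so, e.g. `warn "$FILE was created empty and denies nothing; you may want to add a deny rule such as ALL: ALL"`. `ok "$FILE exist"` in both functions should be `exists`. The rest of `apply()` lies outside the hunk.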