Check that package are installed before launching check (#69)

* FIX(1.6.1,1.7.1.x): check if apparmor and grub is installed

* FIX(2.2.15): check package install

* FIX(4.2.x): check package install

* FIX(5.1.x): check crontab files exist

* FIX(5.2.1): check package install

* FIX(99.3.3.x): check conf file exist

* Remove useless SUDO_CMD

* Deal with non-existent /run/shm

* Replace exit code 128 by exit code 2

fix #65

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
Thibault Ayanides 2021-03-25 14:01:57 +01:00 committed by GitHub
parent f8ac58700d
commit 1c51e4cec4
24 changed files with 561 additions and 409 deletions


@ -24,7 +24,11 @@ OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
PARTITION=$(readlink -e "$PARTITION") if [ -e "$PARTITION" ]; then
PARTITION=$(readlink -e "$PARTITION")
else
PARTITION="/dev/shm"
fi
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then
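Review bot: The new `else` branch replaces whatever `$PARTITION` was configured with a hard-coded `/dev/shm`, so a configured target that is missing silently turns this into a check of `/dev/shm` instead of a finding; the nosuid and noexec sections that follow add the same code. The commit description only mentions `/run/shm`, so the fallback should be limited to that case and a missing other path reported: `elif [ "$PARTITION" = "/run/shm" ]; then PARTITION="/dev/shm"` followed by `else crit "$PARTITION does not exist"`. audit() continues past the end of the hunk.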


@ -24,7 +24,11 @@ OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
PARTITION=$(readlink -e "$PARTITION") if [ -e "$PARTITION" ]; then
PARTITION=$(readlink -e "$PARTITION")
else
PARTITION="/dev/shm"
fi
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then


@ -24,7 +24,11 @@ OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
PARTITION=$(readlink -e "$PARTITION") if [ -e "$PARTITION" ]; then
PARTITION=$(readlink -e "$PARTITION")
else
PARTITION="/dev/shm"
fi
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then if [ "$FNRET" -gt 0 ]; then


@ -66,22 +66,22 @@ check_config() {
is_pkg_installed "grub-pc" is_pkg_installed "grub-pc"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "Grub is not installed, not handling configuration" warn "Grub is not installed, not handling configuration"
exit 128 exit 2
fi fi
does_user_exist "$USER" does_user_exist "$USER"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$USER does not exist" crit "$USER does not exist"
exit 128 exit 2
fi fi
does_group_exist "$GROUP" does_group_exist "$GROUP"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$GROUP does not exist" crit "$GROUP does not exist"
exit 128 exit 2
fi fi
does_file_exist "$FILE" does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
exit 128 exit 2
fi fi
} }


@ -51,7 +51,6 @@ apply() {
else else
ok "$PWD_PATTERN is present in $FILE" ok "$PWD_PATTERN is present in $FILE"
fi fi
:
} }
# This function will check config parameters required # This function will check config parameters required
@ -59,11 +58,11 @@ check_config() {
is_pkg_installed "grub-pc" is_pkg_installed "grub-pc"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "grub-pc is not installed, not handling configuration" warn "grub-pc is not installed, not handling configuration"
exit 128 exit 2
fi fi
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
exit 128 exit 2
fi fi
} }
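Review bot: The second `if [ "$FNRET" != 0 ]` in check_config re-tests the value left by `is_pkg_installed "grub-pc"`, which the preceding `exit 2` already guarantees to be 0, so the `crit "$FILE does not exist"` branch can never run and a missing `$FILE` is not caught. A `does_file_exist "$FILE"` call is needed between the two blocks, as the check_config in the previous file section has it: `does_file_exist "$FILE"` immediately before the second `if [ "$FNRET" != 0 ]; then`. Only the hunk header names check_config; its opening line is above the hunk.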


@ -38,7 +38,6 @@ apply() {
else else
ok "$PATTERN is not present in $FILE" ok "$PATTERN is not present in $FILE"
fi fi
:
} }
# This function will check config parameters required # This function will check config parameters required


@ -35,31 +35,39 @@ nx_supported_and_enabled() {
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
does_pattern_exist_in_dmesg "$PATTERN" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" != 0 ]; then ok "Container detected, cannot read dmesg!"
nx_supported_and_enabled
if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
else
ok "NX is supported and enabled"
fi
else else
ok "$PATTERN is present in dmesg" does_pattern_exist_in_dmesg "$PATTERN"
if [ "$FNRET" != 0 ]; then
nx_supported_and_enabled
if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
else
ok "NX is supported and enabled"
fi
else
ok "$PATTERN is present in dmesg"
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
does_pattern_exist_in_dmesg "$PATTERN" if [ "$IS_CONTAINER" -eq 1 ]; then
if [ "$FNRET" != 0 ]; then ok "Container detected, cannot read dmesg!"
nx_supported_and_enabled
if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
else
ok "NX is supported and enabled"
fi
else else
ok "$PATTERN is present in dmesg" does_pattern_exist_in_dmesg "$PATTERN"
if [ "$FNRET" != 0 ]; then
nx_supported_and_enabled
if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
else
ok "NX is supported and enabled"
fi
else
ok "$PATTERN is present in dmesg"
fi
fi fi
} }
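Review bot: `ok "Container detected, cannot read dmesg!"` marks the NX check as passed in a container although nothing was verified; dmesg and the NX state come from the host kernel, so this is an unverifiable result rather than a compliant one, and apply() repeats the same `ok`. Unless `ok` is how this framework records a skipped check, `info "Container detected, cannot read dmesg, NX state not verified"` (or `warn`) would avoid reporting a pass the script cannot back. The audit() and apply() bodies are now identical apart from that line and could share one helper.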


@ -21,32 +21,46 @@ PACKAGES='apparmor apparmor-utils'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
ERROR=0
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is absent!" crit "$PACKAGE is absent!"
ERROR=1
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
fi fi
done done
ERROR=0
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for line in $RESULT; do
if [[ ! "$line" =~ "apparmor=1" ]] || [[ ! "$line" =~ "security=apparmor" ]]; then
crit "$line is not configured"
ERROR=1
fi
done
IFS=$d_IFS
if [ "$ERROR" = 0 ]; then if [ "$ERROR" = 0 ]; then
ok "$PACKAGES are configured" is_pkg_installed "grub-pc"
if [ "$FNRET" != 0 ]; then
if [ "$IS_CONTAINER" -eq 1 ]; then
ok "Grub is not installed in container"
else
warn "Grub is not installed"
exit 128
fi
else
ERROR=0
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for line in $RESULT; do
if [[ ! "$line" =~ "apparmor=1" ]] || [[ ! "$line" =~ "security=apparmor" ]]; then
crit "$line is not configured"
ERROR=1
fi
done
IFS=$d_IFS
if [ "$ERROR" = 0 ]; then
ok "$PACKAGES are configured"
fi
fi
fi fi
} }
@ -62,26 +76,35 @@ apply() {
fi fi
done done
ERROR=0 is_pkg_installed "grub-pc"
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg) if [ "$FNRET" != 0 ]; then
if [ "$IS_CONTAINER" -eq 1 ]; then
# define custom IFS and save default one ok "Grub is not installed in container"
d_IFS=$IFS else
c_IFS=$'\n' warn "You should use grub. Install it yourself"
IFS=$c_IFS
for line in $RESULT; do
if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
crit "$line is not configured"
ERROR=1
fi fi
done
IFS=$d_IFS
if [ $ERROR = 1 ]; then
$SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor /" /etc/default/grub
$SUDO_CMD update-grub
else else
ok "$PACKAGES are configured" ERROR=0
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for line in $RESULT; do
if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
crit "$line is not configured"
ERROR=1
fi
done
IFS=$d_IFS
if [ $ERROR = 1 ]; then
$SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor /" /etc/default/grub
$SUDO_CMD update-grub
else
ok "$PACKAGES are configured"
fi
fi fi
} }
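Review bot: `exit 128` in the new grub-pc branch of audit() contradicts the commit's stated replacement of exit code 128 by 2, which the check_config and netstat hunks of this same commit apply; the line should read `exit 2`. In apply() the same missing-grub case only warns and continues, so the two modes report the missing prerequisite differently — worth a comment if that is intended. The `if [ $ERROR = 1 ]` test in apply() is unquoted, unlike its audit() counterpart `if [ "$ERROR" = 0 ]`.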


@ -21,22 +21,25 @@ PACKAGES='apparmor apparmor-utils'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
ERROR=0
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is absent!" crit "$PACKAGE is absent!"
ERROR=1
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
fi fi
done done
if [ "$ERROR" = 0 ]; then
RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined") if [ -n "$RESULT_UNCONFINED" ]; then
ok "No profiles are unconfined"
if [ -n "$RESULT_UNCONFINED" ]; then else
ok "No profiles are unconfined" crit "Some processes are unconfined while they have defined profile"
fi
else
crit "Some processes are unconfined while they have defined profile"
fi fi
} }
@ -46,6 +49,7 @@ apply() {
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PACKAGES is absent!" crit "$PACKAGES is absent!"
apt_install "$PACKAGE"
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
fi fi
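Review bot: The `crit "$PACKAGES is absent!"` message next to the added `apt_install "$PACKAGE"` prints the whole package list for a single missing package; the audit() hunk above uses the singular and apply() should match: `crit "$PACKAGE is absent!"`. apply() continues past the hunk on both sides.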


@ -21,28 +21,31 @@ PACKAGES='apparmor apparmor-utils'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
ERROR=0
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is absent!" crit "$PACKAGE is absent!"
ERROR=1
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
fi fi
done done
if [ "$ERROR" = 0 ]; then
RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode.")
RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined") if [ -n "$RESULT_UNCONFINED" ]; then
RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode.") ok "No profiles are unconfined"
else
crit "Some processes are unconfined while they have defined profile"
fi
if [ -n "$RESULT_UNCONFINED" ]; then if [ -n "$RESULT_COMPLAIN" ]; then
ok "No profiles are unconfined" ok "No profiles are in complain mode"
else else
crit "Some processes are unconfined while they have defined profile" crit "Some processes are in complain mode"
fi fi
if [ -n "$RESULT_COMPLAIN" ]; then
ok "No profiles are in complain mode"
else
crit "Some processes are in complain mode"
fi fi
} }
@ -52,6 +55,7 @@ apply() {
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is absent!" crit "$PACKAGE is absent!"
apt_install "$PACKAGE"
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
fi fi


@ -21,39 +21,50 @@ HARDENING_EXCEPTION=mail
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
info "Checking netport ports opened" is_pkg_installed net-tools
RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || : if [ "$FNRET" != 0 ]; then
RESULT=${RESULT:-} warn "netsat not installed, cannot execute check"
debug "Result is $RESULT" exit 2
if [ -z "$RESULT" ]; then
ok "Nothing listens on 25 port, probably unix socket configured"
else else
info "Checking $RESULT" info "Checking netport ports opened"
if grep -q "127.0.0.1" <<<"$RESULT"; then RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || :
ok "MTA is configured to localhost only" RESULT=${RESULT:-}
debug "Result is $RESULT"
if [ -z "$RESULT" ]; then
ok "Nothing listens on 25 port, probably unix socket configured"
else else
crit "MTA listens worldwide" info "Checking $RESULT"
if grep -q "127.0.0.1" <<<"$RESULT"; then
ok "MTA is configured to localhost only"
else
crit "MTA listens worldwide"
fi
fi fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
info "Checking netport ports opened" is_pkg_installed net-tools
RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || : if [ "$FNRET" != 0 ]; then
RESULT=${RESULT:-} warn "netsat not installed, cannot execute check"
debug "Result is $RESULT" exit 2
if [ -z "$RESULT" ]; then
ok "Nothing listens on 25 port, probably unix socket configured"
else else
info "Checking $RESULT" info "Checking netport ports opened"
if grep -q "127.0.0.1" <<<"$RESULT"; then RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || :
ok "MTA is configured to localhost only" RESULT=${RESULT:-}
debug "Result is $RESULT"
if [ -z "$RESULT" ]; then
ok "Nothing listens on 25 port, probably unix socket configured"
else else
warn "MTA listens worldwide, correct this considering your MTA" info "Checking $RESULT"
if grep -q "127.0.0.1" <<<"$RESULT"; then
ok "MTA is configured to localhost only"
else
warn "MTA listens worldwide, correct this considering your MTA"
fi
fi fi
fi fi
:
} }
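Review bot: The new warning `warn "netsat not installed, cannot execute check"` misspells the tool and names a binary while the test is on the package net-tools; it appears in both audit() and apply(). `warn "net-tools (netstat) is not installed, cannot execute check"` says what was actually checked. audit() keeps `$SUDO_CMD netstat` while apply() calls `netstat` directly — presumably because apply already runs as root, but a comment would make that explicit. net-tools is maintenance-only on current Debian; `ss -ltn` from iproute2 would drop the extra package dependency, though that is beyond this commit.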
# This function will check config parameters required # This function will check config parameters required


@ -18,8 +18,7 @@ HARDENING_LEVEL=4
DESCRIPTION="Collect use of privileged commands." DESCRIPTION="Collect use of privileged commands."
# Find all files with setuid or setgid set # Find all files with setuid or setgid set
SUDO_CMD='sudo -n' AUDIT_PARAMS=$(find / -xdev \( -perm -4000 -o -perm -2000 \) -type f |
AUDIT_PARAMS=$($SUDO_CMD find / -xdev \( -perm -4000 -o -perm -2000 \) -type f |
awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }') awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }')
FILE='/etc/audit/audit.rules' FILE='/etc/audit/audit.rules'
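Review bot: Dropping `$SUDO_CMD` leaves `AUDIT_PARAMS=$(find / -xdev …)` running a full filesystem walk at load time — whenever the script is sourced, not when audit() or apply() runs — and without root it silently yields an incomplete setuid/setgid list (plus permission-denied noise on stderr), which would produce an incomplete set of audit rules. Presumably the scripts are now always run as root; if so a comment should say it, e.g. `# Runs at load time and needs root to enumerate every setuid/setgid binary`, or the find could move into the functions that use it.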


@ -17,29 +17,40 @@ HARDENING_LEVEL=3
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Ensure syslog-ng service is activated." DESCRIPTION="Ensure syslog-ng service is activated."
PACKAGE='syslog-ng'
SERVICE_NAME="syslog-ng" SERVICE_NAME="syslog-ng"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
info "Checking if $SERVICE_NAME is enabled" is_pkg_installed "$PACKAGE"
is_service_enabled "$SERVICE_NAME" if [ "$FNRET" != 0 ]; then
if [ "$FNRET" = 0 ]; then crit "$PACKAGE is not installed!"
ok "$SERVICE_NAME is enabled"
else else
crit "$SERVICE_NAME is disabled" info "Checking if $SERVICE_NAME is enabled"
is_service_enabled "$SERVICE_NAME"
if [ "$FNRET" = 0 ]; then
ok "$SERVICE_NAME is enabled"
else
crit "$SERVICE_NAME is disabled"
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
info "Checking if $SERVICE_NAME is enabled" is_pkg_installed "$PACKAGE"
is_service_enabled "$SERVICE_NAME"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
info "Enabling $SERVICE_NAME" crit "$PACKAGE is not installed!"
update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
update-rc.d "$SERVICE_NAME" defaults >/dev/null 2>&1
else else
ok "$SERVICE_NAME is enabled" info "Checking if $SERVICE_NAME is enabled"
is_service_enabled "$SERVICE_NAME"
if [ "$FNRET" != 0 ]; then
info "Enabling $SERVICE_NAME"
update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
update-rc.d "$SERVICE_NAME" defaults >/dev/null 2>&1
else
ok "$SERVICE_NAME is enabled"
fi
fi fi
} }
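Review bot: In apply(), a missing syslog-ng ends with `crit "$PACKAGE is not installed!"` and no remediation, whereas the apparmor apply() hunks in this same commit call `apt_install "$PACKAGE"` when the package is absent; the 5.1.x and 5.2.x syslog-ng sections that follow behave the same way. If not installing is deliberate (a site may run rsyslog instead), a comment such as `# not auto-installed: syslog-ng vs rsyslog is a site decision` would record that; otherwise add the `apt_install "$PACKAGE"` call.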


@ -19,6 +19,7 @@ DESCRIPTION="Create and set permissions on syslog-ng logfiles."
# Note: this is not exacly the same check as the one described in CIS PDF # Note: this is not exacly the same check as the one described in CIS PDF
PACKAGE='syslog-ng'
PERMISSIONS='' PERMISSIONS=''
USER='' USER=''
GROUP='' GROUP=''
@ -26,14 +27,71 @@ EXCEPTIONS=''
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
FILES=$(grep "file(" "$SYSLOG_BASEDIR"/syslog-ng.conf | grep '"' | cut -d'"' -f 2) is_pkg_installed "$PACKAGE"
for FILE in $FILES; do if [ "$FNRET" != 0 ]; then
does_file_exist "$FILE" crit "$PACKAGE is not installed!"
if [ "$FNRET" != 0 ]; then else
warn "$FILE does not exist" FILES=$(grep "file(" "$SYSLOG_BASEDIR"/syslog-ng.conf | grep '"' | cut -d'"' -f 2)
else for FILE in $FILES; do
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist"
else
FOUND_EXC=0
if grep -q "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then
debug "$FILE is found in exceptions"
debug "Setting special user:group:perm"
FOUND_EXC=1
local user_bak="$USER"
local group_bak="$GROUP"
local perm_bak="$PERMISSIONS"
USER="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 2)"
GROUP="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 3)"
PERMISSIONS="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 4)"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership ($USER:$GROUP)"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions ($PERMISSIONS)"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
if [ "$FOUND_EXC" = 1 ]; then
debug "Resetting user:group:perm"
USER="$user_bak"
GROUP="$group_bak"
PERMISSIONS="$perm_bak"
fi
fi
done
fi
}
# This function will be called if the script status is on enabled mode
apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
for FILE in $FILES; do
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
info "$FILE does not exist"
filedir=$(dirname "${FILE#/var/log/}")
if [ ! "$filedir" = "." ] && [ ! -d /var/log/"$filedir" ]; then
debug "Creating /var/log/$filedir for $FILE"
debug "mkdir -p /var/log/$filedir"
mkdir -p /var/log/"$filedir"
fi
touch "$FILE"
fi
FOUND_EXC=0 FOUND_EXC=0
if grep -q "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then if grep "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then
debug "$FILE is found in exceptions" debug "$FILE is found in exceptions"
debug "Setting special user:group:perm" debug "Setting special user:group:perm"
FOUND_EXC=1 FOUND_EXC=1
@ -46,15 +104,17 @@ audit() {
fi fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership ($USER:$GROUP)" ok "$FILE has correct ownership"
else else
crit "$FILE ownership was not set to $USER:$GROUP" warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi fi
has_file_correct_permissions "$FILE" "$PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions ($PERMISSIONS)" ok "$FILE has correct permissions"
else else
crit "$FILE permissions were not set to $PERMISSIONS" info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
fi fi
if [ "$FOUND_EXC" = 1 ]; then if [ "$FOUND_EXC" = 1 ]; then
debug "Resetting user:group:perm" debug "Resetting user:group:perm"
@ -62,57 +122,8 @@ audit() {
GROUP="$group_bak" GROUP="$group_bak"
PERMISSIONS="$perm_bak" PERMISSIONS="$perm_bak"
fi fi
fi done
done fi
}
# This function will be called if the script status is on enabled mode
apply() {
for FILE in $FILES; do
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
info "$FILE does not exist"
filedir=$(dirname "${FILE#/var/log/}")
if [ ! "$filedir" = "." ] && [ ! -d /var/log/"$filedir" ]; then
debug "Creating /var/log/$filedir for $FILE"
debug "mkdir -p /var/log/$filedir"
mkdir -p /var/log/"$filedir"
fi
touch "$FILE"
fi
FOUND_EXC=0
if grep "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then
debug "$FILE is found in exceptions"
debug "Setting special user:group:perm"
FOUND_EXC=1
local user_bak="$USER"
local group_bak="$GROUP"
local perm_bak="$PERMISSIONS"
USER="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 2)"
GROUP="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 3)"
PERMISSIONS="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 4)"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
fi
if [ "$FOUND_EXC" = 1 ]; then
debug "Resetting user:group:perm"
USER="$user_bak"
GROUP="$group_bak"
PERMISSIONS="$perm_bak"
fi
done
} }
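Review bot: The exception lookup in the new audit() body, `grep -q "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1)` and the three `grep "$FILE" | cut` field extractions, matches `$FILE` as an unanchored regex substring, so an exception for `/var/log/mail` also captures `/var/log/mail.log` and applies the exception's user:group:perm to a file it was not meant for; apply() does the same with a `grep` lacking `-q`, which additionally prints the match to stdout. An exact comparison on the path field removes both problems (below). Separately, apply() iterates `for FILE in $FILES` but `FILES` is only assigned inside audit(), so unless the framework always runs audit() before apply() in the same shell, apply() loops over nothing. apply() spans the remaining hunks of this section.
```shell
# Exact match on the path field of "path:user:group:perm" entries
exc_entry=$(tr ' ' '\n' <<<"$EXCEPTIONS" | awk -F: -v f="$FILE" '$1 == f { print; exit }')
if [ -n "$exc_entry" ]; then
    debug "$FILE is found in exceptions"
    # … unchanged: debug / FOUND_EXC=1 / *_bak locals …
    USER=$(cut -d':' -f 2 <<<"$exc_entry")
    GROUP=$(cut -d':' -f 3 <<<"$exc_entry")
    PERMISSIONS=$(cut -d':' -f 4 <<<"$exc_entry")
fi
```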
# This function will create the config file for this check with default values # This function will create the config file for this check with default values


@ -17,40 +17,52 @@ HARDENING_LEVEL=3
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Configure syslog-ng to send logs to a remote log host." DESCRIPTION="Configure syslog-ng to send logs to a remote log host."
PACKAGE='syslog-ng'
PATTERN='destination[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]+\".' PATTERN='destination[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]+\".'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
FOUND=0 is_pkg_installed "$PACKAGE"
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)" if [ "$FNRET" != 0 ]; then
for FILE in $FILES; do crit "$PACKAGE is not installed!"
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
FOUND=1
fi
done
if [ "$FOUND" = 1 ]; then
ok "$PATTERN is present in $FILES"
else else
crit "$PATTERN is not present in $FILES" FOUND=0
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
for FILE in $FILES; do
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
FOUND=1
fi
done
if [ "$FOUND" = 1 ]; then
ok "$PATTERN is present in $FILES"
else
crit "$PATTERN is not present in $FILES"
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
FOUND=0 is_pkg_installed "$PACKAGE"
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)" if [ "$FNRET" != 0 ]; then
for FILE in $FILES; do crit "$PACKAGE is not installed!"
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
FOUND=1
fi
done
if [ "$FOUND" = 1 ]; then
ok "$PATTERN is present in $FILES"
else else
crit "$PATTERN is not present in $FILES, please set a remote host to send your logs" FOUND=0
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
for FILE in $FILES; do
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
FOUND=1
fi
done
if [ "$FOUND" = 1 ]; then
ok "$PATTERN is present in $FILES"
else
crit "$PATTERN is not present in $FILES, please set a remote host to send your logs"
fi
fi fi
} }
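Review bot: audit() still runs `$SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f` while apply() in the same file runs `find` bare, although the commit description says the useless SUDO_CMD was removed; the next section (the source-pattern check) has the same asymmetry. If audit mode is meant to work unprivileged that is fine, but apply() then assumes root for the bare `find` and the config reads — a one-line comment above each would make the intent explicit. `FILES` is also a whitespace-split string, so a conf.d file name containing a space would be split into two bogus paths.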


@ -17,64 +17,74 @@ HARDENING_LEVEL=3
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Configure syslog to accept remote syslog messages only on designated log hosts." DESCRIPTION="Configure syslog to accept remote syslog messages only on designated log hosts."
PACKAGE='syslog-ng'
REMOTE_HOST="" REMOTE_HOST=""
PATTERN='source[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]+\".' PATTERN='source[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]+\".'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
FOUND=0 is_pkg_installed "$PACKAGE"
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)" if [ "$FNRET" != 0 ]; then
for FILE in $FILES; do crit "$PACKAGE is not installed!"
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
FOUND=1
fi
done
if [[ "$REMOTE_HOST" ]]; then
info "This is the remote host, checking that it only accepts logs from specified zone"
if [ "$FOUND" = 1 ]; then
ok "$PATTERN is present in $FILES"
else
crit "$PATTERN is not present in $FILES"
fi
else else
info "This is the not the remote host checking that it doesn't accept remote logs" FOUND=0
if [ "$FOUND" = 1 ]; then FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
crit "$PATTERN is present in $FILES" for FILE in $FILES; do
else does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
ok "$PATTERN is not present in $FILES" if [ "$FNRET" = 0 ]; then
fi FOUND=1
fi
done
if [[ "$REMOTE_HOST" ]]; then
info "This is the remote host, checking that it only accepts logs from specified zone"
if [ "$FOUND" = 1 ]; then
ok "$PATTERN is present in $FILES"
else
crit "$PATTERN is not present in $FILES"
fi
else
info "This is the not the remote host checking that it doesn't accept remote logs"
if [ "$FOUND" = 1 ]; then
crit "$PATTERN is present in $FILES"
else
ok "$PATTERN is not present in $FILES"
fi
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
FOUND=0 is_pkg_installed "$PACKAGE"
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)" if [ "$FNRET" != 0 ]; then
for FILE in $FILES; do crit "$PACKAGE is not installed!"
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
FOUND=1
fi
done
if [[ "$REMOTE_HOST" ]]; then
info "This is the remote host, checking that it only accepts logs from specified zone"
if [ "$FOUND" = 1 ]; then
ok "$PATTERN is present in $FILES"
else
crit "$PATTERN is not present in $FILES, setup the machine to receive the logs"
fi
else else
info "This is the not the remote host checking that it doesn't accept remote logs" FOUND=0
if [ "$FOUND" = 1 ]; then FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
warn "$PATTERN is present in $FILES, " for FILE in $FILES; do
else does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
ok "$PATTERN is not present in $FILES" if [ "$FNRET" = 0 ]; then
fi FOUND=1
fi
done
if [[ "$REMOTE_HOST" ]]; then
info "This is the remote host, checking that it only accepts logs from specified zone"
if [ "$FOUND" = 1 ]; then
ok "$PATTERN is present in $FILES"
else
crit "$PATTERN is not present in $FILES, setup the machine to receive the logs"
fi
else
info "This is the not the remote host checking that it doesn't accept remote logs"
if [ "$FOUND" = 1 ]; then
warn "$PATTERN is present in $FILES, "
else
ok "$PATTERN is not present in $FILES"
fi
fi
fi fi
} }


@ -27,18 +27,19 @@ audit() {
does_file_exist "$FILE" does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else else
crit "$FILE ownership was not set to $USER:$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
fi if [ "$FNRET" = 0 ]; then
has_file_correct_permissions "$FILE" "$PERMISSIONS" ok "$FILE has correct ownership"
if [ "$FNRET" = 0 ]; then else
ok "$FILE has correct permissions" crit "$FILE ownership was not set to $USER:$GROUP"
else fi
crit "$FILE permissions were not set to $PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
fi fi
} }
@ -48,20 +49,21 @@ apply() {
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
info "$FILE does not exist" info "$FILE does not exist"
touch "$FILE" touch "$FILE"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else else
warn "fixing $FILE ownership to $USER:$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
chown "$USER":"$GROUP" "$FILE" if [ "$FNRET" = 0 ]; then
fi ok "$FILE has correct ownership"
has_file_correct_permissions "$FILE" "$PERMISSIONS" else
if [ "$FNRET" = 0 ]; then warn "fixing $FILE ownership to $USER:$GROUP"
ok "$FILE has correct permissions" chown "$USER":"$GROUP" "$FILE"
else fi
info "fixing $FILE permissions to $PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE" if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
fi
fi fi
} }
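Review bot: In apply(), moving the ownership and permission handling into the `else` of the `does_file_exist` test means a file that did not exist is `touch`ed and then left with the creating umask's mode and the running user's ownership — `chown`/`chmod` now run only for files that already existed, so the first apply run creates the log file but does not secure it, whereas the old code fell through to the checks after `touch`. The two following file sections have the same structure. The fix is to close the `if` right after `touch "$FILE"` and keep the `has_file_correct_ownership` … `chmod 0"$PERMISSIONS"` block unconditional, as before the commit. The audit() change is fine, since there is nothing to check on a missing file.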


@ -27,18 +27,19 @@ audit() {
does_file_exist "$FILE" does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else else
crit "$FILE ownership was not set to $USER:$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
fi if [ "$FNRET" = 0 ]; then
has_file_correct_permissions "$FILE" "$PERMISSIONS" ok "$FILE has correct ownership"
if [ "$FNRET" = 0 ]; then else
ok "$FILE has correct permissions" crit "$FILE ownership was not set to $USER:$GROUP"
else fi
crit "$FILE permissions were not set to $PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
fi fi
} }
@ -48,20 +49,21 @@ apply() {
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
info "$FILE does not exist" info "$FILE does not exist"
touch "$FILE" touch "$FILE"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else else
warn "fixing $FILE ownership to $USER:$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
chown "$USER":"$GROUP" "$FILE" if [ "$FNRET" = 0 ]; then
fi ok "$FILE has correct ownership"
has_file_correct_permissions "$FILE" "$PERMISSIONS" else
if [ "$FNRET" = 0 ]; then warn "fixing $FILE ownership to $USER:$GROUP"
ok "$FILE has correct permissions" chown "$USER":"$GROUP" "$FILE"
else fi
info "fixing $FILE permissions to $PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE" if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
fi
fi fi
} }


@ -27,18 +27,19 @@ audit() {
does_file_exist "$FILE" does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else else
crit "$FILE ownership was not set to $USER:$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
fi if [ "$FNRET" = 0 ]; then
has_file_correct_permissions "$FILE" "$PERMISSIONS" ok "$FILE has correct ownership"
if [ "$FNRET" = 0 ]; then else
ok "$FILE has correct permissions" crit "$FILE ownership was not set to $USER:$GROUP"
else fi
crit "$FILE permissions were not set to $PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
fi fi
} }
@ -48,20 +49,21 @@ apply() {
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
info "$FILE does not exist" info "$FILE does not exist"
touch "$FILE" touch "$FILE"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else else
warn "fixing $FILE ownership to $USER:$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
chown "$USER":"$GROUP" "$FILE" if [ "$FNRET" = 0 ]; then
fi ok "$FILE has correct ownership"
has_file_correct_permissions "$FILE" "$PERMISSIONS" else
if [ "$FNRET" = 0 ]; then warn "fixing $FILE ownership to $USER:$GROUP"
ok "$FILE has correct permissions" chown "$USER":"$GROUP" "$FILE"
else fi
info "fixing $FILE permissions to $PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE" if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
fi
fi fi
} }


@ -27,18 +27,19 @@ audit() {
does_file_exist "$FILE" does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else else
crit "$FILE ownership was not set to $USER:$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
fi if [ "$FNRET" = 0 ]; then
has_file_correct_permissions "$FILE" "$PERMISSIONS" ok "$FILE has correct ownership"
if [ "$FNRET" = 0 ]; then else
ok "$FILE has correct permissions" crit "$FILE ownership was not set to $USER:$GROUP"
else fi
crit "$FILE permissions were not set to $PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
fi fi
} }
@ -48,20 +49,21 @@ apply() {
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
info "$FILE does not exist" info "$FILE does not exist"
touch "$FILE" touch "$FILE"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else else
warn "fixing $FILE ownership to $USER:$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
chown "$USER":"$GROUP" "$FILE" if [ "$FNRET" = 0 ]; then
fi ok "$FILE has correct ownership"
has_file_correct_permissions "$FILE" "$PERMISSIONS" else
if [ "$FNRET" = 0 ]; then warn "fixing $FILE ownership to $USER:$GROUP"
ok "$FILE has correct permissions" chown "$USER":"$GROUP" "$FILE"
else fi
info "fixing $FILE permissions to $PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE" if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
fi
fi fi
} }


@ -27,18 +27,19 @@ audit() {
does_file_exist "$FILE" does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else else
crit "$FILE ownership was not set to $USER:$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
fi if [ "$FNRET" = 0 ]; then
has_file_correct_permissions "$FILE" "$PERMISSIONS" ok "$FILE has correct ownership"
if [ "$FNRET" = 0 ]; then else
ok "$FILE has correct permissions" crit "$FILE ownership was not set to $USER:$GROUP"
else fi
crit "$FILE permissions were not set to $PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
fi fi
} }
@ -48,20 +49,21 @@ apply() {
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
info "$FILE does not exist" info "$FILE does not exist"
touch "$FILE" touch "$FILE"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else else
warn "fixing $FILE ownership to $USER:$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
chown "$USER":"$GROUP" "$FILE" if [ "$FNRET" = 0 ]; then
fi ok "$FILE has correct ownership"
has_file_correct_permissions "$FILE" "$PERMISSIONS" else
if [ "$FNRET" = 0 ]; then warn "fixing $FILE ownership to $USER:$GROUP"
ok "$FILE has correct permissions" chown "$USER":"$GROUP" "$FILE"
else fi
info "fixing $FILE permissions to $PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE" if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
fi
fi fi
} }


@ -17,6 +17,7 @@ HARDENING_LEVEL=1
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Checking permissions and ownership to root 600 for sshd_config." DESCRIPTION="Checking permissions and ownership to root 600 for sshd_config."
PACKAGE='openssh-server'
FILE='/etc/ssh/sshd_config' FILE='/etc/ssh/sshd_config'
PERMISSIONS='600' PERMISSIONS='600'
USER='root' USER='root'
@ -24,40 +25,50 @@ GROUP='root'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
has_file_correct_ownership "$FILE" "$USER" "$GROUP" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" != 0 ]; then
ok "$FILE has correct ownership" ok "$PACKAGE is not installed!"
else else
crit "$FILE ownership was not set to $USER:$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
fi if [ "$FNRET" = 0 ]; then
has_file_correct_permissions "$FILE" "$PERMISSIONS" ok "$FILE has correct ownership"
if [ "$FNRET" = 0 ]; then else
ok "$FILE has correct permissions" crit "$FILE ownership was not set to $USER:$GROUP"
else fi
crit "$FILE permissions were not set to $PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
does_file_exist "$FILE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
info "$FILE does not exist" ok "$PACKAGE is not installed"
touch "$FILE"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else else
warn "fixing $FILE ownership to $USER:$GROUP" does_file_exist "$FILE"
chown "$USER":"$GROUP" "$FILE" if [ "$FNRET" != 0 ]; then
fi info "$FILE does not exist"
has_file_correct_permissions "$FILE" "$PERMISSIONS" touch "$FILE"
if [ "$FNRET" = 0 ]; then fi
ok "$FILE has correct permissions" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
else if [ "$FNRET" = 0 ]; then
info "fixing $FILE permissions to $PERMISSIONS" ok "$FILE has correct ownership"
chmod 0"$PERMISSIONS" "$FILE" else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
fi
fi fi
} }
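Review bot: The two new package-missing branches report the same condition with different wording: audit() prints `ok "$PACKAGE is not installed!"` while apply() prints `ok "$PACKAGE is not installed"`; pick one form (the apply() one reads better) so log parsing and the other package-gated checks in this commit stay consistent. Gating the whole check on `is_pkg_installed "$PACKAGE"` also means an `/etc/ssh/sshd_config` that exists without the Debian package (a locally built sshd, if that happens in this fleet) is never inspected; if that is intended, a one-line comment above the call such as `# sshd_config is only hardened when openssh-server is installed; other sshd builds are out of scope` would make the scope explicit.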


@ -24,22 +24,36 @@ GROUP='root'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
has_file_correct_permissions "$FILE" "$PERMISSIONS" does_file_exist "$FILE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" != 0 ]; then
ok "$FILE has correct permissions" crit "$FILE does not exist"
else else
crit "$FILE permissions were not set to $PERMISSIONS" ok "$FILE exist"
fi has_file_correct_permissions "$FILE" "$PERMISSIONS"
has_file_correct_ownership "$FILE" "$USER" "$GROUP" if [ "$FNRET" = 0 ]; then
if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions"
ok "$FILE has correct ownership" else
else crit "$FILE permissions were not set to $PERMISSIONS"
crit "$FILE ownership was not set to $USER:$GROUP" fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist"
touch "$FILE"
warn "You may want to fill it with allowed networks"
else
ok "$FILE exist"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
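Review bot: The new status message `ok "$FILE exist"`, added in both audit() and apply(), should read `ok "$FILE exists"`; the same string is added in the following file section. Otherwise the ordering in apply() is right: the file is created (with the warning about filling it) before the permission and ownership checks, so a newly created file is hardened in the same run. apply() continues past the end of the hunk.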


@ -24,22 +24,36 @@ GROUP='root'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
has_file_correct_permissions "$FILE" "$PERMISSIONS" does_file_exist "$FILE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" != 0 ]; then
ok "$FILE has correct permissions" crit "$FILE does not exist"
else else
crit "$FILE permissions were not set to $PERMISSIONS" ok "$FILE exist"
fi has_file_correct_permissions "$FILE" "$PERMISSIONS"
has_file_correct_ownership "$FILE" "$USER" "$GROUP" if [ "$FNRET" = 0 ]; then
if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions"
ok "$FILE has correct ownership" else
else crit "$FILE permissions were not set to $PERMISSIONS"
crit "$FILE ownership was not set to $USER:$GROUP" fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist"
touch "$FILE"
warn "You may want to fill it with allowed networks"
else
ok "$FILE exist"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"