mirror of
https://github.com/ovh/debian-cis.git
synced 2024-11-22 05:27:01 +01:00
Check that package are installed before launching check (#69)
* FIX(1.6.1,1.7.1.x): check if apparmor and grub is installed * FIX(2.2.15): check package install * FIX(4.2.x): check package install * FIX(5.1.x): check crontab files exist * FIX(5.2.1): check package install * FIX(99.3.3.x): check conf file exist * Remove useless SUDO_CMD * Deal with non existant /run/shm * Replace exit code 128 by exit code 2 fix #65 Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
This commit is contained in:
Thibault Ayanides
GitHub
parent
f8ac58700d
commit
1c51e4cec4
@ -24,7 +24,11 @@ OPTION="nodev"
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
if [ -e "$PARTITION" ]; then
|
||||
PARTITION=$(readlink -e "$PARTITION")
|
||||
else
|
||||
PARTITION="/dev/shm"
|
||||
fi
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
|
||||
@ -24,7 +24,11 @@ OPTION="nosuid"
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
if [ -e "$PARTITION" ]; then
|
||||
PARTITION=$(readlink -e "$PARTITION")
|
||||
else
|
||||
PARTITION="/dev/shm"
|
||||
fi
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
|
||||
@ -24,7 +24,11 @@ OPTION="noexec"
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
if [ -e "$PARTITION" ]; then
|
||||
PARTITION=$(readlink -e "$PARTITION")
|
||||
else
|
||||
PARTITION="/dev/shm"
|
||||
fi
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
if [ "$FNRET" -gt 0 ]; then
|
||||
|
||||
@ -66,22 +66,22 @@ check_config() {
|
||||
is_pkg_installed "grub-pc"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "Grub is not installed, not handling configuration"
|
||||
exit 128
|
||||
exit 2
|
||||
fi
|
||||
does_user_exist "$USER"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$USER does not exist"
|
||||
exit 128
|
||||
exit 2
|
||||
fi
|
||||
does_group_exist "$GROUP"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$GROUP does not exist"
|
||||
exit 128
|
||||
exit 2
|
||||
fi
|
||||
does_file_exist "$FILE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
exit 128
|
||||
exit 2
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
@ -51,7 +51,6 @@ apply() {
|
||||
else
|
||||
ok "$PWD_PATTERN is present in $FILE"
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
@ -59,11 +58,11 @@ check_config() {
|
||||
is_pkg_installed "grub-pc"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "grub-pc is not installed, not handling configuration"
|
||||
exit 128
|
||||
exit 2
|
||||
fi
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
exit 128
|
||||
exit 2
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
@ -38,7 +38,6 @@ apply() {
|
||||
else
|
||||
ok "$PATTERN is not present in $FILE"
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
|
||||
@ -35,6 +35,9 @@ nx_supported_and_enabled() {
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
if [ "$IS_CONTAINER" -eq 1 ]; then
|
||||
ok "Container detected, cannot read dmesg!"
|
||||
else
|
||||
does_pattern_exist_in_dmesg "$PATTERN"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
nx_supported_and_enabled
|
||||
@ -46,10 +49,14 @@ audit() {
|
||||
else
|
||||
ok "$PATTERN is present in dmesg"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
if [ "$IS_CONTAINER" -eq 1 ]; then
|
||||
ok "Container detected, cannot read dmesg!"
|
||||
else
|
||||
does_pattern_exist_in_dmesg "$PATTERN"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
nx_supported_and_enabled
|
||||
@ -61,6 +68,7 @@ apply() {
|
||||
else
|
||||
ok "$PATTERN is present in dmesg"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
|
||||
@ -21,15 +21,27 @@ PACKAGES='apparmor apparmor-utils'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
ERROR=0
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PACKAGE is absent!"
|
||||
ERROR=1
|
||||
else
|
||||
ok "$PACKAGE is installed"
|
||||
fi
|
||||
done
|
||||
|
||||
if [ "$ERROR" = 0 ]; then
|
||||
is_pkg_installed "grub-pc"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
if [ "$IS_CONTAINER" -eq 1 ]; then
|
||||
ok "Grub is not installed in container"
|
||||
else
|
||||
warn "Grub is not installed"
|
||||
exit 128
|
||||
fi
|
||||
else
|
||||
ERROR=0
|
||||
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
|
||||
|
||||
@ -48,6 +60,8 @@ audit() {
|
||||
ok "$PACKAGES are configured"
|
||||
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
@ -62,6 +76,14 @@ apply() {
|
||||
fi
|
||||
done
|
||||
|
||||
is_pkg_installed "grub-pc"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
if [ "$IS_CONTAINER" -eq 1 ]; then
|
||||
ok "Grub is not installed in container"
|
||||
else
|
||||
warn "You should use grub. Install it yourself"
|
||||
fi
|
||||
else
|
||||
ERROR=0
|
||||
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
|
||||
|
||||
@ -83,6 +105,7 @@ apply() {
|
||||
else
|
||||
ok "$PACKAGES are configured"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
|
||||
@ -21,15 +21,17 @@ PACKAGES='apparmor apparmor-utils'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
ERROR=0
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PACKAGE is absent!"
|
||||
ERROR=1
|
||||
else
|
||||
ok "$PACKAGE is installed"
|
||||
fi
|
||||
done
|
||||
|
||||
if [ "$ERROR" = 0 ]; then
|
||||
RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
|
||||
|
||||
if [ -n "$RESULT_UNCONFINED" ]; then
|
||||
@ -38,6 +40,7 @@ audit() {
|
||||
else
|
||||
crit "Some processes are unconfined while they have defined profile"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
@ -46,6 +49,7 @@ apply() {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PACKAGES is absent!"
|
||||
apt_install "$PACKAGE"
|
||||
else
|
||||
ok "$PACKAGE is installed"
|
||||
fi
|
||||
|
||||
@ -21,15 +21,17 @@ PACKAGES='apparmor apparmor-utils'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
ERROR=0
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PACKAGE is absent!"
|
||||
ERROR=1
|
||||
else
|
||||
ok "$PACKAGE is installed"
|
||||
fi
|
||||
done
|
||||
|
||||
if [ "$ERROR" = 0 ]; then
|
||||
RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
|
||||
RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode.")
|
||||
|
||||
@ -44,6 +46,7 @@ audit() {
|
||||
else
|
||||
crit "Some processes are in complain mode"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
@ -52,6 +55,7 @@ apply() {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PACKAGE is absent!"
|
||||
apt_install "$PACKAGE"
|
||||
else
|
||||
ok "$PACKAGE is installed"
|
||||
fi
|
||||
|
||||
@ -21,6 +21,11 @@ HARDENING_EXCEPTION=mail
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
is_pkg_installed net-tools
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "netsat not installed, cannot execute check"
|
||||
exit 2
|
||||
else
|
||||
info "Checking netport ports opened"
|
||||
RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || :
|
||||
RESULT=${RESULT:-}
|
||||
@ -35,10 +40,16 @@ audit() {
|
||||
crit "MTA listens worldwide"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
is_pkg_installed net-tools
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "netsat not installed, cannot execute check"
|
||||
exit 2
|
||||
else
|
||||
info "Checking netport ports opened"
|
||||
RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || :
|
||||
RESULT=${RESULT:-}
|
||||
@ -53,7 +64,7 @@ apply() {
|
||||
warn "MTA listens worldwide, correct this considering your MTA"
|
||||
fi
|
||||
fi
|
||||
:
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
|
||||
@ -18,8 +18,7 @@ HARDENING_LEVEL=4
|
||||
DESCRIPTION="Collect use of privileged commands."
|
||||
|
||||
# Find all files with setuid or setgid set
|
||||
SUDO_CMD='sudo -n'
|
||||
AUDIT_PARAMS=$($SUDO_CMD find / -xdev \( -perm -4000 -o -perm -2000 \) -type f |
|
||||
AUDIT_PARAMS=$(find / -xdev \( -perm -4000 -o -perm -2000 \) -type f |
|
||||
awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }')
|
||||
FILE='/etc/audit/audit.rules'
|
||||
|
||||
|
||||
@ -17,10 +17,15 @@ HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Ensure syslog-ng service is activated."
|
||||
|
||||
PACKAGE='syslog-ng'
|
||||
SERVICE_NAME="syslog-ng"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PACKAGE is not installed!"
|
||||
else
|
||||
info "Checking if $SERVICE_NAME is enabled"
|
||||
is_service_enabled "$SERVICE_NAME"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
@ -28,10 +33,15 @@ audit() {
|
||||
else
|
||||
crit "$SERVICE_NAME is disabled"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PACKAGE is not installed!"
|
||||
else
|
||||
info "Checking if $SERVICE_NAME is enabled"
|
||||
is_service_enabled "$SERVICE_NAME"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
@ -41,6 +51,7 @@ apply() {
|
||||
else
|
||||
ok "$SERVICE_NAME is enabled"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
|
||||
@ -19,6 +19,7 @@ DESCRIPTION="Create and set permissions on syslog-ng logfiles."
|
||||
|
||||
# Note: this is not exacly the same check as the one described in CIS PDF
|
||||
|
||||
PACKAGE='syslog-ng'
|
||||
PERMISSIONS=''
|
||||
USER=''
|
||||
GROUP=''
|
||||
@ -26,6 +27,10 @@ EXCEPTIONS=''
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PACKAGE is not installed!"
|
||||
else
|
||||
FILES=$(grep "file(" "$SYSLOG_BASEDIR"/syslog-ng.conf | grep '"' | cut -d'"' -f 2)
|
||||
for FILE in $FILES; do
|
||||
does_file_exist "$FILE"
|
||||
@ -64,10 +69,15 @@ audit() {
|
||||
fi
|
||||
fi
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PACKAGE is not installed!"
|
||||
else
|
||||
for FILE in $FILES; do
|
||||
does_file_exist "$FILE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
@ -113,6 +123,7 @@ apply() {
|
||||
PERMISSIONS="$perm_bak"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will create the config file for this check with default values
|
||||
|
||||
@ -17,10 +17,16 @@ HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Configure syslog-ng to send logs to a remote log host."
|
||||
|
||||
PACKAGE='syslog-ng'
|
||||
|
||||
PATTERN='destination[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]+\".'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PACKAGE is not installed!"
|
||||
else
|
||||
FOUND=0
|
||||
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
|
||||
for FILE in $FILES; do
|
||||
@ -35,10 +41,15 @@ audit() {
|
||||
else
|
||||
crit "$PATTERN is not present in $FILES"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PACKAGE is not installed!"
|
||||
else
|
||||
FOUND=0
|
||||
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
|
||||
for FILE in $FILES; do
|
||||
@ -52,6 +63,7 @@ apply() {
|
||||
else
|
||||
crit "$PATTERN is not present in $FILES, please set a remote host to send your logs"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will create the config file for this check with default values
|
||||
|
||||
@ -17,11 +17,17 @@ HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Configure syslog to accept remote syslog messages only on designated log hosts."
|
||||
|
||||
PACKAGE='syslog-ng'
|
||||
|
||||
REMOTE_HOST=""
|
||||
PATTERN='source[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]+\".'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PACKAGE is not installed!"
|
||||
else
|
||||
FOUND=0
|
||||
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
|
||||
for FILE in $FILES; do
|
||||
@ -45,12 +51,16 @@ audit() {
|
||||
else
|
||||
ok "$PATTERN is not present in $FILES"
|
||||
fi
|
||||
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PACKAGE is not installed!"
|
||||
else
|
||||
FOUND=0
|
||||
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
|
||||
for FILE in $FILES; do
|
||||
@ -74,7 +84,7 @@ apply() {
|
||||
else
|
||||
ok "$PATTERN is not present in $FILES"
|
||||
fi
|
||||
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
@ -27,7 +27,7 @@ audit() {
|
||||
does_file_exist "$FILE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
fi
|
||||
else
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
@ -40,6 +40,7 @@ audit() {
|
||||
else
|
||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
@ -48,7 +49,7 @@ apply() {
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
info "$FILE does not exist"
|
||||
touch "$FILE"
|
||||
fi
|
||||
else
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
@ -63,6 +64,7 @@ apply() {
|
||||
info "fixing $FILE permissions to $PERMISSIONS"
|
||||
chmod 0"$PERMISSIONS" "$FILE"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
|
||||
@ -27,7 +27,7 @@ audit() {
|
||||
does_file_exist "$FILE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
fi
|
||||
else
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
@ -40,6 +40,7 @@ audit() {
|
||||
else
|
||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
@ -48,7 +49,7 @@ apply() {
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
info "$FILE does not exist"
|
||||
touch "$FILE"
|
||||
fi
|
||||
else
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
@ -63,6 +64,7 @@ apply() {
|
||||
info "fixing $FILE permissions to $PERMISSIONS"
|
||||
chmod 0"$PERMISSIONS" "$FILE"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
|
||||
@ -27,7 +27,7 @@ audit() {
|
||||
does_file_exist "$FILE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
fi
|
||||
else
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
@ -40,6 +40,7 @@ audit() {
|
||||
else
|
||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
@ -48,7 +49,7 @@ apply() {
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
info "$FILE does not exist"
|
||||
touch "$FILE"
|
||||
fi
|
||||
else
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
@ -63,6 +64,7 @@ apply() {
|
||||
info "fixing $FILE permissions to $PERMISSIONS"
|
||||
chmod 0"$PERMISSIONS" "$FILE"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
|
||||
@ -27,7 +27,7 @@ audit() {
|
||||
does_file_exist "$FILE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
fi
|
||||
else
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
@ -40,6 +40,7 @@ audit() {
|
||||
else
|
||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
@ -48,7 +49,7 @@ apply() {
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
info "$FILE does not exist"
|
||||
touch "$FILE"
|
||||
fi
|
||||
else
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
@ -63,6 +64,7 @@ apply() {
|
||||
info "fixing $FILE permissions to $PERMISSIONS"
|
||||
chmod 0"$PERMISSIONS" "$FILE"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
|
||||
@ -27,7 +27,7 @@ audit() {
|
||||
does_file_exist "$FILE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
fi
|
||||
else
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
@ -40,6 +40,7 @@ audit() {
|
||||
else
|
||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
@ -48,7 +49,7 @@ apply() {
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
info "$FILE does not exist"
|
||||
touch "$FILE"
|
||||
fi
|
||||
else
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
@ -63,6 +64,7 @@ apply() {
|
||||
info "fixing $FILE permissions to $PERMISSIONS"
|
||||
chmod 0"$PERMISSIONS" "$FILE"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
|
||||
@ -17,6 +17,7 @@ HARDENING_LEVEL=1
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Checking permissions and ownership to root 600 for sshd_config."
|
||||
|
||||
PACKAGE='openssh-server'
|
||||
FILE='/etc/ssh/sshd_config'
|
||||
PERMISSIONS='600'
|
||||
USER='root'
|
||||
@ -24,6 +25,10 @@ GROUP='root'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
ok "$PACKAGE is not installed!"
|
||||
else
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
@ -36,10 +41,15 @@ audit() {
|
||||
else
|
||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
ok "$PACKAGE is not installed"
|
||||
else
|
||||
does_file_exist "$FILE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
info "$FILE does not exist"
|
||||
@ -59,6 +69,7 @@ apply() {
|
||||
info "fixing $FILE permissions to $PERMISSIONS"
|
||||
chmod 0"$PERMISSIONS" "$FILE"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
|
||||
@ -24,6 +24,11 @@ GROUP='root'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
does_file_exist "$FILE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
else
|
||||
ok "$FILE exist"
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
@ -36,10 +41,19 @@ audit() {
|
||||
else
|
||||
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
does_file_exist "$FILE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "$FILE does not exist"
|
||||
touch "$FILE"
|
||||
warn "You may want to fill it with allowed networks"
|
||||
else
|
||||
ok "$FILE exist"
|
||||
fi
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
|
||||
@ -24,6 +24,11 @@ GROUP='root'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
does_file_exist "$FILE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
else
|
||||
ok "$FILE exist"
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
@ -36,10 +41,19 @@ audit() {
|
||||
else
|
||||
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
does_file_exist "$FILE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "$FILE does not exist"
|
||||
touch "$FILE"
|
||||
warn "You may want to fill it with allowed networks"
|
||||
else
|
||||
ok "$FILE exist"
|
||||
fi
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
|
||||
Loading…
Reference in New Issue
Block a user