elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2024-11-22 05:27:01 +01:00
Code Issues Packages Projects Releases Wiki Activity

Check that package are installed before launching check (#69)

Browse Source 
* FIX(1.6.1,1.7.1.x): check if apparmor and grub is installed

* FIX(2.2.15): check package install

* FIX(4.2.x): check package install

* FIX(5.1.x): check crontab files exist

* FIX(5.2.1): check package install

* FIX(99.3.3.x): check conf file exist

* Remove useless SUDO_CMD

* Deal with non existant /run/shm

* Replace exit code 128 by exit code 2

fix #65

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>
This commit is contained in:
Thibault Ayanides 2021-03-25 14:01:57 +01:00 committed by GitHub
parent f8ac58700d
commit 1c51e4cec4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
24 changed files with 561 additions and 409 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
bin/hardening/1.1.15_run_shm_nodev.sh
View File

@ -24,7 +24,11 @@ OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
PARTITION=$(readlink -e "$PARTITION")
if [ -e "$PARTITION" ]; then
PARTITION=$(readlink -e "$PARTITION")
else
PARTITION="/dev/shm"
fi
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then

6
bin/hardening/1.1.16_run_shm_nosuid.sh
View File

@ -24,7 +24,11 @@ OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
PARTITION=$(readlink -e "$PARTITION")
if [ -e "$PARTITION" ]; then
PARTITION=$(readlink -e "$PARTITION")
else
PARTITION="/dev/shm"
fi
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then

6
bin/hardening/1.1.17_run_shm_noexec.sh
View File

@ -24,7 +24,11 @@ OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Verifying that $PARTITION is a partition"
PARTITION=$(readlink -e "$PARTITION")
if [ -e "$PARTITION" ]; then
PARTITION=$(readlink -e "$PARTITION")
else
PARTITION="/dev/shm"
fi
FNRET=0
is_a_partition "$PARTITION"
if [ "$FNRET" -gt 0 ]; then

8
bin/hardening/1.5.1_bootloader_ownership.sh
View File

@ -66,22 +66,22 @@ check_config() {
is_pkg_installed "grub-pc"
if [ "$FNRET" != 0 ]; then
warn "Grub is not installed, not handling configuration"
exit 128
exit 2
fi
does_user_exist "$USER"
if [ "$FNRET" != 0 ]; then
crit "$USER does not exist"
exit 128
exit 2
fi
does_group_exist "$GROUP"
if [ "$FNRET" != 0 ]; then
crit "$GROUP does not exist"
exit 128
exit 2
fi
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
exit 128
exit 2
fi
}

5
bin/hardening/1.5.2_bootloader_password.sh
View File

@ -51,7 +51,6 @@ apply() {
else
ok "$PWD_PATTERN is present in $FILE"
fi
:
}
# This function will check config parameters required
@ -59,11 +58,11 @@ check_config() {
is_pkg_installed "grub-pc"
if [ "$FNRET" != 0 ]; then
warn "grub-pc is not installed, not handling configuration"
exit 128
exit 2
fi
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
exit 128
exit 2
fi
}

1
bin/hardening/1.5.3_root_password.sh
View File

@ -38,7 +38,6 @@ apply() {
else
ok "$PATTERN is not present in $FILE"
fi
:
}
# This function will check config parameters required

44
bin/hardening/1.6.1_enable_nx_support.sh
View File

@ -35,31 +35,39 @@ nx_supported_and_enabled() {
# This function will be called if the script status is on enabled / audit mode
audit() {
does_pattern_exist_in_dmesg "$PATTERN"
if [ "$FNRET" != 0 ]; then
nx_supported_and_enabled
if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
else
ok "NX is supported and enabled"
fi
if [ "$IS_CONTAINER" -eq 1 ]; then
ok "Container detected, cannot read dmesg!"
else
ok "$PATTERN is present in dmesg"
does_pattern_exist_in_dmesg "$PATTERN"
if [ "$FNRET" != 0 ]; then
nx_supported_and_enabled
if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
else
ok "NX is supported and enabled"
fi
else
ok "$PATTERN is present in dmesg"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
does_pattern_exist_in_dmesg "$PATTERN"
if [ "$FNRET" != 0 ]; then
nx_supported_and_enabled
if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
else
ok "NX is supported and enabled"
fi
if [ "$IS_CONTAINER" -eq 1 ]; then
ok "Container detected, cannot read dmesg!"
else
ok "$PATTERN is present in dmesg"
does_pattern_exist_in_dmesg "$PATTERN"
if [ "$FNRET" != 0 ]; then
nx_supported_and_enabled
if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
else
ok "NX is supported and enabled"
fi
else
ok "$PATTERN is present in dmesg"
fi
fi
}

89
bin/hardening/1.7.1.2_enable_apparmor.sh
View File

@ -21,32 +21,46 @@ PACKAGES='apparmor apparmor-utils'
# This function will be called if the script status is on enabled / audit mode
audit() {
ERROR=0
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is absent!"
ERROR=1
else
ok "$PACKAGE is installed"
fi
done
ERROR=0
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for line in $RESULT; do
if [[ ! "$line" =~ "apparmor=1" ]] || [[ ! "$line" =~ "security=apparmor" ]]; then
crit "$line is not configured"
ERROR=1
fi
done
IFS=$d_IFS
if [ "$ERROR" = 0 ]; then
ok "$PACKAGES are configured"
is_pkg_installed "grub-pc"
if [ "$FNRET" != 0 ]; then
if [ "$IS_CONTAINER" -eq 1 ]; then
ok "Grub is not installed in container"
else
warn "Grub is not installed"
exit 128
fi
else
ERROR=0
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for line in $RESULT; do
if [[ ! "$line" =~ "apparmor=1" ]] || [[ ! "$line" =~ "security=apparmor" ]]; then
crit "$line is not configured"
ERROR=1
fi
done
IFS=$d_IFS
if [ "$ERROR" = 0 ]; then
ok "$PACKAGES are configured"
fi
fi
fi
}
@ -62,26 +76,35 @@ apply() {
fi
done
ERROR=0
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for line in $RESULT; do
if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
crit "$line is not configured"
ERROR=1
is_pkg_installed "grub-pc"
if [ "$FNRET" != 0 ]; then
if [ "$IS_CONTAINER" -eq 1 ]; then
ok "Grub is not installed in container"
else
warn "You should use grub. Install it yourself"
fi
done
IFS=$d_IFS
if [ $ERROR = 1 ]; then
$SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor /" /etc/default/grub
$SUDO_CMD update-grub
else
ok "$PACKAGES are configured"
ERROR=0
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for line in $RESULT; do
if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
crit "$line is not configured"
ERROR=1
fi
done
IFS=$d_IFS
if [ $ERROR = 1 ]; then
$SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor /" /etc/default/grub
$SUDO_CMD update-grub
else
ok "$PACKAGES are configured"
fi
fi
}

16
bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh
View File

@ -21,22 +21,25 @@ PACKAGES='apparmor apparmor-utils'
# This function will be called if the script status is on enabled / audit mode
audit() {
ERROR=0
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is absent!"
ERROR=1
else
ok "$PACKAGE is installed"
fi
done
if [ "$ERROR" = 0 ]; then
RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
if [ -n "$RESULT_UNCONFINED" ]; then
ok "No profiles are unconfined"
if [ -n "$RESULT_UNCONFINED" ]; then
ok "No profiles are unconfined"
else
crit "Some processes are unconfined while they have defined profile"
else
crit "Some processes are unconfined while they have defined profile"
fi
fi
}
@ -46,6 +49,7 @@ apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGES is absent!"
apt_install "$PACKAGE"
else
ok "$PACKAGE is installed"
fi

28
bin/hardening/1.7.1.4_enforcing_apparmor.sh
View File

@ -21,28 +21,31 @@ PACKAGES='apparmor apparmor-utils'
# This function will be called if the script status is on enabled / audit mode
audit() {
ERROR=0
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is absent!"
ERROR=1
else
ok "$PACKAGE is installed"
fi
done
if [ "$ERROR" = 0 ]; then
RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode.")
RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode.")
if [ -n "$RESULT_UNCONFINED" ]; then
ok "No profiles are unconfined"
else
crit "Some processes are unconfined while they have defined profile"
fi
if [ -n "$RESULT_UNCONFINED" ]; then
ok "No profiles are unconfined"
else
crit "Some processes are unconfined while they have defined profile"
fi
if [ -n "$RESULT_COMPLAIN" ]; then
ok "No profiles are in complain mode"
else
crit "Some processes are in complain mode"
if [ -n "$RESULT_COMPLAIN" ]; then
ok "No profiles are in complain mode"
else
crit "Some processes are in complain mode"
fi
fi
}
@ -52,6 +55,7 @@ apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is absent!"
apt_install "$PACKAGE"
else
ok "$PACKAGE is installed"
fi

53
bin/hardening/2.2.15_mta_localhost.sh
View File

@ -21,39 +21,50 @@ HARDENING_EXCEPTION=mail
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Checking netport ports opened"
RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || :
RESULT=${RESULT:-}
debug "Result is $RESULT"
if [ -z "$RESULT" ]; then
ok "Nothing listens on 25 port, probably unix socket configured"
is_pkg_installed net-tools
if [ "$FNRET" != 0 ]; then
warn "netsat not installed, cannot execute check"
exit 2
else
info "Checking $RESULT"
if grep -q "127.0.0.1" <<<"$RESULT"; then
ok "MTA is configured to localhost only"
info "Checking netport ports opened"
RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || :
RESULT=${RESULT:-}
debug "Result is $RESULT"
if [ -z "$RESULT" ]; then
ok "Nothing listens on 25 port, probably unix socket configured"
else
crit "MTA listens worldwide"
info "Checking $RESULT"
if grep -q "127.0.0.1" <<<"$RESULT"; then
ok "MTA is configured to localhost only"
else
crit "MTA listens worldwide"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
info "Checking netport ports opened"
RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || :
RESULT=${RESULT:-}
debug "Result is $RESULT"
if [ -z "$RESULT" ]; then
ok "Nothing listens on 25 port, probably unix socket configured"
is_pkg_installed net-tools
if [ "$FNRET" != 0 ]; then
warn "netsat not installed, cannot execute check"
exit 2
else
info "Checking $RESULT"
if grep -q "127.0.0.1" <<<"$RESULT"; then
ok "MTA is configured to localhost only"
info "Checking netport ports opened"
RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || :
RESULT=${RESULT:-}
debug "Result is $RESULT"
if [ -z "$RESULT" ]; then
ok "Nothing listens on 25 port, probably unix socket configured"
else
warn "MTA listens worldwide, correct this considering your MTA"
info "Checking $RESULT"
if grep -q "127.0.0.1" <<<"$RESULT"; then
ok "MTA is configured to localhost only"
else
warn "MTA listens worldwide, correct this considering your MTA"
fi
fi
fi
:
}
# This function will check config parameters required

3
bin/hardening/4.1.11_record_privileged_commands.sh
View File

@ -18,8 +18,7 @@ HARDENING_LEVEL=4
DESCRIPTION="Collect use of privileged commands."
# Find all files with setuid or setgid set
SUDO_CMD='sudo -n'
AUDIT_PARAMS=$($SUDO_CMD find / -xdev \( -perm -4000 -o -perm -2000 \) -type f |
AUDIT_PARAMS=$(find / -xdev \( -perm -4000 -o -perm -2000 \) -type f |
awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }')
FILE='/etc/audit/audit.rules'

33
bin/hardening/4.2.1.2_enable_syslog-ng.sh
View File

@ -17,29 +17,40 @@ HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Ensure syslog-ng service is activated."
PACKAGE='syslog-ng'
SERVICE_NAME="syslog-ng"
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Checking if $SERVICE_NAME is enabled"
is_service_enabled "$SERVICE_NAME"
if [ "$FNRET" = 0 ]; then
ok "$SERVICE_NAME is enabled"
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
crit "$SERVICE_NAME is disabled"
info "Checking if $SERVICE_NAME is enabled"
is_service_enabled "$SERVICE_NAME"
if [ "$FNRET" = 0 ]; then
ok "$SERVICE_NAME is enabled"
else
crit "$SERVICE_NAME is disabled"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
info "Checking if $SERVICE_NAME is enabled"
is_service_enabled "$SERVICE_NAME"
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
info "Enabling $SERVICE_NAME"
update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
update-rc.d "$SERVICE_NAME" defaults >/dev/null 2>&1
crit "$PACKAGE is not installed!"
else
ok "$SERVICE_NAME is enabled"
info "Checking if $SERVICE_NAME is enabled"
is_service_enabled "$SERVICE_NAME"
if [ "$FNRET" != 0 ]; then
info "Enabling $SERVICE_NAME"
update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1
update-rc.d "$SERVICE_NAME" defaults >/dev/null 2>&1
else
ok "$SERVICE_NAME is enabled"
fi
fi
}

135
bin/hardening/4.2.1.4_syslog_ng_logfiles_perm.sh
View File

@ -19,6 +19,7 @@ DESCRIPTION="Create and set permissions on syslog-ng logfiles."
# Note: this is not exacly the same check as the one described in CIS PDF
PACKAGE='syslog-ng'
PERMISSIONS=''
USER=''
GROUP=''
@ -26,14 +27,71 @@ EXCEPTIONS=''
# This function will be called if the script status is on enabled / audit mode
audit() {
FILES=$(grep "file(" "$SYSLOG_BASEDIR"/syslog-ng.conf | grep '"' | cut -d'"' -f 2)
for FILE in $FILES; do
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist"
else
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
FILES=$(grep "file(" "$SYSLOG_BASEDIR"/syslog-ng.conf | grep '"' | cut -d'"' -f 2)
for FILE in $FILES; do
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist"
else
FOUND_EXC=0
if grep -q "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then
debug "$FILE is found in exceptions"
debug "Setting special user:group:perm"
FOUND_EXC=1
local user_bak="$USER"
local group_bak="$GROUP"
local perm_bak="$PERMISSIONS"
USER="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 2)"
GROUP="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 3)"
PERMISSIONS="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 4)"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership ($USER:$GROUP)"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions ($PERMISSIONS)"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
if [ "$FOUND_EXC" = 1 ]; then
debug "Resetting user:group:perm"
USER="$user_bak"
GROUP="$group_bak"
PERMISSIONS="$perm_bak"
fi
fi
done
fi
}
# This function will be called if the script status is on enabled mode
apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
for FILE in $FILES; do
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
info "$FILE does not exist"
filedir=$(dirname "${FILE#/var/log/}")
if [ ! "$filedir" = "." ] && [ ! -d /var/log/"$filedir" ]; then
debug "Creating /var/log/$filedir for $FILE"
debug "mkdir -p /var/log/$filedir"
mkdir -p /var/log/"$filedir"
fi
touch "$FILE"
fi
FOUND_EXC=0
if grep -q "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then
if grep "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then
debug "$FILE is found in exceptions"
debug "Setting special user:group:perm"
FOUND_EXC=1
@ -46,15 +104,17 @@ audit() {
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership ($USER:$GROUP)"
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions ($PERMISSIONS)"
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
fi
if [ "$FOUND_EXC" = 1 ]; then
debug "Resetting user:group:perm"
@ -62,57 +122,8 @@ audit() {
GROUP="$group_bak"
PERMISSIONS="$perm_bak"
fi
fi
done
}
# This function will be called if the script status is on enabled mode
apply() {
for FILE in $FILES; do
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
info "$FILE does not exist"
filedir=$(dirname "${FILE#/var/log/}")
if [ ! "$filedir" = "." ] && [ ! -d /var/log/"$filedir" ]; then
debug "Creating /var/log/$filedir for $FILE"
debug "mkdir -p /var/log/$filedir"
mkdir -p /var/log/"$filedir"
fi
touch "$FILE"
fi
FOUND_EXC=0
if grep "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then
debug "$FILE is found in exceptions"
debug "Setting special user:group:perm"
FOUND_EXC=1
local user_bak="$USER"
local group_bak="$GROUP"
local perm_bak="$PERMISSIONS"
USER="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 2)"
GROUP="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 3)"
PERMISSIONS="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 4)"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
fi
if [ "$FOUND_EXC" = 1 ]; then
debug "Resetting user:group:perm"
USER="$user_bak"
GROUP="$group_bak"
PERMISSIONS="$perm_bak"
fi
done
done
fi
}
# This function will create the config file for this check with default values

58
bin/hardening/4.2.1.5_syslog-ng_remote_host.sh
View File

@ -17,40 +17,52 @@ HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Configure syslog-ng to send logs to a remote log host."
PACKAGE='syslog-ng'
PATTERN='destination[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]+\".'
# This function will be called if the script status is on enabled / audit mode
audit() {
FOUND=0
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
for FILE in $FILES; do
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
FOUND=1
fi
done
if [ "$FOUND" = 1 ]; then
ok "$PATTERN is present in $FILES"
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
crit "$PATTERN is not present in $FILES"
FOUND=0
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
for FILE in $FILES; do
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
FOUND=1
fi
done
if [ "$FOUND" = 1 ]; then
ok "$PATTERN is present in $FILES"
else
crit "$PATTERN is not present in $FILES"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
FOUND=0
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
for FILE in $FILES; do
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
FOUND=1
fi
done
if [ "$FOUND" = 1 ]; then
ok "$PATTERN is present in $FILES"
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
crit "$PATTERN is not present in $FILES, please set a remote host to send your logs"
FOUND=0
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
for FILE in $FILES; do
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
FOUND=1
fi
done
if [ "$FOUND" = 1 ]; then
ok "$PATTERN is present in $FILES"
else
crit "$PATTERN is not present in $FILES, please set a remote host to send your logs"
fi
fi
}

98
bin/hardening/4.2.1.6_remote_syslog-ng_acl.sh
View File

@ -17,64 +17,74 @@ HARDENING_LEVEL=3
# shellcheck disable=2034
DESCRIPTION="Configure syslog to accept remote syslog messages only on designated log hosts."
PACKAGE='syslog-ng'
REMOTE_HOST=""
PATTERN='source[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]+\".'
# This function will be called if the script status is on enabled / audit mode
audit() {
FOUND=0
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
for FILE in $FILES; do
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
FOUND=1
fi
done
if [[ "$REMOTE_HOST" ]]; then
info "This is the remote host, checking that it only accepts logs from specified zone"
if [ "$FOUND" = 1 ]; then
ok "$PATTERN is present in $FILES"
else
crit "$PATTERN is not present in $FILES"
fi
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
info "This is the not the remote host checking that it doesn't accept remote logs"
if [ "$FOUND" = 1 ]; then
crit "$PATTERN is present in $FILES"
else
ok "$PATTERN is not present in $FILES"
fi
FOUND=0
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
for FILE in $FILES; do
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
FOUND=1
fi
done
if [[ "$REMOTE_HOST" ]]; then
info "This is the remote host, checking that it only accepts logs from specified zone"
if [ "$FOUND" = 1 ]; then
ok "$PATTERN is present in $FILES"
else
crit "$PATTERN is not present in $FILES"
fi
else
info "This is the not the remote host checking that it doesn't accept remote logs"
if [ "$FOUND" = 1 ]; then
crit "$PATTERN is present in $FILES"
else
ok "$PATTERN is not present in $FILES"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
FOUND=0
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
for FILE in $FILES; do
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
FOUND=1
fi
done
if [[ "$REMOTE_HOST" ]]; then
info "This is the remote host, checking that it only accepts logs from specified zone"
if [ "$FOUND" = 1 ]; then
ok "$PATTERN is present in $FILES"
else
crit "$PATTERN is not present in $FILES, setup the machine to receive the logs"
fi
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
info "This is the not the remote host checking that it doesn't accept remote logs"
if [ "$FOUND" = 1 ]; then
warn "$PATTERN is present in $FILES, "
else
ok "$PATTERN is not present in $FILES"
fi
FOUND=0
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L "$SYSLOG_BASEDIR"/conf.d/ -type f)"
for FILE in $FILES; do
does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
if [ "$FNRET" = 0 ]; then
FOUND=1
fi
done
if [[ "$REMOTE_HOST" ]]; then
info "This is the remote host, checking that it only accepts logs from specified zone"
if [ "$FOUND" = 1 ]; then
ok "$PATTERN is present in $FILES"
else
crit "$PATTERN is not present in $FILES, setup the machine to receive the logs"
fi
else
info "This is the not the remote host checking that it doesn't accept remote logs"
if [ "$FOUND" = 1 ]; then
warn "$PATTERN is present in $FILES, "
else
ok "$PATTERN is not present in $FILES"
fi
fi
fi
}

50
bin/hardening/5.1.2_crontab_perm_ownership.sh
View File

@ -27,18 +27,19 @@ audit() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
fi
}
@ -48,20 +49,21 @@ apply() {
if [ "$FNRET" != 0 ]; then
info "$FILE does not exist"
touch "$FILE"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
fi
fi
}

50
bin/hardening/5.1.3_cron_hourly_perm_ownership.sh
View File

@ -27,18 +27,19 @@ audit() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
fi
}
@ -48,20 +49,21 @@ apply() {
if [ "$FNRET" != 0 ]; then
info "$FILE does not exist"
touch "$FILE"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
fi
fi
}

50
bin/hardening/5.1.4_cron_daily_perm_ownership.sh
View File

@ -27,18 +27,19 @@ audit() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
fi
}
@ -48,20 +49,21 @@ apply() {
if [ "$FNRET" != 0 ]; then
info "$FILE does not exist"
touch "$FILE"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
fi
fi
}

50
bin/hardening/5.1.5_cron_weekly_perm_ownership.sh
View File

@ -27,18 +27,19 @@ audit() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
fi
}
@ -48,20 +49,21 @@ apply() {
if [ "$FNRET" != 0 ]; then
info "$FILE does not exist"
touch "$FILE"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
fi
fi
}

50
bin/hardening/5.1.6_cron_monthly_perm_ownership.sh
View File

@ -27,18 +27,19 @@ audit() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
fi
}
@ -48,20 +49,21 @@ apply() {
if [ "$FNRET" != 0 ]; then
info "$FILE does not exist"
touch "$FILE"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
fi
fi
}

63
bin/hardening/5.2.1_sshd_conf_perm_ownership.sh
View File

@ -17,6 +17,7 @@ HARDENING_LEVEL=1
# shellcheck disable=2034
DESCRIPTION="Checking permissions and ownership to root 600 for sshd_config."
PACKAGE='openssh-server'
FILE='/etc/ssh/sshd_config'
PERMISSIONS='600'
USER='root'
@ -24,40 +25,50 @@ GROUP='root'
# This function will be called if the script status is on enabled / audit mode
audit() {
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
ok "$PACKAGE is not installed!"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
does_file_exist "$FILE"
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
info "$FILE does not exist"
touch "$FILE"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
ok "$PACKAGE is not installed"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
info "$FILE does not exist"
touch "$FILE"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown "$USER":"$GROUP" "$FILE"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
fi
fi
}

34
bin/hardening/99.3.3.4_hosts_allow_permissions.sh
View File

@ -24,22 +24,36 @@ GROUP='root'
# This function will be called if the script status is on enabled / audit mode
audit() {
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
ok "$FILE exist"
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist"
touch "$FILE"
warn "You may want to fill it with allowed networks"
else
ok "$FILE exist"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"

34
bin/hardening/99.3.3.5_hosts_deny_permissions.sh
View File

@ -24,22 +24,36 @@ GROUP='root'
# This function will be called if the script status is on enabled / audit mode
audit() {
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
ok "$FILE exist"
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply() {
does_file_exist "$FILE"
if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist"
touch "$FILE"
warn "You may want to fill it with allowed networks"
else
ok "$FILE exist"
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"