From 1f873a14f6ad3d61b3549afc4d32d5340712c7c0 Mon Sep 17 00:00:00 2001 From: "thibault.dewailly" Date: Wed, 13 Apr 2016 22:51:18 +0200 Subject: [PATCH] 7.4.1_install_tcp_wrapper.sh 7.4.2_hosts_allow.sh 7.4.3_hosts_allow_permissions.sh 7.4.4_hosts_deny.sh 7.4.5_hosts_deny_permissions.sh 7.5.1_disable_dccp.sh 7.5.2_disable_sctp.sh 7.5.3_disable_rds.sh 7.5.4_disable_tipc.sh 7.6_disable_wireless.sh 7.7_enable_firewall.sh 8.0_install_auditd.sh 8.1.1.1_audit_log_storage.sh --- bin/hardening/7.4.1_install_tcp_wrapper.sh | 55 +++++++++++++++ bin/hardening/7.4.2_hosts_allow.sh | 56 +++++++++++++++ .../7.4.3_hosts_allow_permissions.sh | 56 +++++++++++++++ bin/hardening/7.4.4_hosts_deny.sh | 70 +++++++++++++++++++ bin/hardening/7.4.5_hosts_deny_permissions.sh | 56 +++++++++++++++ bin/hardening/7.5.1_disable_dccp.sh | 42 +++++++++++ bin/hardening/7.5.2_disable_sctp.sh | 42 +++++++++++ bin/hardening/7.5.3_disable_rds.sh | 42 +++++++++++ bin/hardening/7.5.4_disable_tipc.sh | 42 +++++++++++ bin/hardening/7.6_disable_wireless.sh | 42 +++++++++++ bin/hardening/7.7_enable_firewall.sh | 58 +++++++++++++++ bin/hardening/8.0_install_auditd.sh | 57 +++++++++++++++ bin/hardening/8.1.1.1_audit_log_storage.sh | 70 +++++++++++++++++++ etc/conf.d/7.4.1_install_tcp_wrapper.cfg | 2 + etc/conf.d/7.4.2_hosts_allow.cfg | 2 + etc/conf.d/7.4.3_hosts_allow_permissions.cfg | 2 + etc/conf.d/7.4.4_hosts_deny.cfg | 2 + etc/conf.d/7.4.5_hosts_deny_permissions.cfg | 2 + etc/conf.d/7.5.1_disable_dccp.cfg | 2 + etc/conf.d/7.5.2_disable_sctp.cfg | 2 + etc/conf.d/7.6_disable_wireless.cfg | 2 + etc/conf.d/7.7_enable_firewall.cfg | 2 + etc/conf.d/8.0_install_auditd.cfg | 2 + etc/conf.d/8.1.1.1_audit_log_storage.cfg | 2 + 24 files changed, 710 insertions(+) create mode 100755 bin/hardening/7.4.1_install_tcp_wrapper.sh create mode 100755 bin/hardening/7.4.2_hosts_allow.sh create mode 100755 bin/hardening/7.4.3_hosts_allow_permissions.sh create mode 100755 bin/hardening/7.4.4_hosts_deny.sh create mode 100755 bin/hardening/7.4.5_hosts_deny_permissions.sh create mode 100755 bin/hardening/7.5.1_disable_dccp.sh create mode 100755 bin/hardening/7.5.2_disable_sctp.sh create mode 100755 bin/hardening/7.5.3_disable_rds.sh create mode 100755 bin/hardening/7.5.4_disable_tipc.sh create mode 100755 bin/hardening/7.6_disable_wireless.sh create mode 100755 bin/hardening/7.7_enable_firewall.sh create mode 100755 bin/hardening/8.0_install_auditd.sh create mode 100755 bin/hardening/8.1.1.1_audit_log_storage.sh create mode 100644 etc/conf.d/7.4.1_install_tcp_wrapper.cfg create mode 100644 etc/conf.d/7.4.2_hosts_allow.cfg create mode 100644 etc/conf.d/7.4.3_hosts_allow_permissions.cfg create mode 100644 etc/conf.d/7.4.4_hosts_deny.cfg create mode 100644 etc/conf.d/7.4.5_hosts_deny_permissions.cfg create mode 100644 etc/conf.d/7.5.1_disable_dccp.cfg create mode 100644 etc/conf.d/7.5.2_disable_sctp.cfg create mode 100644 etc/conf.d/7.6_disable_wireless.cfg create mode 100644 etc/conf.d/7.7_enable_firewall.cfg create mode 100644 etc/conf.d/8.0_install_auditd.cfg create mode 100644 etc/conf.d/8.1.1.1_audit_log_storage.cfg diff --git a/bin/hardening/7.4.1_install_tcp_wrapper.sh b/bin/hardening/7.4.1_install_tcp_wrapper.sh new file mode 100755 index 0000000..751eeda --- /dev/null +++ b/bin/hardening/7.4.1_install_tcp_wrapper.sh @@ -0,0 +1,55 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 7.4.1 Install TCP Wrappers (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='tcpd' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/7.4.2_hosts_allow.sh b/bin/hardening/7.4.2_hosts_allow.sh new file mode 100755 index 0000000..a0de311 --- /dev/null +++ b/bin/hardening/7.4.2_hosts_allow.sh @@ -0,0 +1,56 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 7.4.2 Create /etc/hosts.allow (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE='/etc/hosts.allow' + +# This function will be called if the script status is on enabled / audit mode +audit () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + crit "$FILE does not exist" + else + ok "$FILE exist" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + warn "$FILE does not exist, creating it" + touch $FILE + warn "You may want to fill it with allowed networks" + else + ok "$FILE exist" + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/7.4.3_hosts_allow_permissions.sh b/bin/hardening/7.4.3_hosts_allow_permissions.sh new file mode 100755 index 0000000..a6536ae --- /dev/null +++ b/bin/hardening/7.4.3_hosts_allow_permissions.sh @@ -0,0 +1,56 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 7.4.3 Verify Permissions on /etc/hosts.allow (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE='/etc/hosts.allow' +PERMISSIONS='644' + +# This function will be called if the script status is on enabled / audit mode +audit () { + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + crit "$FILE has not $PERMISSIONS permissions set" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + info "fixing $FILE permissions to $PERMISSIONS" + chmod 0$PERMISSIONS $FILE + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/7.4.4_hosts_deny.sh b/bin/hardening/7.4.4_hosts_deny.sh new file mode 100755 index 0000000..7403589 --- /dev/null +++ b/bin/hardening/7.4.4_hosts_deny.sh @@ -0,0 +1,70 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 7.4.4 Create /etc/hosts.deny (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE='/etc/hosts.deny' +PATTERN='ALL: ALL' + +# This function will be called if the script status is on enabled / audit mode +audit () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + crit "$FILE does not exist" + else + ok "$FILE exist, checking configuration" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET != 0 ]; then + crit "$PATTERN not present in $FILE, we have to deny everything" + else + ok "$PATTERN present in $FILE" + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + warn "$FILE does not exist, creating it" + touch $FILE + else + ok "$FILE exist" + fi + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET != 0 ]; then + crit "$PATTERN not present in $FILE, we have to deny everything" + add_end_of_file $FILE "$PATTERN" + warn "YOU MAY HAVE CUT YOUR ACCESS, CHECK BEFORE DISCONNECTING" + else + ok "$PATTERN present in $FILE" + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/7.4.5_hosts_deny_permissions.sh b/bin/hardening/7.4.5_hosts_deny_permissions.sh new file mode 100755 index 0000000..50aae37 --- /dev/null +++ b/bin/hardening/7.4.5_hosts_deny_permissions.sh @@ -0,0 +1,56 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 7.4.5 Verify Permissions on /etc/hosts.deny (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE='/etc/hosts.deny' +PERMISSIONS='644' + +# This function will be called if the script status is on enabled / audit mode +audit () { + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + crit "$FILE has not $PERMISSIONS permissions set" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + info "fixing $FILE permissions to $PERMISSIONS" + chmod 0$PERMISSIONS $FILE + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/7.5.1_disable_dccp.sh b/bin/hardening/7.5.1_disable_dccp.sh new file mode 100755 index 0000000..b159a29 --- /dev/null +++ b/bin/hardening/7.5.1_disable_dccp.sh @@ -0,0 +1,42 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 7.5.1 Disable DCCP (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Not implemented yet" +} + +# This function will be called if the script status is on enabled mode +apply () { + info "Not implemented yet" +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/7.5.2_disable_sctp.sh b/bin/hardening/7.5.2_disable_sctp.sh new file mode 100755 index 0000000..d521282 --- /dev/null +++ b/bin/hardening/7.5.2_disable_sctp.sh @@ -0,0 +1,42 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 7.5.2 Disable SCTP (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Not implemented yet" +} + +# This function will be called if the script status is on enabled mode +apply () { + info "Not implemented yet" +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/7.5.3_disable_rds.sh b/bin/hardening/7.5.3_disable_rds.sh new file mode 100755 index 0000000..d521282 --- /dev/null +++ b/bin/hardening/7.5.3_disable_rds.sh @@ -0,0 +1,42 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 7.5.2 Disable SCTP (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Not implemented yet" +} + +# This function will be called if the script status is on enabled mode +apply () { + info "Not implemented yet" +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/7.5.4_disable_tipc.sh b/bin/hardening/7.5.4_disable_tipc.sh new file mode 100755 index 0000000..d521282 --- /dev/null +++ b/bin/hardening/7.5.4_disable_tipc.sh @@ -0,0 +1,42 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 7.5.2 Disable SCTP (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Not implemented yet" +} + +# This function will be called if the script status is on enabled mode +apply () { + info "Not implemented yet" +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/7.6_disable_wireless.sh b/bin/hardening/7.6_disable_wireless.sh new file mode 100755 index 0000000..d792361 --- /dev/null +++ b/bin/hardening/7.6_disable_wireless.sh @@ -0,0 +1,42 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 7.6 Deactivate Wireless Interfaces (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Not implemented yet" +} + +# This function will be called if the script status is on enabled mode +apply () { + info "Not implemented yet" +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/7.7_enable_firewall.sh b/bin/hardening/7.7_enable_firewall.sh new file mode 100755 index 0000000..22ce33c --- /dev/null +++ b/bin/hardening/7.7_enable_firewall.sh @@ -0,0 +1,58 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 7.4.1 Install TCP Wrappers (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Quick note here : CIS recommends your iptables rules to be persistent. +# Do as you want, but this script does not handle this + +PACKAGE='iptables' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/8.0_install_auditd.sh b/bin/hardening/8.0_install_auditd.sh new file mode 100755 index 0000000..83af3bd --- /dev/null +++ b/bin/hardening/8.0_install_auditd.sh @@ -0,0 +1,57 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 8.0 Install auditd +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Note : Not port of the CIS guide, but what's the point configuring a software not installed ? :) + +PACKAGE='auditd' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/8.1.1.1_audit_log_storage.sh b/bin/hardening/8.1.1.1_audit_log_storage.sh new file mode 100755 index 0000000..85cfc3c --- /dev/null +++ b/bin/hardening/8.1.1.1_audit_log_storage.sh @@ -0,0 +1,70 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 8.1.1.1 Configure Audit Log Storage Size (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE='/etc/audit/auditd.conf' +PATTERN='max_log_file' +VALUE=5 + +# This function will be called if the script status is on enabled / audit mode +audit () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + crit "$FILE does not exist" + else + ok "$FILE exist, checking configuration" + does_pattern_exists_in_file $FILE "^$PATTERN[[:space:]]" + if [ $FNRET != 0 ]; then + crit "$PATTERN not present in $FILE, we have to deny everything" + else + ok "$PATTERN present in $FILE" + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + warn "$FILE does not exist, creating it" + touch $FILE + else + ok "$FILE exist" + fi + does_pattern_exists_in_file $FILE "^$PATTERN[[:space:]]" + if [ $FNRET != 0 ]; then + warn "$PATTERN not present in $FILE, adding it" + add_end_of_file $FILE "$PATTERN = $VALUE" + else + ok "$PATTERN present in $FILE" + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/etc/conf.d/7.4.1_install_tcp_wrapper.cfg b/etc/conf.d/7.4.1_install_tcp_wrapper.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/7.4.1_install_tcp_wrapper.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/7.4.2_hosts_allow.cfg b/etc/conf.d/7.4.2_hosts_allow.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/7.4.2_hosts_allow.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/7.4.3_hosts_allow_permissions.cfg b/etc/conf.d/7.4.3_hosts_allow_permissions.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/7.4.3_hosts_allow_permissions.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/7.4.4_hosts_deny.cfg b/etc/conf.d/7.4.4_hosts_deny.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/7.4.4_hosts_deny.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/7.4.5_hosts_deny_permissions.cfg b/etc/conf.d/7.4.5_hosts_deny_permissions.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/7.4.5_hosts_deny_permissions.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/7.5.1_disable_dccp.cfg b/etc/conf.d/7.5.1_disable_dccp.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/7.5.1_disable_dccp.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/7.5.2_disable_sctp.cfg b/etc/conf.d/7.5.2_disable_sctp.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/7.5.2_disable_sctp.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/7.6_disable_wireless.cfg b/etc/conf.d/7.6_disable_wireless.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/7.6_disable_wireless.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/7.7_enable_firewall.cfg b/etc/conf.d/7.7_enable_firewall.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/7.7_enable_firewall.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/8.0_install_auditd.cfg b/etc/conf.d/8.0_install_auditd.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/8.0_install_auditd.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/8.1.1.1_audit_log_storage.cfg b/etc/conf.d/8.1.1.1_audit_log_storage.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/8.1.1.1_audit_log_storage.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled