elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2025-06-24 03:24:34 +02:00
Code Issues Packages Projects Releases Wiki Activity

Renum 1.x files to comply with debian10 CIS

Browse Source 
renamed:    bin/hardening/1.4.1_bootloader_ownership.sh -> bin/hardening/1.5.1_bootloader_ownership.sh
	renamed:    bin/hardening/1.4.2_bootloader_password.sh -> bin/hardening/1.5.2_bootloader_password.sh
	renamed:    bin/hardening/1.4.3_root_password.sh -> bin/hardening/1.5.3_root_password.sh
	renamed:    bin/hardening/1.5.2_enable_nx_support.sh -> bin/hardening/1.6.1_enable_nx_support.sh
	renamed:    bin/hardening/1.5.3_enable_randomized_vm_placement.sh -> bin/hardening/1.6.2_enable_randomized_vm_placement.sh
	renamed:    bin/hardening/1.5.4_disable_prelink.sh -> bin/hardening/1.6.3_disable_prelink.sh
	renamed:    bin/hardening/1.5.1_restrict_core_dumps.sh -> bin/hardening/1.6.4_restrict_core_dumps.sh
	renamed:    bin/hardening/1.6.2.1_enable_apparmor.sh -> bin/hardening/1.7.2.2_enable_apparmor.sh
	renamed:    bin/hardening/1.7.1.1_remove_os_info_motd.sh -> bin/hardening/1.8.1.1_remove_os_info_motd.sh
	renamed:    bin/hardening/1.7.1.2_remove_os_info_issue.sh -> bin/hardening/1.8.1.2_remove_os_info_issue.sh
	renamed:    bin/hardening/1.7.1.3_remove_os_info_issue_net.sh -> bin/hardening/1.8.1.3_remove_os_info_issue_net.sh
	renamed:    bin/hardening/1.7.1.4_motd_perms.sh -> bin/hardening/1.8.1.4_motd_perms.sh
	renamed:    bin/hardening/1.7.1.5_etc_issue_perms.sh -> bin/hardening/1.8.1.5_etc_issue_perms.sh
	renamed:    bin/hardening/1.7.1.6_etc_issue_net_perms.sh -> bin/hardening/1.8.1.6_etc_issue_net_perms.sh
	renamed:    bin/hardening/1.7.2_graphical_warning_banners.sh -> bin/hardening/1.8.2_graphical_warning_banners.sh
	renamed:    bin/hardening/1.8_install_updates.sh -> bin/hardening/1.9_install_updates.sh
	renamed:    tests/hardening/1.4.1_bootloader_ownership.sh -> tests/hardening/1.5.1_bootloader_ownership.sh
	renamed:    tests/hardening/1.4.2_bootloader_password.sh -> tests/hardening/1.5.2_bootloader_password.sh
	renamed:    tests/hardening/1.4.3_root_password.sh -> tests/hardening/1.5.3_root_password.sh
	renamed:    tests/hardening/1.5.2_enable_nx_support.sh -> tests/hardening/1.6.1_enable_nx_support.sh
	renamed:    tests/hardening/1.5.3_enable_randomized_vm_placement.sh -> tests/hardening/1.6.2_enable_randomized_vm_placement.sh
	renamed:    tests/hardening/1.5.4_disable_prelink.sh -> tests/hardening/1.6.3_disable_prelink.sh
	renamed:    tests/hardening/1.5.1_restrict_core_dumps.sh -> tests/hardening/1.6.4_restrict_core_dumps.sh
	renamed:    tests/hardening/1.6.2.1_enable_apparmor.sh -> tests/hardening/1.7.2.2_enable_apparmor.sh
	renamed:    tests/hardening/1.7.1.1_remove_os_info_motd.sh -> tests/hardening/1.8.1.1_remove_os_info_motd.sh
	renamed:    tests/hardening/1.7.1.2_remove_os_info_issue.sh -> tests/hardening/1.8.1.2_remove_os_info_issue.sh
	renamed:    tests/hardening/1.7.1.3_remove_os_info_issue_net.sh -> tests/hardening/1.8.1.3_remove_os_info_issue_net.sh
	renamed:    tests/hardening/1.7.1.4_motd_perms.sh -> tests/hardening/1.8.1.4_motd_perms.sh
	new file:   tests/hardening/1.8.1.5_etc_issue_perms.sh
	new file:   tests/hardening/1.8.1.6_etc_issue_net_perms.sh
	renamed:    tests/hardening/1.7.2_graphical_warning_banners.sh -> tests/hardening/1.8.2_graphical_warning_banners.sh
	renamed:    tests/hardening/1.8_install_updates.sh -> tests/hardening/1.9_install_updates.sh
This commit is contained in:
Thibault Ayanides
2020-12-21 16:09:27 +01:00
parent 87bf29b5fe
commit 2034aa7b8a
32 changed files with 38 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

103
bin/hardening/1.6.4_restrict_core_dumps.sh Executable file
View File

@ -0,0 +1,103 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# 1.6.4 Ensure core dumps are restricted (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Restrict core dumps."
LIMIT_FILE='/etc/security/limits.conf'
LIMIT_DIR='/etc/security/limits.d'
LIMIT_PATTERN='^\*[[:space:]]*hard[[:space:]]*core[[:space:]]*0$'
SYSCTL_PARAM='fs.suid_dumpable'
SYSCTL_EXP_RESULT=0
# This function will be called if the script status is on enabled / audit mode
audit() {
SEARCH_RES=0
LIMIT_FILES=""
if $SUDO_CMD [ -d "$LIMIT_DIR" ]; then
for file in $($SUDO_CMD ls "$LIMIT_DIR"/*.conf 2>/dev/null); do
LIMIT_FILES="$LIMIT_FILES $LIMIT_DIR/$file"
done
fi
debug "Files to search $LIMIT_FILE $LIMIT_FILES"
for file in $LIMIT_FILE $LIMIT_FILES; do
does_pattern_exist_in_file "$file" "$LIMIT_PATTERN"
if [ "$FNRET" != 0 ]; then
debug "$LIMIT_PATTERN not present in $file"
else
ok "$LIMIT_PATTERN present in $file"
SEARCH_RES=1
break
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$LIMIT_PATTERN is not present in $LIMIT_FILE $LIMIT_FILES"
fi
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi
}
# This function will be called if the script status is on enabled mode
apply() {
does_pattern_exist_in_file "$LIMIT_FILE" "$LIMIT_PATTERN"
if [ "$FNRET" != 0 ]; then
warn "$LIMIT_PATTERN not present in $LIMIT_FILE, adding at the end of $LIMIT_FILE"
add_end_of_file $LIMIT_FILE "* hard core 0"
else
ok "$LIMIT_PATTERN present in $LIMIT_FILE"
fi
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi