mirror of
https://github.com/ovh/debian-cis.git
synced 2024-12-23 14:35:26 +01:00
4.2_enable_nx_support.sh 4.3_enable_randomized_vm_placement.sh 4.4_disable_prelink.sh 4.5_enable_apparmor.sh 5.1.1_disable_nis.sh
This commit is contained in:
parent
f3e537072a
commit
3596fec2df
53
bin/hardening/4.2_enable_nx_support.sh
Executable file
53
bin/hardening/4.2_enable_nx_support.sh
Executable file
@ -0,0 +1,53 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# Hardening script skeleton replace this line with proper point treated
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
PATTERN='NX[[:space:]]\(Execute[[:space:]]Disable\)[[:space:]]protection:[[:space:]]active'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
does_pattern_exists_in_dmesg $PATTERN
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$PATTERN not present in dmesg"
|
||||
else
|
||||
ok "$PATTERN present in dmesg"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
does_pattern_exists_in_dmesg $PATTERN
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$PATTERN not present in dmesg, please go to the bios to activate this option or change for CPU compatible"
|
||||
else
|
||||
ok "$PATTERN present in dmesg"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
59
bin/hardening/4.3_enable_randomized_vm_placement.sh
Executable file
59
bin/hardening/4.3_enable_randomized_vm_placement.sh
Executable file
@ -0,0 +1,59 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# Hardening script skeleton replace this line with proper point treated
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
SYSCTL_PARAM='kernel.randomize_va_space'
|
||||
SYSCTL_EXP_RESULT=2
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !"
|
||||
elif [ $FNRET = 255 ]; then
|
||||
warn "$SYSCTL_PARAM does not exist, typo ?"
|
||||
else
|
||||
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||
if [ $FNRET != 0 ]; then
|
||||
warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it"
|
||||
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||
elif [ $FNRET = 255 ]; then
|
||||
warn "$SYSCTL_PARAM does not exist, typo ?"
|
||||
else
|
||||
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
57
bin/hardening/4.4_disable_prelink.sh
Executable file
57
bin/hardening/4.4_disable_prelink.sh
Executable file
@ -0,0 +1,57 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 4.4 Disable Prelink (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
PACKAGE='prelink'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$PACKAGE is installed !"
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$PACKAGE is installed, purging it"
|
||||
/usr/sbin/prelink -ua
|
||||
apt-get purge $PACKAGE -y
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
55
bin/hardening/4.5_enable_apparmor.sh
Executable file
55
bin/hardening/4.5_enable_apparmor.sh
Executable file
@ -0,0 +1,55 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 4.5 Activate AppArmor (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
PACKAGE='apparmor'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$PACKAGE is absent !"
|
||||
else
|
||||
ok "$PACKAGE is installed"
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$PACKAGE is not installed, please install $PACKAGE and configure it"
|
||||
else
|
||||
ok "$PACKAGE is installed"
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
55
bin/hardening/5.1.1_disable_nis.sh
Executable file
55
bin/hardening/5.1.1_disable_nis.sh
Executable file
@ -0,0 +1,55 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 5.1.1 Ensure NIS is not installed (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
PACKAGE='nis'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$PACKAGE is installed !"
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$PACKAGE is installed, purging it"
|
||||
apt-get purge $PACKAGE -y
|
||||
else
|
||||
ok "$PACKAGE is absent"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
2
etc/conf.d/4.2_enable_nx_support.cfg
Normal file
2
etc/conf.d/4.2_enable_nx_support.cfg
Normal file
@ -0,0 +1,2 @@
|
||||
# Configuration for script of same name
|
||||
status=enabled
|
2
etc/conf.d/4.3_enable_randomized_vm_placement.cfg
Normal file
2
etc/conf.d/4.3_enable_randomized_vm_placement.cfg
Normal file
@ -0,0 +1,2 @@
|
||||
# Configuration for script of same name
|
||||
status=enabled
|
2
etc/conf.d/4.4_disable_prelink.cfg
Normal file
2
etc/conf.d/4.4_disable_prelink.cfg
Normal file
@ -0,0 +1,2 @@
|
||||
# Configuration for script of same name
|
||||
status=enabled
|
2
etc/conf.d/4.5_enable_apparmor.cfg
Normal file
2
etc/conf.d/4.5_enable_apparmor.cfg
Normal file
@ -0,0 +1,2 @@
|
||||
# Configuration for script of same name
|
||||
status=enabled
|
2
etc/conf.d/5.1.1_disable_nis.cfg
Normal file
2
etc/conf.d/5.1.1_disable_nis.cfg
Normal file
@ -0,0 +1,2 @@
|
||||
# Configuration for script of same name
|
||||
status=enabled
|
18
lib/utils.sh
18
lib/utils.sh
@ -10,7 +10,7 @@ has_sysctl_param_expected_result() {
|
||||
|
||||
if [ "$(sysctl $SYSCTL_PARAM 2>/dev/null)" = "$SYSCTL_PARAM = $EXP_RESULT" ]; then
|
||||
FNRET=0
|
||||
elif [ $? != 0 ]; then
|
||||
elif [ $? = 255 ]; then
|
||||
debug "$SYSCTL_PARAM does not exist"
|
||||
FNRET=255
|
||||
else
|
||||
@ -23,7 +23,7 @@ set_sysctl_param() {
|
||||
local SYSCTL_PARAM=$1
|
||||
local VALUE=$2
|
||||
debug "Setting $SYSCTL_PARAM to $VALUE"
|
||||
if [ "$(sysctl -w $SYSCTL_PARAM 2>/dev/null)" = "$SYSCTL_PARAM = $VALUE" ]; then
|
||||
if [ "$(sysctl -w $SYSCTL_PARAM=$VALUE 2>/dev/null)" = "$SYSCTL_PARAM = $VALUE" ]; then
|
||||
FNRET=0
|
||||
elif [ $? != 0 ]; then
|
||||
debug "$SYSCTL_PARAM does not exist"
|
||||
@ -34,6 +34,18 @@ set_sysctl_param() {
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Dmesg Manipulation
|
||||
#
|
||||
|
||||
does_pattern_exists_in_dmesg() {
|
||||
local PATTERN=$1
|
||||
if $(dmesg | grep -qE "$PATTERN"); then
|
||||
FNRET=0
|
||||
else
|
||||
FNRET=1
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# File manipulation
|
||||
@ -275,8 +287,10 @@ is_pkg_installed()
|
||||
{
|
||||
PKG_NAME=$1
|
||||
if $(dpkg -s $PKG_NAME 2> /dev/null | grep -q '^Status: install ') ; then
|
||||
debug "$PKG_NAME is installed"
|
||||
FNRET=0
|
||||
else
|
||||
debug "$PKG_NAME is not installed"
|
||||
FNRET=1
|
||||
fi
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user