From 3596fec2df3cdc0b2219fc9f101ea79d335d46a5 Mon Sep 17 00:00:00 2001
From: "thibault.dewailly"
Date: Mon, 11 Apr 2016 16:53:57 +0200
Subject: [PATCH] 4.2_enable_nx_support.sh 4.3_enable_randomized_vm_placement.sh 4.4_disable_prelink.sh 4.5_enable_apparmor.sh 5.1.1_disable_nis.sh
---
bin/hardening/4.2_enable_nx_support.sh | 53 +++++++++++++++++
.../4.3_enable_randomized_vm_placement.sh | 59 +++++++++++++++++++
bin/hardening/4.4_disable_prelink.sh | 57 ++++++++++++++++++
bin/hardening/4.5_enable_apparmor.sh | 55 +++++++++++++++++
bin/hardening/5.1.1_disable_nis.sh | 55 +++++++++++++++++
etc/conf.d/4.2_enable_nx_support.cfg | 2 +
.../4.3_enable_randomized_vm_placement.cfg | 2 +
etc/conf.d/4.4_disable_prelink.cfg | 2 +
etc/conf.d/4.5_enable_apparmor.cfg | 2 +
etc/conf.d/5.1.1_disable_nis.cfg | 2 +
lib/utils.sh | 18 +++++-
11 files changed, 305 insertions(+), 2 deletions(-)
create mode 100755 bin/hardening/4.2_enable_nx_support.sh
create mode 100755 bin/hardening/4.3_enable_randomized_vm_placement.sh
create mode 100755 bin/hardening/4.4_disable_prelink.sh
create mode 100755 bin/hardening/4.5_enable_apparmor.sh
create mode 100755 bin/hardening/5.1.1_disable_nis.sh
create mode 100644 etc/conf.d/4.2_enable_nx_support.cfg
create mode 100644 etc/conf.d/4.3_enable_randomized_vm_placement.cfg
create mode 100644 etc/conf.d/4.4_disable_prelink.cfg
create mode 100644 etc/conf.d/4.5_enable_apparmor.cfg
create mode 100644 etc/conf.d/5.1.1_disable_nis.cfg
diff --git a/bin/hardening/4.2_enable_nx_support.sh b/bin/hardening/4.2_enable_nx_support.sh
new file mode 100755
index 0000000..4ca2292
--- /dev/null
+++ b/bin/hardening/4.2_enable_nx_support.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# Hardening script skeleton replace this line with proper point treated
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PATTERN='NX[[:space:]]\(Execute[[:space:]]Disable\)[[:space:]]protection:[[:space:]]active'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ does_pattern_exists_in_dmesg $PATTERN
+ if [ $FNRET != 0 ]; then
+ crit "$PATTERN not present in dmesg"
+ else
+ ok "$PATTERN present in dmesg"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ does_pattern_exists_in_dmesg $PATTERN
+ if [ $FNRET != 0 ]; then
+ crit "$PATTERN not present in dmesg, please go to the bios to activate this option or change for CPU compatible"
+ else
+ ok "$PATTERN present in dmesg"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/4.3_enable_randomized_vm_placement.sh b/bin/hardening/4.3_enable_randomized_vm_placement.sh
new file mode 100755
index 0000000..c7204aa
--- /dev/null
+++ b/bin/hardening/4.3_enable_randomized_vm_placement.sh
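Review bot: The `[ -z $CIS_ROOT_DIR ]` branch near the end of the hunk prints "aborting" but never exits, so with a set-but-empty CIS_ROOT_DIR the script carries on to `[ -r $CIS_ROOT_DIR/lib/main.sh ]`, which then resolves to `/lib/main.sh`; add `exit 128` after the echo, as the missing-file branch above it already does (under `set -u` an unset variable aborts on its own, so this is the empty-value case). The same boilerplate appears in 4.3, 4.4, 4.5 and 5.1.1. The header still carries the skeleton text `# Hardening script skeleton replace this line with proper point treated`; replace it with the benchmark item, in the style the other new scripts use, e.g. `# 4.2 Enable XD/NX Support (Scored)` (4.3 has the same placeholder). The dmesg-based check is also best-effort: a kernel ring buffer that has wrapped, or a dmesg restricted to root, yields a crit even when NX is active, which deserves a comment on `audit` so the result is read as "not found" rather than "disabled".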
@@ -0,0 +1,59 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# Hardening script skeleton replace this line with proper point treated
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+SYSCTL_PARAM='kernel.randomize_va_space'
+SYSCTL_EXP_RESULT=2
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !"
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it"
+ set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/4.4_disable_prelink.sh b/bin/hardening/4.4_disable_prelink.sh
new file mode 100755
index 0000000..52693da
--- /dev/null
+++ b/bin/hardening/4.4_disable_prelink.sh
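Review bot: In both `audit` and `apply` the `elif [ $FNRET = 255 ]` branch is unreachable, because `[ $FNRET != 0 ]` is already true for 255; a missing sysctl key is therefore reported as a wrong value, and `apply` goes on to call `set_sysctl_param` on a key that does not exist. Test the sentinel first in both functions: `if [ $FNRET = 255 ]; then` with the `warn "$SYSCTL_PARAM does not exist, typo ?"` line, followed by `elif [ $FNRET != 0 ]; then` for the crit/warn branch. The remediation only calls `sysctl -w`, which does not survive a reboot; a persistent fix would also write `kernel.randomize_va_space = 2` to `/etc/sysctl.conf` or a `/etc/sysctl.d/` drop-in, so at minimum a comment on `apply` should say the change is runtime-only. The header comment still holds the skeleton placeholder instead of the benchmark item.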
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 4.4 Disable Prelink (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGE='prelink'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ crit "$PACKAGE is installed !"
+ else
+ ok "$PACKAGE is absent"
+ fi
+ :
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ crit "$PACKAGE is installed, purging it"
+ /usr/sbin/prelink -ua
+ apt-get purge $PACKAGE -y
+ else
+ ok "$PACKAGE is absent"
+ fi
+ :
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/4.5_enable_apparmor.sh b/bin/hardening/4.5_enable_apparmor.sh
new file mode 100755
index 0000000..88b7bbc
--- /dev/null
+++ b/bin/hardening/4.5_enable_apparmor.sh
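Review bot: In `apply`, `/usr/sbin/prelink -ua` runs under `set -e`, so a non-zero exit from the undo step aborts the script before `apt-get purge` is reached and leaves prelink installed with nothing in the log; handle it explicitly, e.g. `/usr/sbin/prelink -ua || warn "prelink -ua failed, some binaries may remain prelinked"`, so the purge still proceeds and the failure is recorded. Undoing before purging is the right order, since `-ua` removes the prelink modifications from all binaries while the tool is still present, and a one-line comment saying so would keep a future edit from swapping the two lines. The `crit` on the line before describes the action being taken rather than a finding; 4.3 uses `warn` for the same situation, so `warn "$PACKAGE is installed, purging it"` keeps the levels consistent. The trailing `:` at the end of `audit` and `apply` is a leftover from the skeleton.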
@@ -0,0 +1,55 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 4.5 Activate AppArmor (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGE='apparmor'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET != 0 ]; then
+ crit "$PACKAGE is absent !"
+ else
+ ok "$PACKAGE is installed"
+ fi
+ :
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET != 0 ]; then
+ crit "$PACKAGE is not installed, please install $PACKAGE and configure it"
+ else
+ ok "$PACKAGE is installed"
+ fi
+ :
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/5.1.1_disable_nis.sh b/bin/hardening/5.1.1_disable_nis.sh
new file mode 100755
index 0000000..afe81f5
--- /dev/null
+++ b/bin/hardening/5.1.1_disable_nis.sh
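Review bot: `audit` reports `ok` as soon as the `apparmor` package is installed, but the control is about AppArmor being active; the package can be present with the LSM disabled at boot, so the audit cannot distinguish an enforcing system from one where AppArmor was installed and never enabled. After the package check, also test the kernel state, e.g. that `/sys/module/apparmor/parameters/enabled` reads `Y` (or that `aa-status --enabled` succeeds), and `crit` when it does not. The `apply` message already tells the operator to install and configure it, which is consistent with not attempting an automatic fix here; a comment stating that boot parameters are deliberately not touched by this script would help the next reader. The trailing `:` in `audit` and `apply` is skeleton leftover.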
@@ -0,0 +1,55 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 5.1.1 Ensure NIS is not installed (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGE='nis'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ crit "$PACKAGE is installed !"
+ else
+ ok "$PACKAGE is absent"
+ fi
+ :
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ crit "$PACKAGE is installed, purging it"
+ apt-get purge $PACKAGE -y
+ else
+ ok "$PACKAGE is absent"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/etc/conf.d/4.2_enable_nx_support.cfg b/etc/conf.d/4.2_enable_nx_support.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/4.2_enable_nx_support.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/4.3_enable_randomized_vm_placement.cfg b/etc/conf.d/4.3_enable_randomized_vm_placement.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/4.3_enable_randomized_vm_placement.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/4.4_disable_prelink.cfg b/etc/conf.d/4.4_disable_prelink.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/4.4_disable_prelink.cfg
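Review bot: In `apply`, `crit "$PACKAGE is installed, purging it"` logs the remediation at the same level as the audit finding, while 4.3 uses `warn` when it is about to correct a value; `warn "$PACKAGE is installed, purging it"` keeps the levels consistent across the new scripts (4.4 has the same). `apt-get purge $PACKAGE -y` runs under `set -e` with no message of its own on failure, so a failed remediation ends the script silently; `apt-get purge $PACKAGE -y || crit "could not purge $PACKAGE"` makes it visible in the log. `audit` still ends with the skeleton's trailing `:`, which `apply` in this file has already dropped.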
@@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/4.5_enable_apparmor.cfg b/etc/conf.d/4.5_enable_apparmor.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/4.5_enable_apparmor.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/5.1.1_disable_nis.cfg b/etc/conf.d/5.1.1_disable_nis.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/5.1.1_disable_nis.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/lib/utils.sh b/lib/utils.sh index 6fafe73..594eb70 100644 --- a/lib/utils.sh +++ b/lib/utils.sh @@ -10,7 +10,7 @@ has_sysctl_param_expected_result() { if [ "$(sysctl $SYSCTL_PARAM 2>/dev/null)" = "$SYSCTL_PARAM = $EXP_RESULT" ]; then FNRET=0 - elif [ $? != 0 ]; then + elif [ $? = 255 ]; then debug "$SYSCTL_PARAM does not exist" FNRET=255 else @@ -23,7 +23,7 @@ set_sysctl_param() { local SYSCTL_PARAM=$1 local VALUE=$2 debug "Setting $SYSCTL_PARAM to $VALUE" - if [ "$(sysctl -w $SYSCTL_PARAM 2>/dev/null)" = "$SYSCTL_PARAM = $VALUE" ]; then + if [ "$(sysctl -w $SYSCTL_PARAM=$VALUE 2>/dev/null)" = "$SYSCTL_PARAM = $VALUE" ]; then FNRET=0 elif [ $? != 0 ]; then debug "$SYSCTL_PARAM does not exist" @@ -34,6 +34,18 @@ set_sysctl_param() { fi } +# +# Dmesg Manipulation +# + +does_pattern_exists_in_dmesg() { + local PATTERN=$1 + if $(dmesg | grep -qE "$PATTERN"); then + FNRET=0 + else + FNRET=1 + fi +} # # File manipulation @@ -275,8 +287,10 @@ is_pkg_installed() { PKG_NAME=$1 if $(dpkg -s $PKG_NAME 2> /dev/null | grep -q '^Status: install ') ; then + debug "$PKG_NAME is installed" FNRET=0 else + debug "$PKG_NAME is not installed" FNRET=1 fi }
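Review bot: In `has_sysctl_param_expected_result` the changed line `elif [ $? = 255 ]` still tests the exit status of the preceding `[ ... ]` comparison, which is 1 whenever that comparison failed, not the status of `sysctl`; the branch is therefore never taken and a missing key now falls through to the mismatch branch, whereas the old `!= 0` form had the opposite problem of always being taken. Capture sysctl's status separately and compare it, as below. `set_sysctl_param` in the next hunk has the same `$?`-after-`[` pattern and needs the same treatment. Both functions start and end outside their hunks.
```shell
has_sysctl_param_expected_result() {
    # … unchanged: parameter assignments …
    local result rc=0
    result=$(sysctl "$SYSCTL_PARAM" 2>/dev/null) || rc=$?
    if [ "$result" = "$SYSCTL_PARAM = $EXP_RESULT" ]; then
        FNRET=0
    elif [ "$rc" != 0 ]; then
        debug "$SYSCTL_PARAM does not exist"
        FNRET=255
    else
    # … unchanged: mismatch branch …
```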
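Review bot: In the new `does_pattern_exists_in_dmesg`, `if $(dmesg | grep -qE "$PATTERN"); then` runs the pipeline inside a command substitution and then tries to execute its output, which is empty because of `-q`; it only works because bash falls back to the substitution's exit status when no command name results. Write the test directly: `if dmesg | grep -qE -- "$PATTERN"; then`. The caller in 4.2 passes `$PATTERN` unquoted, so a pattern containing spaces or glob characters would be split or expanded before it arrives here; `does_pattern_exists_in_dmesg "$PATTERN"` at the call site is the matching fix. A comment on the function should also say the result is best-effort: dmesg may be restricted to root (`kernel.dmesg_restrict`) or the ring buffer may have wrapped, so FNRET=1 means "not found", not "absent".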