elie
/
debian-cis
mirror of https://github.com/ovh/debian-cis.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

IMP(shfmt): add shell formatter

This commit is contained in:
Thibault Ayanides 2020-12-04 14:08:01 +01:00
parent bc1aa65b91
commit 3a342b784a
300 changed files with 2370 additions and 2427 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -0,0 +1 @@
tmp/shfmt

142
bin/hardening.sh
View File

@ -28,7 +28,7 @@ SUDO_MODE=''
BATCH_MODE=''
usage() {
cat << EOF
cat <<EOF
$LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
--help -h
@ -117,48 +117,48 @@ declare -a TEST_LIST ALLOWED_SERVICES_LIST
while [[ $# > 0 ]]; do
ARG="$1"
case $ARG in
--audit)
AUDIT=1
--audit)
AUDIT=1
;;
--audit-all)
AUDIT_ALL=1
--audit-all)
AUDIT_ALL=1
;;
--audit-all-enable-passed)
AUDIT_ALL_ENABLE_PASSED=1
--audit-all-enable-passed)
AUDIT_ALL_ENABLE_PASSED=1
;;
--apply)
APPLY=1
--apply)
APPLY=1
;;
--allow-service-list)
ALLOW_SERVICE_LIST=1
--allow-service-list)
ALLOW_SERVICE_LIST=1
;;
--create-config-files-only)
CREATE_CONFIG=1
--create-config-files-only)
CREATE_CONFIG=1
;;
--allow-service)
ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2"
shift
--allow-service)
ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2"
shift
;;
--set-hardening-level)
SET_HARDENING_LEVEL="$2"
shift
--set-hardening-level)
SET_HARDENING_LEVEL="$2"
shift
;;
--only)
TEST_LIST[${#TEST_LIST[@]}]="$2"
shift
--only)
TEST_LIST[${#TEST_LIST[@]}]="$2"
shift
;;
--sudo)
SUDO_MODE='--sudo'
--sudo)
SUDO_MODE='--sudo'
;;
--batch)
BATCH_MODE='--batch'
LOGLEVEL=ok
--batch)
BATCH_MODE='--batch'
LOGLEVEL=ok
;;
-h|--help)
usage
-h | --help)
usage
;;
*)
usage
*)
usage
;;
esac
shift
@ -174,20 +174,20 @@ if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh
[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh
[ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
if [ $BATCH_MODE ]; then MACHINE_LOG_LEVEL=3; fi
# If --allow-service-list is specified, don't run anything, just list the supported services
if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then
if [ "$ALLOW_SERVICE_LIST" = 1 ]; then
declare -a HARDENING_EXCEPTIONS_LIST
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
template=$(grep "^HARDENING_EXCEPTION=" "$SCRIPT" | cut -d= -f2)
@ -198,8 +198,8 @@ if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then
fi
# If --set-hardening-level is specified, don't run anything, just apply config for each script
if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ] ; then
if ! grep -q "^[12345]$" <<< "$SET_HARDENING_LEVEL" ; then
if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ]; then
if ! grep -q "^[12345]$" <<<"$SET_HARDENING_LEVEL"; then
echo "Bad --set-hardening-level specified ('$SET_HARDENING_LEVEL'), expected 1 to 5"
exit 1
fi
@ -207,7 +207,7 @@ if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ] ; then
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
SCRIPT_BASENAME=$(basename $SCRIPT .sh)
script_level=$(grep "^HARDENING_LEVEL=" "$SCRIPT" | cut -d= -f2)
if [ -z "$script_level" ] ; then
if [ -z "$script_level" ]; then
echo "The script $SCRIPT_BASENAME doesn't have a hardening level, configuration untouched for it"
continue
fi
@ -226,11 +226,11 @@ fi
# Parse every scripts and execute them in the required mode
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
if [ ${#TEST_LIST[@]} -gt 0 ] ; then
if [ ${#TEST_LIST[@]} -gt 0 ]; then
# --only X has been specified at least once, is this script in my list ?
SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<< "$(basename $SCRIPT)")
SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<< "$SCRIPT_PREFIX")
if ! grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<< "${TEST_LIST[@]}"; then
SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<<"$(basename $SCRIPT)")
SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<<"$SCRIPT_PREFIX")
if ! grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<<"${TEST_LIST[@]}"; then
# not in the list
continue
fi
@ -258,30 +258,30 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
debug "Script $SCRIPT finished with exit code $SCRIPT_EXITCODE"
case $SCRIPT_EXITCODE in
0)
debug "$SCRIPT passed"
PASSED_CHECKS=$((PASSED_CHECKS+1))
if [ $AUDIT_ALL_ENABLE_PASSED = 1 ] ; then
SCRIPT_BASENAME=$(basename $SCRIPT .sh)
sed -i -re 's/^status=.+/status=enabled/' $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg
info "Status set to enabled in $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
fi
0)
debug "$SCRIPT passed"
PASSED_CHECKS=$((PASSED_CHECKS + 1))
if [ $AUDIT_ALL_ENABLE_PASSED = 1 ]; then
SCRIPT_BASENAME=$(basename $SCRIPT .sh)
sed -i -re 's/^status=.+/status=enabled/' $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg
info "Status set to enabled in $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
fi
;;
1)
debug "$SCRIPT failed"
FAILED_CHECKS=$((FAILED_CHECKS+1))
1)
debug "$SCRIPT failed"
FAILED_CHECKS=$((FAILED_CHECKS + 1))
;;
2)
debug "$SCRIPT is disabled"
DISABLED_CHECKS=$((DISABLED_CHECKS+1))
2)
debug "$SCRIPT is disabled"
DISABLED_CHECKS=$((DISABLED_CHECKS + 1))
;;
esac
TOTAL_CHECKS=$((TOTAL_CHECKS+1))
TOTAL_CHECKS=$((TOTAL_CHECKS + 1))
done
TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS-DISABLED_CHECKS))
TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS - DISABLED_CHECKS))
if [ $BATCH_MODE ]; then
BATCH_SUMMARY="AUDIT_SUMMARY "
@ -289,7 +289,7 @@ if [ $BATCH_MODE ]; then
BATCH_SUMMARY+="RUN_CHECKS:${TOTAL_TREATED_CHECKS:-0} "
BATCH_SUMMARY+="TOTAL_CHECKS_AVAIL:${TOTAL_CHECKS:-0}"
if [ $TOTAL_TREATED_CHECKS != 0 ]; then
CONFORMITY_PERCENTAGE=$(bc -l <<< "scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:$(printf "%s" "$CONFORMITY_PERCENTAGE")"
else
BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0
@ -297,17 +297,17 @@ if [ $BATCH_MODE ]; then
becho $BATCH_SUMMARY
else
printf "%40s\n" "################### SUMMARY ###################"
printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"
printf "%30s %s\n" "Total Runned Checks :" "$TOTAL_TREATED_CHECKS"
printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
ENABLED_CHECKS_PERCENTAGE=$(bc -l <<< "scale=2; ($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100")
CONFORMITY_PERCENTAGE=$(bc -l <<< "scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
printf "%30s %s %%\n" "Enabled Checks Percentage :" "$ENABLED_CHECKS_PERCENTAGE"
printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"
printf "%30s %s\n" "Total Runned Checks :" "$TOTAL_TREATED_CHECKS"
printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
ENABLED_CHECKS_PERCENTAGE=$(bc -l <<<"scale=2; ($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100")
CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
printf "%30s %s %%\n" "Enabled Checks Percentage :" "$ENABLED_CHECKS_PERCENTAGE"
if [ $TOTAL_TREATED_CHECKS != 0 ]; then
printf "%30s %s %%\n" "Conformity Percentage :" "$CONFORMITY_PERCENTAGE"
printf "%30s %s %%\n" "Conformity Percentage :" "$CONFORMITY_PERCENTAGE"
else
printf "%30s %s %%\n" "Conformity Percentage :" "N.A" # No check runned, avoid division by 0
printf "%30s %s %%\n" "Conformity Percentage :" "N.A" # No check runned, avoid division by 0
fi
fi

13
bin/hardening/1.1.1.1_disable_freevxfs.sh
View File

@ -20,9 +20,8 @@ DESCRIPTION="Disable mounting of freevxfs filesystems."
KERNEL_OPTION="CONFIG_VXFS_FS"
MODULE_NAME="freevxfs"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
@ -32,7 +31,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
is_kernel_option_enabled "$KERNEL_OPTION"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
@ -48,18 +47,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

13
bin/hardening/1.1.1.2_disable_jffs2.sh
View File

@ -20,9 +20,8 @@ DESCRIPTION="Disable mounting of jffs2 filesystems."
KERNEL_OPTION="CONFIG_JFFS2_FS"
MODULE_NAME="jffs2"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
@ -32,7 +31,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
is_kernel_option_enabled "$KERNEL_OPTION"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
@ -48,18 +47,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

13
bin/hardening/1.1.1.3_disable_hfs.sh
View File

@ -20,9 +20,8 @@ DESCRIPTION="Disable mounting of hfs filesystems."
KERNEL_OPTION="CONFIG_HFS_FS"
MODULE_FILE="hfs"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
@ -32,7 +31,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
is_kernel_option_enabled "$KERNEL_OPTION"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
@ -48,18 +47,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

13
bin/hardening/1.1.1.4_disable_hfsplus.sh
View File

@ -20,9 +20,8 @@ DESCRIPTION="Disable mounting of hfsplus filesystems."
KERNEL_OPTION="CONFIG_HFSPLUS_FS"
MODULE_FILE="hfsplus"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
@ -32,7 +31,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
is_kernel_option_enabled "$KERNEL_OPTION"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
@ -48,18 +47,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

13
bin/hardening/1.1.1.5_disable_udf.sh
View File

@ -20,9 +20,8 @@ DESCRIPTION="Disable mounting of udf filesystems."
KERNEL_OPTION="CONFIG_UDF_FS"
MODULE_FILE="udf"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
@ -32,7 +31,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
is_kernel_option_enabled "$KERNEL_OPTION"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
@ -48,18 +47,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

13
bin/hardening/1.1.1.6_disable_cramfs.sh
View File

@ -20,9 +20,8 @@ DESCRIPTION="Disable mounting of cramfs filesystems."
KERNEL_OPTION="CONFIG_CRAMFS"
MODULE_NAME="cramfs"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
@ -33,7 +32,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
is_kernel_option_enabled "$KERNEL_OPTION"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
@ -50,18 +49,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

13
bin/hardening/1.1.1.7_disable_squashfs.sh
View File

@ -20,9 +20,8 @@ DESCRIPTION="Disable mounting of squashfs filesytems."
KERNEL_OPTION="CONFIG_SQUASHFS"
MODULE_FILE="squashfs"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
@ -33,7 +32,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
is_kernel_option_enabled "$KERNEL_OPTION"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
@ -50,18 +49,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

18
bin/hardening/1.1.10_var_tmp_noexec.sh
View File

@ -22,7 +22,7 @@ PARTITION="/var/tmp"
OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
@ -40,16 +40,16 @@ audit () {
has_mounted_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
@ -62,7 +62,7 @@ apply () {
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
fi
fi
}
# This function will check config parameters required
@ -73,18 +73,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/1.1.11_var_log_partition.sh
View File

@ -21,7 +21,7 @@ DESCRIPTION="/var/log on separate partition."
PARTITION="/var/log"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
@ -41,7 +41,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
@ -60,18 +60,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/1.1.12_var_log_audit_partition.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="/var/log/audit on a separate partition."
PARTITION="/var/log/audit"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
@ -40,7 +40,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
@ -59,18 +59,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/1.1.13_home_partition.sh
View File

@ -21,7 +21,7 @@ DESCRIPTION="/home on a separate partition."
PARTITION="/home"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
@ -41,7 +41,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
@ -60,18 +60,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/1.1.14_home_nodev.sh
View File

@ -22,7 +22,7 @@ PARTITION="/home"
OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
@ -49,7 +49,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
@ -73,18 +73,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

10
bin/hardening/1.1.15_run_shm_nodev.sh
View File

@ -22,7 +22,7 @@ PARTITION="/run/shm"
OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
PARTITION=$(readlink -e "$PARTITION")
FNRET=0
@ -50,7 +50,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
@ -74,12 +74,12 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi

10
bin/hardening/1.1.16_run_shm_nosuid.sh
View File

@ -22,7 +22,7 @@ PARTITION="/run/shm"
OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
PARTITION=$(readlink -e "$PARTITION")
FNRET=0
@ -50,7 +50,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
@ -74,12 +74,12 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi

10
bin/hardening/1.1.17_run_shm_noexec.sh
View File

@ -22,7 +22,7 @@ PARTITION="/run/shm"
OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
PARTITION=$(readlink -e "$PARTITION")
FNRET=0
@ -50,7 +50,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
@ -74,12 +74,12 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi

12
bin/hardening/1.1.18_removable_device_nodev.sh
View File

@ -24,7 +24,7 @@ PARTITION="/media\S*"
OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying if there is $PARTITION like partition"
FNRET=0
is_a_partition "$PARTITION"
@ -44,7 +44,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 1 ]; then
@ -61,18 +61,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/1.1.19_removable_device_nosuid.sh
View File

@ -24,7 +24,7 @@ PARTITION="/media\S*"
OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying if there is $PARTITION like partition"
FNRET=0
is_a_partition "$PARTITION"
@ -44,7 +44,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 1 ]; then
@ -61,18 +61,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/1.1.20_removable_device_noexec.sh
View File

@ -24,7 +24,7 @@ PARTITION="/media\S*"
OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying if there is $PARTITION like partition"
FNRET=0
is_a_partition "$PARTITION"
@ -44,7 +44,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 1 ]; then
@ -61,18 +61,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

18
bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
View File

@ -18,13 +18,13 @@ HARDENING_LEVEL=2
DESCRIPTION="Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them."
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Checking if setuid is set on world writable Directories"
FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} )
RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'})
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then
crit "Some world writable directories are not on sticky bit mode!"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT"
else
ok "All world writable directories have a sticky bit"
@ -32,7 +32,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
@ -49,18 +49,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

14
bin/hardening/1.1.22_disable_automounting.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Disable automounting of devices."
SERVICE_NAME="autofs"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Checking if $SERVICE_NAME is enabled"
is_service_enabled "$SERVICE_NAME"
if [ "$FNRET" = 0 ]; then
@ -31,12 +31,12 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
info "Checking if $SERVICE_NAME is enabled"
is_service_enabled "$SERVICE_NAME"
if [ "$FNRET" = 0 ]; then
info "Disabling $SERVICE_NAME"
update-rc.d $SERVICE_NAME remove > /dev/null 2>&1
update-rc.d $SERVICE_NAME remove >/dev/null 2>&1
else
ok "$SERVICE_NAME is disabled"
fi
@ -49,18 +49,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/1.1.2_tmp_partition.sh
View File

@ -21,7 +21,7 @@ DESCRIPTION="Ensure /tmp is configured (Scored)"
PARTITION="/tmp"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
@ -41,7 +41,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
@ -60,18 +60,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

18
bin/hardening/1.1.3_tmp_nodev.sh
View File

@ -22,7 +22,7 @@ PARTITION="/tmp"
OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
@ -40,16 +40,16 @@ audit () {
has_mounted_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
@ -62,7 +62,7 @@ apply () {
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
fi
fi
}
# This function will check config parameters required
@ -73,18 +73,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/1.1.4_tmp_nosuid.sh
View File

@ -22,7 +22,7 @@ PARTITION="/tmp"
OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
@ -49,7 +49,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
@ -73,18 +73,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/1.1.5_tmp_noexec.sh
View File

@ -22,7 +22,7 @@ PARTITION="/tmp"
OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
@ -49,7 +49,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
@ -73,18 +73,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

14
bin/hardening/1.1.6_var_partition.sh
View File

@ -21,7 +21,7 @@ DESCRIPTION="/var on a separate partition."
PARTITION="/var"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
@ -38,12 +38,12 @@ audit () {
ok "$PARTITION is mounted"
fi
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
@ -62,18 +62,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

14
bin/hardening/1.1.7_var_tmp_partition.sh
View File

@ -21,7 +21,7 @@ DESCRIPTION="/var/tmp on a separate partition."
PARTITION="/var/tmp"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
@ -38,12 +38,12 @@ audit () {
ok "$PARTITION is mounted"
fi
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
@ -62,18 +62,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

18
bin/hardening/1.1.8_var_tmp_nodev.sh
View File

@ -22,7 +22,7 @@ PARTITION="/var/tmp"
OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
@ -40,16 +40,16 @@ audit () {
has_mounted_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
@ -62,7 +62,7 @@ apply () {
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
fi
fi
}
# This function will check config parameters required
@ -73,18 +73,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

18
bin/hardening/1.1.9_var_tmp_nosuid.sh
View File

@ -22,7 +22,7 @@ PARTITION="/var/tmp"
OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
@ -40,16 +40,16 @@ audit () {
has_mounted_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
@ -62,7 +62,7 @@ apply () {
elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION"
fi
fi
}
# This function will check config parameters required
@ -73,18 +73,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

16
bin/hardening/1.4.1_bootloader_ownership.sh
View File

@ -25,24 +25,24 @@ GROUP='root'
PERMISSIONS='400'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
fi
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
@ -87,18 +87,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/1.4.2_bootloader_password.sh
View File

@ -22,7 +22,7 @@ USER_PATTERN="^set superusers"
PWD_PATTERN="^password_pbkdf2"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
does_pattern_exist_in_file $FILE "$USER_PATTERN"
if [ "$FNRET" != 0 ]; then
crit "$USER_PATTERN not present in $FILE"
@ -38,7 +38,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
does_pattern_exist_in_file $FILE "$USER_PATTERN"
if [ "$FNRET" != 0 ]; then
warn "$USER_PATTERN not present in $FILE, please configure password for grub"
@ -69,18 +69,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/1.4.3_root_password.sh
View File

@ -21,7 +21,7 @@ FILE="/etc/shadow"
PATTERN="^root:[*\!]:"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
does_pattern_exist_in_file $FILE $PATTERN
if [ "$FNRET" != 1 ]; then
crit "$PATTERN is present in $FILE"
@ -31,7 +31,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
does_pattern_exist_in_file $FILE $PATTERN
if [ "$FNRET" != 1 ]; then
warn "$PATTERN is present in $FILE, please put a root password"
@ -48,18 +48,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

14
bin/hardening/1.5.1_restrict_core_dumps.sh
View File

@ -24,7 +24,7 @@ SYSCTL_PARAM='fs.suid_dumpable'
SYSCTL_EXP_RESULT=0
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
SEARCH_RES=0
LIMIT_FILES=""
if $SUDO_CMD [ -d $LIMIT_DIR ]; then
@ -57,7 +57,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN
if [ "$FNRET" != 0 ]; then
warn "$LIMIT_PATTERN not present in $LIMIT_FILE, adding at the end of $LIMIT_FILE"
@ -73,7 +73,7 @@ apply () {
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi
fi
}
@ -84,18 +84,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/1.5.2_enable_nx_support.sh
View File

@ -34,7 +34,7 @@ nx_supported_and_enabled() {
}
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
does_pattern_exist_in_dmesg $PATTERN
if [ "$FNRET" != 0 ]; then
nx_supported_and_enabled
@ -49,7 +49,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
does_pattern_exist_in_dmesg $PATTERN
if [ "$FNRET" != 0 ]; then
nx_supported_and_enabled
@ -70,18 +70,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/1.5.3_enable_randomized_vm_placement.sh
View File

@ -21,7 +21,7 @@ SYSCTL_PARAM='kernel.randomize_va_space'
SYSCTL_EXP_RESULT=2
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
@ -33,7 +33,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
@ -52,18 +52,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/1.5.4_disable_prelink.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Disable prelink to prevent libraries compromission."
PACKAGE='prelink'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!"
@ -31,7 +31,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it"
@ -51,18 +51,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

20
bin/hardening/1.6.2.1_enable_apparmor.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Activate AppArmor to enforce permissions control."
PACKAGE='apparmor'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is absent!"
@ -30,7 +30,7 @@ audit () {
ERROR=0
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
@ -44,12 +44,12 @@ audit () {
IFS=$d_IFS
if [ $ERROR = 0 ]; then
ok "$PACKAGE is configured"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed, please install $PACKAGE and configure it"
@ -59,7 +59,7 @@ apply () {
ERROR=0
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
@ -71,7 +71,7 @@ apply () {
fi
done
IFS=$d_IFS
if [ $ERROR = 1 ]; then
$SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor/" /etc/default/grub
$SUDO_CMD update-grub
@ -87,18 +87,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/1.7.1.1_remove_os_info_motd.sh
View File

@ -21,7 +21,7 @@ FILE='/etc/motd'
PATTERN='(\\v|\\r|\\m|\\s)'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
does_pattern_exist_in_file $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then
crit "$PATTERN is present in $FILE"
@ -31,7 +31,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
does_pattern_exist_in_file $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then
warn "$PATTERN is present in $FILE"
@ -48,18 +48,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/1.7.1.2_remove_os_info_issue.sh
View File

@ -21,7 +21,7 @@ FILE='/etc/issue'
PATTERN='(\\v|\\r|\\m|\\s)'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
does_pattern_exist_in_file $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then
crit "$PATTERN is present in $FILE"
@ -31,7 +31,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
does_pattern_exist_in_file $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then
warn "$PATTERN is present in $FILE"
@ -48,18 +48,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/1.7.1.3_remove_os_info_issue_net.sh
View File

@ -21,7 +21,7 @@ FILE='/etc/issue.net'
PATTERN='(\\v|\\r|\\m|\\s)'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
does_pattern_exist_in_file $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then
crit "$PATTERN is present in $FILE"
@ -31,7 +31,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
does_pattern_exist_in_file $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then
warn "$PATTERN is present in $FILE"
@ -48,18 +48,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/1.7.1.4_motd_perms.sh
View File

@ -23,7 +23,7 @@ GROUP='root'
FILE='/etc/motd'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
does_file_exist $FILE
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
@ -44,7 +44,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
does_file_exist $FILE
if [ "$FNRET" != 0 ]; then
info "$FILE does not exist"
@ -73,18 +73,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/1.7.1.5_etc_issue_perms.sh
View File

@ -23,7 +23,7 @@ GROUP='root'
FILE='/etc/issue'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
does_file_exist $FILE
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
@ -44,7 +44,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
does_file_exist $FILE
if [ "$FNRET" != 0 ]; then
info "$FILE does not exist"
@ -73,18 +73,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/1.7.1.6_etc_issue_net_perms.sh
View File

@ -23,7 +23,7 @@ GROUP='root'
FILE='/etc/issue.net'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
does_file_exist $FILE
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
@ -44,7 +44,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
does_file_exist $FILE
if [ "$FNRET" != 0 ]; then
info "$FILE does not exist"
@ -73,18 +73,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/1.7.2_graphical_warning_banners.sh
View File

@ -18,12 +18,12 @@ HARDENING_LEVEL=3
DESCRIPTION="Set graphical warning banner."
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Not implemented yet"
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
info "Not implemented yet"
}
@ -34,18 +34,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

16
bin/hardening/1.8_install_updates.sh
View File

@ -18,9 +18,9 @@ HARDENING_LEVEL=3
DESCRIPTION="Ensure updates, patches, and additional security software are installed (Not Scored)"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Checking if apt needs an update"
apt_update_if_needed
apt_update_if_needed
info "Fetching upgrades ..."
apt_check_updates "CIS_APT"
if [ $FNRET -gt 0 ]; then
@ -33,8 +33,8 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET -gt 0 ]; then
apply() {
if [ $FNRET -gt 0 ]; then
info "Applying Upgrades..."
DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' upgrade -y
else
@ -50,18 +50,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/2.1.1_disable_xinetd.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Ensure xinetd is not enabled."
PACKAGE='xinetd'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed"
@ -30,7 +30,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
warn "$PACKAGE is installed, purging"
@ -48,18 +48,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/2.1.2_disable_bsd_inetd.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Ensure bsd-inetd is not enabled."
PACKAGES='openbsd-inetd inetutils-inetd'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -32,7 +32,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -52,18 +52,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

16
bin/hardening/2.2.1.1_use_time_sync.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Ensure time synchronization is in use"
PACKAGES="ntp chrony"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
FOUND=false
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
@ -29,13 +29,13 @@ audit () {
FOUND=true
fi
done
if [ "$FOUND" = false ]; then
if [ "$FOUND" = false ]; then
crit "None of the following time sync packages are installed: $PACKAGES"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
:
}
@ -46,22 +46,20 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

60
bin/hardening/2.2.1.2_configure_ntp.sh
View File

@ -26,7 +26,7 @@ NTP_INIT_PATTERN='RUNASUSER=ntp'
NTP_INIT_FILE='/etc/init.d/ntp'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
@ -48,31 +48,31 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE
info "Checking $PACKAGE configuration"
fi
does_pattern_exist_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN
if [ "$FNRET" != 0 ]; then
warn "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE, adding it"
backup_file $NTP_CONF_FILE
add_end_of_file $NTP_CONF_FILE "restrict -4 default kod notrap nomodify nopeer noquery"
else
ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
fi
does_pattern_exist_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN"
if [ "$FNRET" != 0 ]; then
warn "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE, adding it"
backup_file $NTP_INIT_FILE
add_line_file_before_pattern $NTP_INIT_FILE $NTP_INIT_PATTERN "^UGID"
else
ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
fi
apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE
info "Checking $PACKAGE configuration"
fi
does_pattern_exist_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN
if [ "$FNRET" != 0 ]; then
warn "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE, adding it"
backup_file $NTP_CONF_FILE
add_end_of_file $NTP_CONF_FILE "restrict -4 default kod notrap nomodify nopeer noquery"
else
ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
fi
does_pattern_exist_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN"
if [ "$FNRET" != 0 ]; then
warn "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE, adding it"
backup_file $NTP_INIT_FILE
add_line_file_before_pattern $NTP_INIT_FILE $NTP_INIT_PATTERN "^UGID"
else
ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
fi
}
# This function will check config parameters required
@ -82,18 +82,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/2.2.1.3_configure_chrony.sh
View File

@ -24,7 +24,7 @@ CONF_DEFAULT_PATTERN='^(server|pool)'
CONF_FILE='/etc/chrony/chrony.conf'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
@ -40,7 +40,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
:
}
@ -51,18 +51,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/2.2.10_disable_http_server.sh
View File

@ -23,7 +23,7 @@ HARDENING_EXCEPTION=http
PACKAGES='nginx apache2 lighttpd micro-httpd mini-httpd yaws boa bozohttpd'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -35,7 +35,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -55,18 +55,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/2.2.11_disable_imap_pop.sh
View File

@ -23,7 +23,7 @@ HARDENING_EXCEPTION=mail
PACKAGES='citadel-server courier-imap cyrus-imapd-2.4 dovecot-imapd mailutils-imap4d courier-pop cyrus-pop3d-2.4 dovecot-pop3d heimdal-servers mailutils-pop3d popa3d solid-pop3d xmail'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -35,7 +35,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -55,18 +55,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/2.2.12_disable_samba.sh
View File

@ -23,7 +23,7 @@ PACKAGES='samba'
SERVICE='smbd'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -41,7 +41,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -68,18 +68,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/2.2.13_disable_http_proxy.sh
View File

@ -22,7 +22,7 @@ HARDENING_EXCEPTION=http
PACKAGES='squid3 squid'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -34,7 +34,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -54,18 +54,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/2.2.14_disable_snmp_server.sh
View File

@ -22,7 +22,7 @@ HARDENING_EXCEPTION=snmp
PACKAGES='snmpd'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -34,7 +34,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -54,18 +54,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

16
bin/hardening/2.2.15_mta_localhost.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Configure Mail Transfert Agent for Local-Only Mode."
HARDENING_EXCEPTION=mail
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Checking netport ports opened"
RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || :
RESULT=${RESULT:-}
@ -29,7 +29,7 @@ audit () {
ok "Nothing listens on 25 port, probably unix socket configured"
else
info "Checking $RESULT"
if $(grep -q "127.0.0.1" <<< $RESULT); then
if $(grep -q "127.0.0.1" <<<$RESULT); then
ok "MTA is configured to localhost only"
else
crit "MTA listens worldwide"
@ -38,7 +38,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
info "Checking netport ports opened"
RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || :
RESULT=${RESULT:-}
@ -47,7 +47,7 @@ apply () {
ok "Nothing listens on 25 port, probably unix socket configured"
else
info "Checking $RESULT"
if $(grep -q "127.0.0.1" <<< $RESULT); then
if $(grep -q "127.0.0.1" <<<$RESULT); then
ok "MTA is configured to localhost only"
else
warn "MTA listens worldwide, correct this considering your MTA"
@ -63,18 +63,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/2.2.16_disable_rsync.sh
View File

@ -25,7 +25,7 @@ RSYNC_DEFAULT_FILE='/etc/default/rsync'
RSYNC_DEFAULT_PATTERN_TO_SEARCH='RSYNC_ENABLE=true'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
ok "$PACKAGE is not installed"
@ -41,7 +41,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
ok "$PACKAGE is not installed"
@ -65,18 +65,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

14
bin/hardening/2.2.18_disable_telnet_server.sh
View File

@ -25,7 +25,7 @@ FILE='/etc/inetd.conf'
PATTERN='^telnet'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -48,7 +48,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -67,7 +67,7 @@ apply () {
if [ "$FNRET" = 0 ]; then
warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<<$PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN is not present in $FILE"
@ -83,18 +83,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/2.2.2_disable_xwindow_system.sh
View File

@ -23,7 +23,7 @@ HARDENING_EXCEPTION=x11
PACKAGES='xserver-xorg-core xserver-xorg-core-dbg xserver-common xserver-xephyr xserver-xfbdev tightvncserver vnc4server fglrx-driver xvfb xserver-xorg-video-nvidia-legacy-173xx xserver-xorg-video-nvidia-legacy-96xx xnest'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -35,7 +35,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -55,18 +55,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/2.2.3_disable_avahi_server.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Ensure Avahi server is not enabled."
PACKAGES='avahi-daemon libavahi-common-data libavahi-common3 libavahi-core7'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -32,7 +32,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -52,18 +52,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/2.2.4_disable_print_server.sh
View File

@ -22,7 +22,7 @@ HARDENING_EXCEPTION=cups
PACKAGES='libcups2 libcupscgi1 libcupsimage2 libcupsmime1 libcupsppdc1 cups-common cups-client cups-ppdc libcupsfilters1 cups-filters cups'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -34,7 +34,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -54,18 +54,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/2.2.5_disable_dhcp.sh
View File

@ -22,7 +22,7 @@ HARDENING_EXCEPTION=dhcp
PACKAGES='udhcpd isc-dhcp-server'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -34,7 +34,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -54,18 +54,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/2.2.6_disable_ldap.sh
View File

@ -22,7 +22,7 @@ HARDENING_EXCEPTION=ldap
PACKAGES='slapd'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -34,7 +34,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -54,18 +54,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/2.2.7_disable_nfs_rpc.sh
View File

@ -22,7 +22,7 @@ HARDENING_EXCEPTION=nfs
PACKAGES='rpcbind nfs-kernel-server'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -34,7 +34,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -54,18 +54,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/2.2.8_disable_dns_server.sh
View File

@ -22,7 +22,7 @@ HARDENING_EXCEPTION=dns
PACKAGES='bind9 unbound'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -34,7 +34,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -54,18 +54,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/2.2.9_disable_ftp.sh
View File

@ -23,7 +23,7 @@ HARDENING_EXCEPTION=ftp
PACKAGES='ftpd ftpd-ssl heimdal-servers inetutils-ftpd krb5-ftpd muddleftpd proftpd-basic pure-ftpd pure-ftpd-ldap pure-ftpd-mysql pure-ftpd-postgresql twoftpd-run vsftpd wzdftpd'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -35,7 +35,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -55,18 +55,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/2.3.1_disable_nis.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Ensure that Network Information Service is not installed. Recommend
PACKAGE='nis'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!"
@ -31,7 +31,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it"
@ -49,18 +49,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

16
bin/hardening/2.3.2_disable_rsh_client.sh
View File

@ -21,8 +21,8 @@ DESCRIPTION="Ensure rsh client is not installed, Recommended alternative : ssh."
PACKAGES='rsh-client rsh-redone-client heimdal-clients'
# This function will be called if the script status is on enabled / audit mode
audit () {
for PACKAGE in $PACKAGES; do
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed"
@ -33,8 +33,8 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
for PACKAGE in $PACKAGES; do
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
warn "$PACKAGE is installed, purging"
@ -53,18 +53,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/2.3.3_disable_talk_client.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Ensure talk client is not installed."
PACKAGES='talk inetutils-talk'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -32,7 +32,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -52,18 +52,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/2.3.4_disable_telnet_client.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Ensure telnet client is not installed."
PACKAGES='telnet'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -32,7 +32,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -52,18 +52,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/2.3.5_disable_ldap_client.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Ensure ldap client is not installed."
PACKAGES='ldap-utils'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -32,7 +32,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -52,18 +52,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

15
bin/hardening/3.1.1_disable_ip_forwarding.sh
View File

@ -1,6 +1,5 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
@ -23,7 +22,7 @@ SYSCTL_PARAMS='net.ipv4.ip_forward net.ipv6.conf.all.forwarding'
SYSCTL_EXP_RESULT=0
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for SYSCTL_PARAM in $SYSCTL_PARAMS; do
does_sysctl_param_exists "net.ipv6"
if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_PARAM =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
@ -40,13 +39,13 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for SYSCTL_PARAM in $SYSCTL_PARAMS; do
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null
sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
@ -62,18 +61,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

14
bin/hardening/3.1.2_disable_send_packet_redirects.sh
View File

@ -22,7 +22,7 @@ DESCRIPTION="Disable send packet redirects to prevent malicious ICMP corruption.
SYSCTL_PARAMS='net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -39,7 +39,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -48,7 +48,7 @@ apply () {
if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null
sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
@ -64,18 +64,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

14
bin/hardening/3.2.1_disable_source_routed_packets.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Disable source routed packet acceptance."
SYSCTL_PARAMS=''
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
does_sysctl_param_exists "net.ipv6"
if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
@ -40,7 +40,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -49,7 +49,7 @@ apply () {
if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT value -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null
sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
@ -73,18 +73,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

16
bin/hardening/3.2.2_disable_icmp_redirect.sh
View File

@ -20,14 +20,14 @@ DESCRIPTION="Disable ICMP redirect acceptance to prevent routing table corruptio
SYSCTL_PARAMS=''
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
does_sysctl_param_exists "net.ipv6"
if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
@ -41,7 +41,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -50,7 +50,7 @@ apply () {
if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null
sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
@ -74,18 +74,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

14
bin/hardening/3.2.3_disable_secure_icmp_redirect.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Disable secure ICMP redirect acceptance to prevent routing tables c
SYSCTL_PARAMS='net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure_redirects=0'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -37,7 +37,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -46,7 +46,7 @@ apply () {
if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null
sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
@ -62,18 +62,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

14
bin/hardening/3.2.4_log_martian_packets.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Log suspicious packets, like spoofed packets."
SYSCTL_PARAMS='net.ipv4.conf.all.log_martians=1 net.ipv4.conf.default.log_martians=1'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -37,7 +37,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -46,7 +46,7 @@ apply () {
if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null
sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
@ -62,18 +62,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

14
bin/hardening/3.2.5_ignore_broadcast_requests.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Ignore broadcast requests to prevent attacks such as Smurf attack."
SYSCTL_PARAMS='net.ipv4.icmp_echo_ignore_broadcasts=1'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -37,7 +37,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -46,7 +46,7 @@ apply () {
if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null
sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
@ -62,18 +62,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

16
bin/hardening/3.2.6_enable_bad_error_message_protection.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Enable bad error message protection to prevent logfiles fillup."
SYSCTL_PARAMS='net.ipv4.icmp_ignore_bogus_error_responses=1'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -37,7 +37,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -46,7 +46,7 @@ apply () {
if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null
sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
@ -62,20 +62,20 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi
fi

14
bin/hardening/3.2.7_enable_source_route_validation.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Enable RFC-recommended source route validation."
SYSCTL_PARAMS='net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -37,7 +37,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -46,7 +46,7 @@ apply () {
if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null
sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
@ -62,18 +62,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

14
bin/hardening/3.2.8_enable_tcp_syn_cookies.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Enable TCP-SYN cookie to prevent TCP-SYN flood attack."
SYSCTL_PARAMS='net.ipv4.tcp_syncookies=1'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -37,7 +37,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -46,7 +46,7 @@ apply () {
if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null
sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
@ -62,18 +62,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

14
bin/hardening/3.2.9_disable_ipv6_router_advertisement.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Disable IPv6 router advertisements."
SYSCTL_PARAMS='net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
does_sysctl_param_exists "net.ipv6"
if [ "$FNRET" != 0 ]; then
ok "ipv6 is disabled"
@ -42,7 +42,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
does_sysctl_param_exists "net.ipv6"
if [ "$FNRET" != 0 ]; then
ok "ipv6 is disabled"
@ -55,7 +55,7 @@ apply () {
if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT, fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null
sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
@ -72,18 +72,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

26
bin/hardening/3.3.1_install_tcp_wrapper.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Install TCP wrappers for simple access list management and standard
PACKAGE='tcpd'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
@ -30,14 +30,14 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE
fi
apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE
fi
}
# This function will check config parameters required
@ -47,18 +47,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/3.3.2_hosts_allow.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Create /etc/hosts.allow ."
FILE='/etc/hosts.allow'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
does_file_exist $FILE
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
@ -30,7 +30,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
does_file_exist $FILE
if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist, creating it"
@ -48,18 +48,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/3.3.3_hosts_deny.sh
View File

@ -21,7 +21,7 @@ FILE='/etc/hosts.deny'
PATTERN='ALL: ALL'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
does_file_exist $FILE
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
@ -37,7 +37,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
does_file_exist $FILE
if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist, creating it"
@ -62,18 +62,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/3.3.4_hosts_allow_permissions.sh
View File

@ -23,7 +23,7 @@ USER='root'
GROUP='root'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
@ -39,7 +39,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
@ -56,18 +56,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/3.3.5_hosts_deny_permissions.sh
View File

@ -23,7 +23,7 @@ USER='root'
GROUP='root'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
@ -39,7 +39,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
@ -56,18 +56,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/3.4.1_disable_dccp.sh
View File

@ -18,12 +18,12 @@ HARDENING_LEVEL=2
DESCRIPTION="Disable Datagram Congestion Control Protocol (DCCP)."
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Not implemented yet"
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
info "Not implemented yet"
}
@ -34,18 +34,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/3.4.2_disable_sctp.sh
View File

@ -18,12 +18,12 @@ HARDENING_LEVEL=2
DESCRIPTION="Disable Stream Control Transmission Protocol (SCTP)."
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Not implemented yet"
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
info "Not implemented yet"
}
@ -34,18 +34,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/3.4.3_disable_rds.sh
View File

@ -18,12 +18,12 @@ HARDENING_LEVEL=2
DESCRIPTION="Disable Reliable Datagram Sockets (RDS)."
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Not implemented yet"
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
info "Not implemented yet"
}
@ -34,18 +34,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/3.4.4_disable_tipc.sh
View File

@ -18,12 +18,12 @@ HARDENING_LEVEL=2
DESCRIPTION="Disable Transperent Inter-Process Communication (TIPC)."
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Not implemented yet"
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
info "Not implemented yet"
}
@ -34,18 +34,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/3.5.1.1_net_fw_default_policy_drop.sh
View File

@ -22,12 +22,12 @@ FW_CHAINS="INPUT FORWARD"
FW_POLICY="DROP"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
ipt=$($SUDO_CMD $PACKAGE -nL 2>/dev/null || true )
ipt=$($SUDO_CMD $PACKAGE -nL 2>/dev/null || true)
if [[ -z $ipt ]]; then
crit "Empty return from $PACKAGE command. Aborting..."
return
@ -50,7 +50,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
:
}
@ -61,12 +61,12 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi

28
bin/hardening/3.5_enable_firewall.sh
View File

@ -17,13 +17,13 @@ HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Ensure firewall is active (iptables is installed, does not check for its configuration)."
# Quick note here : CIS recommends your iptables rules to be persistent.
# Quick note here : CIS recommends your iptables rules to be persistent.
# Do as you want, but this script does not handle this
PACKAGE='iptables'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
@ -33,14 +33,14 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE
fi
apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE
fi
}
# This function will check config parameters required
@ -50,18 +50,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

18
bin/hardening/3.6_disable_wireless.sh
View File

@ -18,12 +18,12 @@ HARDENING_LEVEL=3
DESCRIPTION="Deactivate wireless interfaces."
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Not implemented yet"
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
info "Not implemented yet"
}
@ -34,14 +34,14 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
## Source Root Dir Parameter
#if [ ! -r /etc/default/cis-hardening ]; then
# echo "There is no /etc/default/cis-hardening file, cannot source CIS_ROOT_DIR variable, aborting"
@ -53,11 +53,11 @@ fi
# echo "No CIS_ROOT_DIR variable, aborting"
# exit 128
# fi
#fi
#fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/3.7_disable_ipv6.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Disable IPv6."
SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
does_sysctl_param_exists "net.ipv6"
if [ "$FNRET" != 0 ]; then
ok "ipv6 is disabled"
@ -42,7 +42,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
does_sysctl_param_exists "net.ipv6"
if [ "$FNRET" != 0 ]; then
ok "ipv6 is disabled"
@ -72,18 +72,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/4.1.1.1_audit_log_storage.sh
View File

@ -22,7 +22,7 @@ PATTERN='max_log_file'
VALUE=5
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
does_file_exist $FILE
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
@ -38,7 +38,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
does_file_exist $FILE
if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist, creating it"
@ -62,18 +62,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

34
bin/hardening/4.1.1.2_halt_when_audit_log_full.sh
View File

@ -21,29 +21,29 @@ FILE='/etc/audit/auditd.conf'
OPTIONS=''
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
does_file_exist $FILE
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
else
ok "$FILE exists, checking configuration"
for AUDIT_OPTION in $OPTIONS; do
AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in $FILE"
else
ok "$PATTERN is present in $FILE"
fi
AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in $FILE"
else
ok "$PATTERN is present in $FILE"
fi
done
fi
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
does_file_exist $FILE
if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist, creating it"
@ -79,7 +79,7 @@ check_config() {
}
create_config() {
cat << EOF
cat <<EOF
# shellcheck disable=2034
status=audit
# Put here the conf for auditd
@ -89,18 +89,18 @@ EOF
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

34
bin/hardening/4.1.1.3_keep_all_audit_logs.sh
View File

@ -21,29 +21,29 @@ FILE='/etc/audit/auditd.conf'
OPTIONS='max_log_file_action=keep_logs'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
does_file_exist $FILE
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
else
ok "$FILE exists, checking configuration"
for AUDIT_OPTION in $OPTIONS; do
AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in $FILE"
else
ok "$PATTERN is present in $FILE"
fi
AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in $FILE"
else
ok "$PATTERN is present in $FILE"
fi
done
fi
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
does_file_exist $FILE
if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist, creating it"
@ -61,7 +61,7 @@ apply () {
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^$AUDIT_PARAM"
if [ "$FNRET" != 0 ]; then
info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end"
info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end"
add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE"
else
info "Parameter $AUDIT_PARAM is present but with the wrong value -- Fixing"
@ -80,18 +80,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/4.1.10_record_dac_edit.sh
View File

@ -26,7 +26,7 @@ AUDIT_PARAMS='-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>
FILE='/etc/audit/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
@ -46,7 +46,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
@ -68,18 +68,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

Some files were not shown because too many files have changed in this diff Show More