mirror of
https://github.com/ovh/debian-cis.git
synced 2024-11-21 13:07:01 +01:00
IMP(shfmt): add shell formatter
This commit is contained in:
Thibault Ayanides
parent
bc1aa65b91
commit
3a342b784a
1
.gitignore
vendored
1
.gitignore
vendored
@ -0,0 +1 @@
|
||||
tmp/shfmt
|
||||
142
bin/hardening.sh
142
bin/hardening.sh
@ -28,7 +28,7 @@ SUDO_MODE=''
|
||||
BATCH_MODE=''
|
||||
|
||||
usage() {
|
||||
cat << EOF
|
||||
cat <<EOF
|
||||
$LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
|
||||
|
||||
--help -h
|
||||
@ -117,48 +117,48 @@ declare -a TEST_LIST ALLOWED_SERVICES_LIST
|
||||
while [[ $# > 0 ]]; do
|
||||
ARG="$1"
|
||||
case $ARG in
|
||||
--audit)
|
||||
AUDIT=1
|
||||
--audit)
|
||||
AUDIT=1
|
||||
;;
|
||||
--audit-all)
|
||||
AUDIT_ALL=1
|
||||
--audit-all)
|
||||
AUDIT_ALL=1
|
||||
;;
|
||||
--audit-all-enable-passed)
|
||||
AUDIT_ALL_ENABLE_PASSED=1
|
||||
--audit-all-enable-passed)
|
||||
AUDIT_ALL_ENABLE_PASSED=1
|
||||
;;
|
||||
--apply)
|
||||
APPLY=1
|
||||
--apply)
|
||||
APPLY=1
|
||||
;;
|
||||
--allow-service-list)
|
||||
ALLOW_SERVICE_LIST=1
|
||||
--allow-service-list)
|
||||
ALLOW_SERVICE_LIST=1
|
||||
;;
|
||||
--create-config-files-only)
|
||||
CREATE_CONFIG=1
|
||||
--create-config-files-only)
|
||||
CREATE_CONFIG=1
|
||||
;;
|
||||
--allow-service)
|
||||
ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2"
|
||||
shift
|
||||
--allow-service)
|
||||
ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2"
|
||||
shift
|
||||
;;
|
||||
--set-hardening-level)
|
||||
SET_HARDENING_LEVEL="$2"
|
||||
shift
|
||||
--set-hardening-level)
|
||||
SET_HARDENING_LEVEL="$2"
|
||||
shift
|
||||
;;
|
||||
--only)
|
||||
TEST_LIST[${#TEST_LIST[@]}]="$2"
|
||||
shift
|
||||
--only)
|
||||
TEST_LIST[${#TEST_LIST[@]}]="$2"
|
||||
shift
|
||||
;;
|
||||
--sudo)
|
||||
SUDO_MODE='--sudo'
|
||||
--sudo)
|
||||
SUDO_MODE='--sudo'
|
||||
;;
|
||||
--batch)
|
||||
BATCH_MODE='--batch'
|
||||
LOGLEVEL=ok
|
||||
--batch)
|
||||
BATCH_MODE='--batch'
|
||||
LOGLEVEL=ok
|
||||
;;
|
||||
-h|--help)
|
||||
usage
|
||||
-h | --help)
|
||||
usage
|
||||
;;
|
||||
*)
|
||||
usage
|
||||
*)
|
||||
usage
|
||||
;;
|
||||
esac
|
||||
shift
|
||||
@ -174,20 +174,20 @@ if [ -r /etc/default/cis-hardening ]; then
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh
|
||||
[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh
|
||||
[ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg
|
||||
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
|
||||
[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
|
||||
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
|
||||
[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
|
||||
|
||||
if [ $BATCH_MODE ]; then MACHINE_LOG_LEVEL=3; fi
|
||||
|
||||
# If --allow-service-list is specified, don't run anything, just list the supported services
|
||||
if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then
|
||||
if [ "$ALLOW_SERVICE_LIST" = 1 ]; then
|
||||
declare -a HARDENING_EXCEPTIONS_LIST
|
||||
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
|
||||
template=$(grep "^HARDENING_EXCEPTION=" "$SCRIPT" | cut -d= -f2)
|
||||
@ -198,8 +198,8 @@ if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then
|
||||
fi
|
||||
|
||||
# If --set-hardening-level is specified, don't run anything, just apply config for each script
|
||||
if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ] ; then
|
||||
if ! grep -q "^[12345]$" <<< "$SET_HARDENING_LEVEL" ; then
|
||||
if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ]; then
|
||||
if ! grep -q "^[12345]$" <<<"$SET_HARDENING_LEVEL"; then
|
||||
echo "Bad --set-hardening-level specified ('$SET_HARDENING_LEVEL'), expected 1 to 5"
|
||||
exit 1
|
||||
fi
|
||||
@ -207,7 +207,7 @@ if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ] ; then
|
||||
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
|
||||
SCRIPT_BASENAME=$(basename $SCRIPT .sh)
|
||||
script_level=$(grep "^HARDENING_LEVEL=" "$SCRIPT" | cut -d= -f2)
|
||||
if [ -z "$script_level" ] ; then
|
||||
if [ -z "$script_level" ]; then
|
||||
echo "The script $SCRIPT_BASENAME doesn't have a hardening level, configuration untouched for it"
|
||||
continue
|
||||
fi
|
||||
@ -226,11 +226,11 @@ fi
|
||||
|
||||
# Parse every scripts and execute them in the required mode
|
||||
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
|
||||
if [ ${#TEST_LIST[@]} -gt 0 ] ; then
|
||||
if [ ${#TEST_LIST[@]} -gt 0 ]; then
|
||||
# --only X has been specified at least once, is this script in my list ?
|
||||
SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<< "$(basename $SCRIPT)")
|
||||
SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<< "$SCRIPT_PREFIX")
|
||||
if ! grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<< "${TEST_LIST[@]}"; then
|
||||
SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<<"$(basename $SCRIPT)")
|
||||
SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<<"$SCRIPT_PREFIX")
|
||||
if ! grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<<"${TEST_LIST[@]}"; then
|
||||
# not in the list
|
||||
continue
|
||||
fi
|
||||
@ -258,30 +258,30 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
|
||||
|
||||
debug "Script $SCRIPT finished with exit code $SCRIPT_EXITCODE"
|
||||
case $SCRIPT_EXITCODE in
|
||||
0)
|
||||
debug "$SCRIPT passed"
|
||||
PASSED_CHECKS=$((PASSED_CHECKS+1))
|
||||
if [ $AUDIT_ALL_ENABLE_PASSED = 1 ] ; then
|
||||
SCRIPT_BASENAME=$(basename $SCRIPT .sh)
|
||||
sed -i -re 's/^status=.+/status=enabled/' $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg
|
||||
info "Status set to enabled in $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
|
||||
fi
|
||||
0)
|
||||
debug "$SCRIPT passed"
|
||||
PASSED_CHECKS=$((PASSED_CHECKS + 1))
|
||||
if [ $AUDIT_ALL_ENABLE_PASSED = 1 ]; then
|
||||
SCRIPT_BASENAME=$(basename $SCRIPT .sh)
|
||||
sed -i -re 's/^status=.+/status=enabled/' $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg
|
||||
info "Status set to enabled in $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
|
||||
fi
|
||||
;;
|
||||
1)
|
||||
debug "$SCRIPT failed"
|
||||
FAILED_CHECKS=$((FAILED_CHECKS+1))
|
||||
1)
|
||||
debug "$SCRIPT failed"
|
||||
FAILED_CHECKS=$((FAILED_CHECKS + 1))
|
||||
;;
|
||||
2)
|
||||
debug "$SCRIPT is disabled"
|
||||
DISABLED_CHECKS=$((DISABLED_CHECKS+1))
|
||||
2)
|
||||
debug "$SCRIPT is disabled"
|
||||
DISABLED_CHECKS=$((DISABLED_CHECKS + 1))
|
||||
;;
|
||||
esac
|
||||
|
||||
TOTAL_CHECKS=$((TOTAL_CHECKS+1))
|
||||
TOTAL_CHECKS=$((TOTAL_CHECKS + 1))
|
||||
|
||||
done
|
||||
|
||||
TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS-DISABLED_CHECKS))
|
||||
TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS - DISABLED_CHECKS))
|
||||
|
||||
if [ $BATCH_MODE ]; then
|
||||
BATCH_SUMMARY="AUDIT_SUMMARY "
|
||||
@ -289,7 +289,7 @@ if [ $BATCH_MODE ]; then
|
||||
BATCH_SUMMARY+="RUN_CHECKS:${TOTAL_TREATED_CHECKS:-0} "
|
||||
BATCH_SUMMARY+="TOTAL_CHECKS_AVAIL:${TOTAL_CHECKS:-0}"
|
||||
if [ $TOTAL_TREATED_CHECKS != 0 ]; then
|
||||
CONFORMITY_PERCENTAGE=$(bc -l <<< "scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
|
||||
CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
|
||||
BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:$(printf "%s" "$CONFORMITY_PERCENTAGE")"
|
||||
else
|
||||
BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0
|
||||
@ -297,17 +297,17 @@ if [ $BATCH_MODE ]; then
|
||||
becho $BATCH_SUMMARY
|
||||
else
|
||||
printf "%40s\n" "################### SUMMARY ###################"
|
||||
printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"
|
||||
printf "%30s %s\n" "Total Runned Checks :" "$TOTAL_TREATED_CHECKS"
|
||||
printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
|
||||
printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
|
||||
|
||||
ENABLED_CHECKS_PERCENTAGE=$(bc -l <<< "scale=2; ($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100")
|
||||
CONFORMITY_PERCENTAGE=$(bc -l <<< "scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
|
||||
printf "%30s %s %%\n" "Enabled Checks Percentage :" "$ENABLED_CHECKS_PERCENTAGE"
|
||||
printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"
|
||||
printf "%30s %s\n" "Total Runned Checks :" "$TOTAL_TREATED_CHECKS"
|
||||
printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
|
||||
printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
|
||||
|
||||
ENABLED_CHECKS_PERCENTAGE=$(bc -l <<<"scale=2; ($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100")
|
||||
CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
|
||||
printf "%30s %s %%\n" "Enabled Checks Percentage :" "$ENABLED_CHECKS_PERCENTAGE"
|
||||
if [ $TOTAL_TREATED_CHECKS != 0 ]; then
|
||||
printf "%30s %s %%\n" "Conformity Percentage :" "$CONFORMITY_PERCENTAGE"
|
||||
printf "%30s %s %%\n" "Conformity Percentage :" "$CONFORMITY_PERCENTAGE"
|
||||
else
|
||||
printf "%30s %s %%\n" "Conformity Percentage :" "N.A" # No check runned, avoid division by 0
|
||||
printf "%30s %s %%\n" "Conformity Percentage :" "N.A" # No check runned, avoid division by 0
|
||||
fi
|
||||
fi
|
||||
|
||||
@ -20,9 +20,8 @@ DESCRIPTION="Disable mounting of freevxfs filesystems."
|
||||
KERNEL_OPTION="CONFIG_VXFS_FS"
|
||||
MODULE_NAME="freevxfs"
|
||||
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$KERNEL_OPTION is enabled!"
|
||||
@ -32,7 +31,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
is_kernel_option_enabled "$KERNEL_OPTION"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
||||
@ -48,18 +47,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -20,9 +20,8 @@ DESCRIPTION="Disable mounting of jffs2 filesystems."
|
||||
KERNEL_OPTION="CONFIG_JFFS2_FS"
|
||||
MODULE_NAME="jffs2"
|
||||
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$KERNEL_OPTION is enabled!"
|
||||
@ -32,7 +31,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
is_kernel_option_enabled "$KERNEL_OPTION"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
||||
@ -48,18 +47,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -20,9 +20,8 @@ DESCRIPTION="Disable mounting of hfs filesystems."
|
||||
KERNEL_OPTION="CONFIG_HFS_FS"
|
||||
MODULE_FILE="hfs"
|
||||
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$KERNEL_OPTION is enabled!"
|
||||
@ -32,7 +31,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
is_kernel_option_enabled "$KERNEL_OPTION"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
||||
@ -48,18 +47,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -20,9 +20,8 @@ DESCRIPTION="Disable mounting of hfsplus filesystems."
|
||||
KERNEL_OPTION="CONFIG_HFSPLUS_FS"
|
||||
MODULE_FILE="hfsplus"
|
||||
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$KERNEL_OPTION is enabled!"
|
||||
@ -32,7 +31,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
is_kernel_option_enabled "$KERNEL_OPTION"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
||||
@ -48,18 +47,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -20,9 +20,8 @@ DESCRIPTION="Disable mounting of udf filesystems."
|
||||
KERNEL_OPTION="CONFIG_UDF_FS"
|
||||
MODULE_FILE="udf"
|
||||
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$KERNEL_OPTION is enabled!"
|
||||
@ -32,7 +31,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
is_kernel_option_enabled "$KERNEL_OPTION"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
||||
@ -48,18 +47,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -20,9 +20,8 @@ DESCRIPTION="Disable mounting of cramfs filesystems."
|
||||
KERNEL_OPTION="CONFIG_CRAMFS"
|
||||
MODULE_NAME="cramfs"
|
||||
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$KERNEL_OPTION is enabled!"
|
||||
@ -33,7 +32,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
is_kernel_option_enabled "$KERNEL_OPTION"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
||||
@ -50,18 +49,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -20,9 +20,8 @@ DESCRIPTION="Disable mounting of squashfs filesytems."
|
||||
KERNEL_OPTION="CONFIG_SQUASHFS"
|
||||
MODULE_FILE="squashfs"
|
||||
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$KERNEL_OPTION is enabled!"
|
||||
@ -33,7 +32,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
is_kernel_option_enabled "$KERNEL_OPTION"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
||||
@ -50,18 +49,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -22,7 +22,7 @@ PARTITION="/var/tmp"
|
||||
OPTION="noexec"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
@ -40,16 +40,16 @@ audit () {
|
||||
has_mounted_option "$PARTITION" "$OPTION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
warn "$PARTITION is not mounted with $OPTION at runtime"
|
||||
FNRET=3
|
||||
FNRET=3
|
||||
else
|
||||
ok "$PARTITION mounted with $OPTION"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ "$FNRET" = 2 ]; then
|
||||
@ -62,7 +62,7 @@ apply () {
|
||||
elif [ "$FNRET" = 3 ]; then
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition "$PARTITION"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
@ -73,18 +73,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -21,7 +21,7 @@ DESCRIPTION="/var/log on separate partition."
|
||||
PARTITION="/var/log"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
@ -41,7 +41,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ "$FNRET" = 2 ]; then
|
||||
@ -60,18 +60,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -20,7 +20,7 @@ DESCRIPTION="/var/log/audit on a separate partition."
|
||||
PARTITION="/var/log/audit"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
@ -40,7 +40,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ "$FNRET" = 2 ]; then
|
||||
@ -59,18 +59,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -21,7 +21,7 @@ DESCRIPTION="/home on a separate partition."
|
||||
PARTITION="/home"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
@ -41,7 +41,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ "$FNRET" = 2 ]; then
|
||||
@ -60,18 +60,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -22,7 +22,7 @@ PARTITION="/home"
|
||||
OPTION="nodev"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
@ -49,7 +49,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ "$FNRET" = 2 ]; then
|
||||
@ -73,18 +73,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -22,7 +22,7 @@ PARTITION="/run/shm"
|
||||
OPTION="nodev"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
PARTITION=$(readlink -e "$PARTITION")
|
||||
FNRET=0
|
||||
@ -50,7 +50,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ "$FNRET" = 2 ]; then
|
||||
@ -74,12 +74,12 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
|
||||
@ -22,7 +22,7 @@ PARTITION="/run/shm"
|
||||
OPTION="nosuid"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
PARTITION=$(readlink -e "$PARTITION")
|
||||
FNRET=0
|
||||
@ -50,7 +50,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ "$FNRET" = 2 ]; then
|
||||
@ -74,12 +74,12 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
|
||||
@ -22,7 +22,7 @@ PARTITION="/run/shm"
|
||||
OPTION="noexec"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
PARTITION=$(readlink -e "$PARTITION")
|
||||
FNRET=0
|
||||
@ -50,7 +50,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ "$FNRET" = 2 ]; then
|
||||
@ -74,12 +74,12 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
|
||||
@ -24,7 +24,7 @@ PARTITION="/media\S*"
|
||||
OPTION="nodev"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
info "Verifying if there is $PARTITION like partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
@ -44,7 +44,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ "$FNRET" = 1 ]; then
|
||||
@ -61,18 +61,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -24,7 +24,7 @@ PARTITION="/media\S*"
|
||||
OPTION="nosuid"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
info "Verifying if there is $PARTITION like partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
@ -44,7 +44,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ "$FNRET" = 1 ]; then
|
||||
@ -61,18 +61,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -24,7 +24,7 @@ PARTITION="/media\S*"
|
||||
OPTION="noexec"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
info "Verifying if there is $PARTITION like partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
@ -44,7 +44,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ "$FNRET" = 1 ]; then
|
||||
@ -61,18 +61,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -18,13 +18,13 @@ HARDENING_LEVEL=2
|
||||
DESCRIPTION="Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them."
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
info "Checking if setuid is set on world writable Directories"
|
||||
FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} )
|
||||
RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
|
||||
FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'})
|
||||
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
crit "Some world writable directories are not on sticky bit mode!"
|
||||
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
|
||||
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
|
||||
crit "$FORMATTED_RESULT"
|
||||
else
|
||||
ok "All world writable directories have a sticky bit"
|
||||
@ -32,7 +32,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
|
||||
@ -49,18 +49,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -20,7 +20,7 @@ DESCRIPTION="Disable automounting of devices."
|
||||
SERVICE_NAME="autofs"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
info "Checking if $SERVICE_NAME is enabled"
|
||||
is_service_enabled "$SERVICE_NAME"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
@ -31,12 +31,12 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
info "Checking if $SERVICE_NAME is enabled"
|
||||
is_service_enabled "$SERVICE_NAME"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
info "Disabling $SERVICE_NAME"
|
||||
update-rc.d $SERVICE_NAME remove > /dev/null 2>&1
|
||||
update-rc.d $SERVICE_NAME remove >/dev/null 2>&1
|
||||
else
|
||||
ok "$SERVICE_NAME is disabled"
|
||||
fi
|
||||
@ -49,18 +49,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -21,7 +21,7 @@ DESCRIPTION="Ensure /tmp is configured (Scored)"
|
||||
PARTITION="/tmp"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
@ -41,7 +41,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ "$FNRET" = 2 ]; then
|
||||
@ -60,18 +60,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -22,7 +22,7 @@ PARTITION="/tmp"
|
||||
OPTION="nodev"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
@ -40,16 +40,16 @@ audit () {
|
||||
has_mounted_option "$PARTITION" "$OPTION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
warn "$PARTITION is not mounted with $OPTION at runtime"
|
||||
FNRET=3
|
||||
FNRET=3
|
||||
else
|
||||
ok "$PARTITION mounted with $OPTION"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ "$FNRET" = 2 ]; then
|
||||
@ -62,7 +62,7 @@ apply () {
|
||||
elif [ "$FNRET" = 3 ]; then
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition "$PARTITION"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
@ -73,18 +73,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -22,7 +22,7 @@ PARTITION="/tmp"
|
||||
OPTION="nosuid"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
@ -49,7 +49,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ "$FNRET" = 2 ]; then
|
||||
@ -73,18 +73,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -22,7 +22,7 @@ PARTITION="/tmp"
|
||||
OPTION="noexec"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
@ -49,7 +49,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ "$FNRET" = 2 ]; then
|
||||
@ -73,18 +73,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -21,7 +21,7 @@ DESCRIPTION="/var on a separate partition."
|
||||
PARTITION="/var"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
@ -38,12 +38,12 @@ audit () {
|
||||
ok "$PARTITION is mounted"
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ "$FNRET" = 2 ]; then
|
||||
@ -62,18 +62,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -21,7 +21,7 @@ DESCRIPTION="/var/tmp on a separate partition."
|
||||
PARTITION="/var/tmp"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
@ -38,12 +38,12 @@ audit () {
|
||||
ok "$PARTITION is mounted"
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ "$FNRET" = 2 ]; then
|
||||
@ -62,18 +62,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -22,7 +22,7 @@ PARTITION="/var/tmp"
|
||||
OPTION="nodev"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
@ -40,16 +40,16 @@ audit () {
|
||||
has_mounted_option "$PARTITION" "$OPTION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
warn "$PARTITION is not mounted with $OPTION at runtime"
|
||||
FNRET=3
|
||||
FNRET=3
|
||||
else
|
||||
ok "$PARTITION mounted with $OPTION"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ "$FNRET" = 2 ]; then
|
||||
@ -62,7 +62,7 @@ apply () {
|
||||
elif [ "$FNRET" = 3 ]; then
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition "$PARTITION"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
@ -73,18 +73,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -22,7 +22,7 @@ PARTITION="/var/tmp"
|
||||
OPTION="nosuid"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
info "Verifying that $PARTITION is a partition"
|
||||
FNRET=0
|
||||
is_a_partition "$PARTITION"
|
||||
@ -40,16 +40,16 @@ audit () {
|
||||
has_mounted_option "$PARTITION" "$OPTION"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
warn "$PARTITION is not mounted with $OPTION at runtime"
|
||||
FNRET=3
|
||||
FNRET=3
|
||||
else
|
||||
ok "$PARTITION mounted with $OPTION"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PARTITION is correctly set"
|
||||
elif [ "$FNRET" = 2 ]; then
|
||||
@ -62,7 +62,7 @@ apply () {
|
||||
elif [ "$FNRET" = 3 ]; then
|
||||
info "Remounting $PARTITION from fstab"
|
||||
remount_partition "$PARTITION"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
@ -73,18 +73,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -25,24 +25,24 @@ GROUP='root'
|
||||
PERMISSIONS='400'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||
fi
|
||||
fi
|
||||
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
@ -87,18 +87,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -22,7 +22,7 @@ USER_PATTERN="^set superusers"
|
||||
PWD_PATTERN="^password_pbkdf2"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
does_pattern_exist_in_file $FILE "$USER_PATTERN"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$USER_PATTERN not present in $FILE"
|
||||
@ -38,7 +38,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
does_pattern_exist_in_file $FILE "$USER_PATTERN"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "$USER_PATTERN not present in $FILE, please configure password for grub"
|
||||
@ -69,18 +69,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -21,7 +21,7 @@ FILE="/etc/shadow"
|
||||
PATTERN="^root:[*\!]:"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
does_pattern_exist_in_file $FILE $PATTERN
|
||||
if [ "$FNRET" != 1 ]; then
|
||||
crit "$PATTERN is present in $FILE"
|
||||
@ -31,7 +31,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
does_pattern_exist_in_file $FILE $PATTERN
|
||||
if [ "$FNRET" != 1 ]; then
|
||||
warn "$PATTERN is present in $FILE, please put a root password"
|
||||
@ -48,18 +48,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -24,7 +24,7 @@ SYSCTL_PARAM='fs.suid_dumpable'
|
||||
SYSCTL_EXP_RESULT=0
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
SEARCH_RES=0
|
||||
LIMIT_FILES=""
|
||||
if $SUDO_CMD [ -d $LIMIT_DIR ]; then
|
||||
@ -57,7 +57,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "$LIMIT_PATTERN not present in $LIMIT_FILE, adding at the end of $LIMIT_FILE"
|
||||
@ -73,7 +73,7 @@ apply () {
|
||||
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||
else
|
||||
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
|
||||
fi
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
@ -84,18 +84,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -34,7 +34,7 @@ nx_supported_and_enabled() {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
does_pattern_exist_in_dmesg $PATTERN
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
nx_supported_and_enabled
|
||||
@ -49,7 +49,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
does_pattern_exist_in_dmesg $PATTERN
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
nx_supported_and_enabled
|
||||
@ -70,18 +70,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -21,7 +21,7 @@ SYSCTL_PARAM='kernel.randomize_va_space'
|
||||
SYSCTL_EXP_RESULT=2
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
|
||||
@ -33,7 +33,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
|
||||
@ -52,18 +52,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -20,7 +20,7 @@ DESCRIPTION="Disable prelink to prevent libraries compromission."
|
||||
PACKAGE='prelink'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PACKAGE is installed!"
|
||||
@ -31,7 +31,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PACKAGE is installed, purging it"
|
||||
@ -51,18 +51,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -20,7 +20,7 @@ DESCRIPTION="Activate AppArmor to enforce permissions control."
|
||||
PACKAGE='apparmor'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PACKAGE is absent!"
|
||||
@ -30,7 +30,7 @@ audit () {
|
||||
|
||||
ERROR=0
|
||||
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
|
||||
|
||||
|
||||
# define custom IFS and save default one
|
||||
d_IFS=$IFS
|
||||
c_IFS=$'\n'
|
||||
@ -44,12 +44,12 @@ audit () {
|
||||
IFS=$d_IFS
|
||||
if [ $ERROR = 0 ]; then
|
||||
ok "$PACKAGE is configured"
|
||||
|
||||
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PACKAGE is not installed, please install $PACKAGE and configure it"
|
||||
@ -59,7 +59,7 @@ apply () {
|
||||
|
||||
ERROR=0
|
||||
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
|
||||
|
||||
|
||||
# define custom IFS and save default one
|
||||
d_IFS=$IFS
|
||||
c_IFS=$'\n'
|
||||
@ -71,7 +71,7 @@ apply () {
|
||||
fi
|
||||
done
|
||||
IFS=$d_IFS
|
||||
|
||||
|
||||
if [ $ERROR = 1 ]; then
|
||||
$SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor/" /etc/default/grub
|
||||
$SUDO_CMD update-grub
|
||||
@ -87,18 +87,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -21,7 +21,7 @@ FILE='/etc/motd'
|
||||
PATTERN='(\\v|\\r|\\m|\\s)'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
does_pattern_exist_in_file $FILE "$PATTERN"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PATTERN is present in $FILE"
|
||||
@ -31,7 +31,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
does_pattern_exist_in_file $FILE "$PATTERN"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
warn "$PATTERN is present in $FILE"
|
||||
@ -48,18 +48,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -21,7 +21,7 @@ FILE='/etc/issue'
|
||||
PATTERN='(\\v|\\r|\\m|\\s)'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
does_pattern_exist_in_file $FILE "$PATTERN"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PATTERN is present in $FILE"
|
||||
@ -31,7 +31,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
does_pattern_exist_in_file $FILE "$PATTERN"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
warn "$PATTERN is present in $FILE"
|
||||
@ -48,18 +48,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -21,7 +21,7 @@ FILE='/etc/issue.net'
|
||||
PATTERN='(\\v|\\r|\\m|\\s)'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
does_pattern_exist_in_file $FILE "$PATTERN"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PATTERN is present in $FILE"
|
||||
@ -31,7 +31,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
does_pattern_exist_in_file $FILE "$PATTERN"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
warn "$PATTERN is present in $FILE"
|
||||
@ -48,18 +48,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -23,7 +23,7 @@ GROUP='root'
|
||||
FILE='/etc/motd'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
does_file_exist $FILE
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
@ -44,7 +44,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
does_file_exist $FILE
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
info "$FILE does not exist"
|
||||
@ -73,18 +73,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -23,7 +23,7 @@ GROUP='root'
|
||||
FILE='/etc/issue'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
does_file_exist $FILE
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
@ -44,7 +44,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
does_file_exist $FILE
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
info "$FILE does not exist"
|
||||
@ -73,18 +73,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -23,7 +23,7 @@ GROUP='root'
|
||||
FILE='/etc/issue.net'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
does_file_exist $FILE
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
@ -44,7 +44,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
does_file_exist $FILE
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
info "$FILE does not exist"
|
||||
@ -73,18 +73,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -18,12 +18,12 @@ HARDENING_LEVEL=3
|
||||
DESCRIPTION="Set graphical warning banner."
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
info "Not implemented yet"
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
info "Not implemented yet"
|
||||
}
|
||||
|
||||
@ -34,18 +34,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -18,9 +18,9 @@ HARDENING_LEVEL=3
|
||||
DESCRIPTION="Ensure updates, patches, and additional security software are installed (Not Scored)"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
info "Checking if apt needs an update"
|
||||
apt_update_if_needed
|
||||
apt_update_if_needed
|
||||
info "Fetching upgrades ..."
|
||||
apt_check_updates "CIS_APT"
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
@ -33,8 +33,8 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
apply() {
|
||||
if [ $FNRET -gt 0 ]; then
|
||||
info "Applying Upgrades..."
|
||||
DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' upgrade -y
|
||||
else
|
||||
@ -50,18 +50,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -20,7 +20,7 @@ DESCRIPTION="Ensure xinetd is not enabled."
|
||||
PACKAGE='xinetd'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PACKAGE is installed"
|
||||
@ -30,7 +30,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
warn "$PACKAGE is installed, purging"
|
||||
@ -48,18 +48,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -20,7 +20,7 @@ DESCRIPTION="Ensure bsd-inetd is not enabled."
|
||||
PACKAGES='openbsd-inetd inetutils-inetd'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
@ -32,7 +32,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
@ -52,18 +52,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -20,7 +20,7 @@ DESCRIPTION="Ensure time synchronization is in use"
|
||||
PACKAGES="ntp chrony"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
FOUND=false
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
@ -29,13 +29,13 @@ audit () {
|
||||
FOUND=true
|
||||
fi
|
||||
done
|
||||
if [ "$FOUND" = false ]; then
|
||||
if [ "$FOUND" = false ]; then
|
||||
crit "None of the following time sync packages are installed: $PACKAGES"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
:
|
||||
}
|
||||
|
||||
@ -46,22 +46,20 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
||||
|
||||
|
||||
@ -26,7 +26,7 @@ NTP_INIT_PATTERN='RUNASUSER=ntp'
|
||||
NTP_INIT_FILE='/etc/init.d/ntp'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PACKAGE is not installed!"
|
||||
@ -48,31 +48,31 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PACKAGE is installed"
|
||||
else
|
||||
crit "$PACKAGE is absent, installing it"
|
||||
apt_install $PACKAGE
|
||||
info "Checking $PACKAGE configuration"
|
||||
fi
|
||||
does_pattern_exist_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE, adding it"
|
||||
backup_file $NTP_CONF_FILE
|
||||
add_end_of_file $NTP_CONF_FILE "restrict -4 default kod notrap nomodify nopeer noquery"
|
||||
else
|
||||
ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
|
||||
fi
|
||||
does_pattern_exist_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE, adding it"
|
||||
backup_file $NTP_INIT_FILE
|
||||
add_line_file_before_pattern $NTP_INIT_FILE $NTP_INIT_PATTERN "^UGID"
|
||||
else
|
||||
ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
|
||||
fi
|
||||
apply() {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PACKAGE is installed"
|
||||
else
|
||||
crit "$PACKAGE is absent, installing it"
|
||||
apt_install $PACKAGE
|
||||
info "Checking $PACKAGE configuration"
|
||||
fi
|
||||
does_pattern_exist_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE, adding it"
|
||||
backup_file $NTP_CONF_FILE
|
||||
add_end_of_file $NTP_CONF_FILE "restrict -4 default kod notrap nomodify nopeer noquery"
|
||||
else
|
||||
ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
|
||||
fi
|
||||
does_pattern_exist_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE, adding it"
|
||||
backup_file $NTP_INIT_FILE
|
||||
add_line_file_before_pattern $NTP_INIT_FILE $NTP_INIT_PATTERN "^UGID"
|
||||
else
|
||||
ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
@ -82,18 +82,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -24,7 +24,7 @@ CONF_DEFAULT_PATTERN='^(server|pool)'
|
||||
CONF_FILE='/etc/chrony/chrony.conf'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PACKAGE is not installed!"
|
||||
@ -40,7 +40,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
:
|
||||
}
|
||||
|
||||
@ -51,18 +51,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -23,7 +23,7 @@ HARDENING_EXCEPTION=http
|
||||
PACKAGES='nginx apache2 lighttpd micro-httpd mini-httpd yaws boa bozohttpd'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
@ -35,7 +35,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
@ -55,18 +55,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -23,7 +23,7 @@ HARDENING_EXCEPTION=mail
|
||||
PACKAGES='citadel-server courier-imap cyrus-imapd-2.4 dovecot-imapd mailutils-imap4d courier-pop cyrus-pop3d-2.4 dovecot-pop3d heimdal-servers mailutils-pop3d popa3d solid-pop3d xmail'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
@ -35,7 +35,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
@ -55,18 +55,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -23,7 +23,7 @@ PACKAGES='samba'
|
||||
SERVICE='smbd'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
@ -41,7 +41,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
@ -68,18 +68,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -22,7 +22,7 @@ HARDENING_EXCEPTION=http
|
||||
PACKAGES='squid3 squid'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
@ -34,7 +34,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
@ -54,18 +54,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -22,7 +22,7 @@ HARDENING_EXCEPTION=snmp
|
||||
PACKAGES='snmpd'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
@ -34,7 +34,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
@ -54,18 +54,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -20,7 +20,7 @@ DESCRIPTION="Configure Mail Transfert Agent for Local-Only Mode."
|
||||
HARDENING_EXCEPTION=mail
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
info "Checking netport ports opened"
|
||||
RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || :
|
||||
RESULT=${RESULT:-}
|
||||
@ -29,7 +29,7 @@ audit () {
|
||||
ok "Nothing listens on 25 port, probably unix socket configured"
|
||||
else
|
||||
info "Checking $RESULT"
|
||||
if $(grep -q "127.0.0.1" <<< $RESULT); then
|
||||
if $(grep -q "127.0.0.1" <<<$RESULT); then
|
||||
ok "MTA is configured to localhost only"
|
||||
else
|
||||
crit "MTA listens worldwide"
|
||||
@ -38,7 +38,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
info "Checking netport ports opened"
|
||||
RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || :
|
||||
RESULT=${RESULT:-}
|
||||
@ -47,7 +47,7 @@ apply () {
|
||||
ok "Nothing listens on 25 port, probably unix socket configured"
|
||||
else
|
||||
info "Checking $RESULT"
|
||||
if $(grep -q "127.0.0.1" <<< $RESULT); then
|
||||
if $(grep -q "127.0.0.1" <<<$RESULT); then
|
||||
ok "MTA is configured to localhost only"
|
||||
else
|
||||
warn "MTA listens worldwide, correct this considering your MTA"
|
||||
@ -63,18 +63,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -25,7 +25,7 @@ RSYNC_DEFAULT_FILE='/etc/default/rsync'
|
||||
RSYNC_DEFAULT_PATTERN_TO_SEARCH='RSYNC_ENABLE=true'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
ok "$PACKAGE is not installed"
|
||||
@ -41,7 +41,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
ok "$PACKAGE is not installed"
|
||||
@ -65,18 +65,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -25,7 +25,7 @@ FILE='/etc/inetd.conf'
|
||||
PATTERN='^telnet'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
@ -48,7 +48,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
@ -67,7 +67,7 @@ apply () {
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
warn "$PATTERN is present in $FILE, purging it"
|
||||
backup_file $FILE
|
||||
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
|
||||
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<<$PATTERN)
|
||||
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
|
||||
else
|
||||
ok "$PATTERN is not present in $FILE"
|
||||
@ -83,18 +83,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -23,7 +23,7 @@ HARDENING_EXCEPTION=x11
|
||||
PACKAGES='xserver-xorg-core xserver-xorg-core-dbg xserver-common xserver-xephyr xserver-xfbdev tightvncserver vnc4server fglrx-driver xvfb xserver-xorg-video-nvidia-legacy-173xx xserver-xorg-video-nvidia-legacy-96xx xnest'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
@ -35,7 +35,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
@ -55,18 +55,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -20,7 +20,7 @@ DESCRIPTION="Ensure Avahi server is not enabled."
|
||||
PACKAGES='avahi-daemon libavahi-common-data libavahi-common3 libavahi-core7'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
@ -32,7 +32,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
@ -52,18 +52,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -22,7 +22,7 @@ HARDENING_EXCEPTION=cups
|
||||
PACKAGES='libcups2 libcupscgi1 libcupsimage2 libcupsmime1 libcupsppdc1 cups-common cups-client cups-ppdc libcupsfilters1 cups-filters cups'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
@ -34,7 +34,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
@ -54,18 +54,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -22,7 +22,7 @@ HARDENING_EXCEPTION=dhcp
|
||||
PACKAGES='udhcpd isc-dhcp-server'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
@ -34,7 +34,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
@ -54,18 +54,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -22,7 +22,7 @@ HARDENING_EXCEPTION=ldap
|
||||
PACKAGES='slapd'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
@ -34,7 +34,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
@ -54,18 +54,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -22,7 +22,7 @@ HARDENING_EXCEPTION=nfs
|
||||
PACKAGES='rpcbind nfs-kernel-server'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
@ -34,7 +34,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
@ -54,18 +54,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -22,7 +22,7 @@ HARDENING_EXCEPTION=dns
|
||||
PACKAGES='bind9 unbound'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
@ -34,7 +34,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
@ -54,18 +54,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -23,7 +23,7 @@ HARDENING_EXCEPTION=ftp
|
||||
PACKAGES='ftpd ftpd-ssl heimdal-servers inetutils-ftpd krb5-ftpd muddleftpd proftpd-basic pure-ftpd pure-ftpd-ldap pure-ftpd-mysql pure-ftpd-postgresql twoftpd-run vsftpd wzdftpd'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
@ -35,7 +35,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
@ -55,18 +55,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -20,7 +20,7 @@ DESCRIPTION="Ensure that Network Information Service is not installed. Recommend
|
||||
PACKAGE='nis'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PACKAGE is installed!"
|
||||
@ -31,7 +31,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PACKAGE is installed, purging it"
|
||||
@ -49,18 +49,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -21,8 +21,8 @@ DESCRIPTION="Ensure rsh client is not installed, Recommended alternative : ssh."
|
||||
PACKAGES='rsh-client rsh-redone-client heimdal-clients'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
audit() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
crit "$PACKAGE is installed"
|
||||
@ -33,8 +33,8 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
apply() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
warn "$PACKAGE is installed, purging"
|
||||
@ -53,18 +53,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -20,7 +20,7 @@ DESCRIPTION="Ensure talk client is not installed."
|
||||
PACKAGES='talk inetutils-talk'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
@ -32,7 +32,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
@ -52,18 +52,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -20,7 +20,7 @@ DESCRIPTION="Ensure telnet client is not installed."
|
||||
PACKAGES='telnet'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
@ -32,7 +32,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
@ -52,18 +52,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -20,7 +20,7 @@ DESCRIPTION="Ensure ldap client is not installed."
|
||||
PACKAGES='ldap-utils'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
@ -32,7 +32,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
for PACKAGE in $PACKAGES; do
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
@ -52,18 +52,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -1,6 +1,5 @@
|
||||
#!/bin/bash
|
||||
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
@ -23,7 +22,7 @@ SYSCTL_PARAMS='net.ipv4.ip_forward net.ipv6.conf.all.forwarding'
|
||||
SYSCTL_EXP_RESULT=0
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
for SYSCTL_PARAM in $SYSCTL_PARAMS; do
|
||||
does_sysctl_param_exists "net.ipv6"
|
||||
if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_PARAM =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
|
||||
@ -40,13 +39,13 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
for SYSCTL_PARAM in $SYSCTL_PARAMS; do
|
||||
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
|
||||
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||
sysctl -w net.ipv4.route.flush=1 > /dev/null
|
||||
sysctl -w net.ipv4.route.flush=1 >/dev/null
|
||||
elif [ "$FNRET" = 255 ]; then
|
||||
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||
else
|
||||
@ -62,18 +61,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -22,7 +22,7 @@ DESCRIPTION="Disable send packet redirects to prevent malicious ICMP corruption.
|
||||
SYSCTL_PARAMS='net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
||||
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
||||
@ -39,7 +39,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
||||
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
||||
@ -48,7 +48,7 @@ apply () {
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
|
||||
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||
sysctl -w net.ipv4.route.flush=1 > /dev/null
|
||||
sysctl -w net.ipv4.route.flush=1 >/dev/null
|
||||
elif [ "$FNRET" = 255 ]; then
|
||||
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||
else
|
||||
@ -64,18 +64,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -20,7 +20,7 @@ DESCRIPTION="Disable source routed packet acceptance."
|
||||
SYSCTL_PARAMS=''
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||
does_sysctl_param_exists "net.ipv6"
|
||||
if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
|
||||
@ -40,7 +40,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
||||
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
||||
@ -49,7 +49,7 @@ apply () {
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT value -- Fixing"
|
||||
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||
sysctl -w net.ipv4.route.flush=1 > /dev/null
|
||||
sysctl -w net.ipv4.route.flush=1 >/dev/null
|
||||
elif [ "$FNRET" = 255 ]; then
|
||||
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||
else
|
||||
@ -73,18 +73,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -20,14 +20,14 @@ DESCRIPTION="Disable ICMP redirect acceptance to prevent routing table corruptio
|
||||
SYSCTL_PARAMS=''
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||
does_sysctl_param_exists "net.ipv6"
|
||||
if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
|
||||
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
||||
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
||||
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
|
||||
|
||||
|
||||
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
|
||||
@ -41,7 +41,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
||||
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
||||
@ -50,7 +50,7 @@ apply () {
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
|
||||
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||
sysctl -w net.ipv4.route.flush=1 > /dev/null
|
||||
sysctl -w net.ipv4.route.flush=1 >/dev/null
|
||||
elif [ "$FNRET" = 255 ]; then
|
||||
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||
else
|
||||
@ -74,18 +74,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -20,7 +20,7 @@ DESCRIPTION="Disable secure ICMP redirect acceptance to prevent routing tables c
|
||||
SYSCTL_PARAMS='net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure_redirects=0'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
||||
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
||||
@ -37,7 +37,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
||||
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
||||
@ -46,7 +46,7 @@ apply () {
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
|
||||
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||
sysctl -w net.ipv4.route.flush=1 > /dev/null
|
||||
sysctl -w net.ipv4.route.flush=1 >/dev/null
|
||||
elif [ "$FNRET" = 255 ]; then
|
||||
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||
else
|
||||
@ -62,18 +62,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -20,7 +20,7 @@ DESCRIPTION="Log suspicious packets, like spoofed packets."
|
||||
SYSCTL_PARAMS='net.ipv4.conf.all.log_martians=1 net.ipv4.conf.default.log_martians=1'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
||||
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
||||
@ -37,7 +37,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
||||
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
||||
@ -46,7 +46,7 @@ apply () {
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
|
||||
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||
sysctl -w net.ipv4.route.flush=1 > /dev/null
|
||||
sysctl -w net.ipv4.route.flush=1 >/dev/null
|
||||
elif [ "$FNRET" = 255 ]; then
|
||||
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||
else
|
||||
@ -62,18 +62,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -20,7 +20,7 @@ DESCRIPTION="Ignore broadcast requests to prevent attacks such as Smurf attack."
|
||||
SYSCTL_PARAMS='net.ipv4.icmp_echo_ignore_broadcasts=1'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
||||
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
||||
@ -37,7 +37,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
||||
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
||||
@ -46,7 +46,7 @@ apply () {
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
|
||||
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||
sysctl -w net.ipv4.route.flush=1 > /dev/null
|
||||
sysctl -w net.ipv4.route.flush=1 >/dev/null
|
||||
elif [ "$FNRET" = 255 ]; then
|
||||
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||
else
|
||||
@ -62,18 +62,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -20,7 +20,7 @@ DESCRIPTION="Enable bad error message protection to prevent logfiles fillup."
|
||||
SYSCTL_PARAMS='net.ipv4.icmp_ignore_bogus_error_responses=1'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
||||
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
||||
@ -37,7 +37,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
||||
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
||||
@ -46,7 +46,7 @@ apply () {
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
|
||||
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||
sysctl -w net.ipv4.route.flush=1 > /dev/null
|
||||
sysctl -w net.ipv4.route.flush=1 >/dev/null
|
||||
elif [ "$FNRET" = 255 ]; then
|
||||
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||
else
|
||||
@ -62,20 +62,20 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
||||
fi
|
||||
|
||||
@ -20,7 +20,7 @@ DESCRIPTION="Enable RFC-recommended source route validation."
|
||||
SYSCTL_PARAMS='net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
||||
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
||||
@ -37,7 +37,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
||||
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
||||
@ -46,7 +46,7 @@ apply () {
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
|
||||
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||
sysctl -w net.ipv4.route.flush=1 > /dev/null
|
||||
sysctl -w net.ipv4.route.flush=1 >/dev/null
|
||||
elif [ "$FNRET" = 255 ]; then
|
||||
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||
else
|
||||
@ -62,18 +62,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -20,7 +20,7 @@ DESCRIPTION="Enable TCP-SYN cookie to prevent TCP-SYN flood attack."
|
||||
SYSCTL_PARAMS='net.ipv4.tcp_syncookies=1'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
||||
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
||||
@ -37,7 +37,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
||||
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
||||
@ -46,7 +46,7 @@ apply () {
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
|
||||
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||
sysctl -w net.ipv4.route.flush=1 > /dev/null
|
||||
sysctl -w net.ipv4.route.flush=1 >/dev/null
|
||||
elif [ "$FNRET" = 255 ]; then
|
||||
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||
else
|
||||
@ -62,18 +62,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -20,7 +20,7 @@ DESCRIPTION="Disable IPv6 router advertisements."
|
||||
SYSCTL_PARAMS='net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
does_sysctl_param_exists "net.ipv6"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
ok "ipv6 is disabled"
|
||||
@ -42,7 +42,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
does_sysctl_param_exists "net.ipv6"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
ok "ipv6 is disabled"
|
||||
@ -55,7 +55,7 @@ apply () {
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT, fixing"
|
||||
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||
sysctl -w net.ipv4.route.flush=1 > /dev/null
|
||||
sysctl -w net.ipv4.route.flush=1 >/dev/null
|
||||
elif [ "$FNRET" = 255 ]; then
|
||||
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||
else
|
||||
@ -72,18 +72,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -20,7 +20,7 @@ DESCRIPTION="Install TCP wrappers for simple access list management and standard
|
||||
PACKAGE='tcpd'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PACKAGE is not installed!"
|
||||
@ -30,14 +30,14 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PACKAGE is installed"
|
||||
else
|
||||
crit "$PACKAGE is absent, installing it"
|
||||
apt_install $PACKAGE
|
||||
fi
|
||||
apply() {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PACKAGE is installed"
|
||||
else
|
||||
crit "$PACKAGE is absent, installing it"
|
||||
apt_install $PACKAGE
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
@ -47,18 +47,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -20,7 +20,7 @@ DESCRIPTION="Create /etc/hosts.allow ."
|
||||
FILE='/etc/hosts.allow'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
does_file_exist $FILE
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
@ -30,7 +30,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
does_file_exist $FILE
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "$FILE does not exist, creating it"
|
||||
@ -48,18 +48,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -21,7 +21,7 @@ FILE='/etc/hosts.deny'
|
||||
PATTERN='ALL: ALL'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
does_file_exist $FILE
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
@ -37,7 +37,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
does_file_exist $FILE
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "$FILE does not exist, creating it"
|
||||
@ -62,18 +62,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -23,7 +23,7 @@ USER='root'
|
||||
GROUP='root'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
@ -39,7 +39,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
@ -56,18 +56,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -23,7 +23,7 @@ USER='root'
|
||||
GROUP='root'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
@ -39,7 +39,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
@ -56,18 +56,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -18,12 +18,12 @@ HARDENING_LEVEL=2
|
||||
DESCRIPTION="Disable Datagram Congestion Control Protocol (DCCP)."
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
info "Not implemented yet"
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
info "Not implemented yet"
|
||||
}
|
||||
|
||||
@ -34,18 +34,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -18,12 +18,12 @@ HARDENING_LEVEL=2
|
||||
DESCRIPTION="Disable Stream Control Transmission Protocol (SCTP)."
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
info "Not implemented yet"
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
info "Not implemented yet"
|
||||
}
|
||||
|
||||
@ -34,18 +34,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -18,12 +18,12 @@ HARDENING_LEVEL=2
|
||||
DESCRIPTION="Disable Reliable Datagram Sockets (RDS)."
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
info "Not implemented yet"
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
info "Not implemented yet"
|
||||
}
|
||||
|
||||
@ -34,18 +34,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -18,12 +18,12 @@ HARDENING_LEVEL=2
|
||||
DESCRIPTION="Disable Transperent Inter-Process Communication (TIPC)."
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
info "Not implemented yet"
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
info "Not implemented yet"
|
||||
}
|
||||
|
||||
@ -34,18 +34,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -22,12 +22,12 @@ FW_CHAINS="INPUT FORWARD"
|
||||
FW_POLICY="DROP"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PACKAGE is not installed!"
|
||||
else
|
||||
ipt=$($SUDO_CMD $PACKAGE -nL 2>/dev/null || true )
|
||||
ipt=$($SUDO_CMD $PACKAGE -nL 2>/dev/null || true)
|
||||
if [[ -z $ipt ]]; then
|
||||
crit "Empty return from $PACKAGE command. Aborting..."
|
||||
return
|
||||
@ -50,7 +50,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
:
|
||||
}
|
||||
|
||||
@ -61,12 +61,12 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
|
||||
@ -17,13 +17,13 @@ HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Ensure firewall is active (iptables is installed, does not check for its configuration)."
|
||||
|
||||
# Quick note here : CIS recommends your iptables rules to be persistent.
|
||||
# Quick note here : CIS recommends your iptables rules to be persistent.
|
||||
# Do as you want, but this script does not handle this
|
||||
|
||||
PACKAGE='iptables'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PACKAGE is not installed!"
|
||||
@ -33,14 +33,14 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PACKAGE is installed"
|
||||
else
|
||||
crit "$PACKAGE is absent, installing it"
|
||||
apt_install $PACKAGE
|
||||
fi
|
||||
apply() {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PACKAGE is installed"
|
||||
else
|
||||
crit "$PACKAGE is absent, installing it"
|
||||
apt_install $PACKAGE
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
@ -50,18 +50,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -18,12 +18,12 @@ HARDENING_LEVEL=3
|
||||
DESCRIPTION="Deactivate wireless interfaces."
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
info "Not implemented yet"
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
info "Not implemented yet"
|
||||
}
|
||||
|
||||
@ -34,14 +34,14 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
## Source Root Dir Parameter
|
||||
#if [ ! -r /etc/default/cis-hardening ]; then
|
||||
# echo "There is no /etc/default/cis-hardening file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
@ -53,11 +53,11 @@ fi
|
||||
# echo "No CIS_ROOT_DIR variable, aborting"
|
||||
# exit 128
|
||||
# fi
|
||||
#fi
|
||||
#fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -20,7 +20,7 @@ DESCRIPTION="Disable IPv6."
|
||||
SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
does_sysctl_param_exists "net.ipv6"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
ok "ipv6 is disabled"
|
||||
@ -42,7 +42,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
does_sysctl_param_exists "net.ipv6"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
ok "ipv6 is disabled"
|
||||
@ -72,18 +72,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -22,7 +22,7 @@ PATTERN='max_log_file'
|
||||
VALUE=5
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
does_file_exist $FILE
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
@ -38,7 +38,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
does_file_exist $FILE
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "$FILE does not exist, creating it"
|
||||
@ -62,18 +62,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -21,29 +21,29 @@ FILE='/etc/audit/auditd.conf'
|
||||
OPTIONS=''
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
does_file_exist $FILE
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
else
|
||||
ok "$FILE exists, checking configuration"
|
||||
for AUDIT_OPTION in $OPTIONS; do
|
||||
AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
|
||||
AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
|
||||
PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
|
||||
debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
|
||||
does_pattern_exist_in_file $FILE "$PATTERN"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PATTERN is not present in $FILE"
|
||||
else
|
||||
ok "$PATTERN is present in $FILE"
|
||||
fi
|
||||
AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
|
||||
AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
|
||||
PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
|
||||
debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
|
||||
does_pattern_exist_in_file $FILE "$PATTERN"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PATTERN is not present in $FILE"
|
||||
else
|
||||
ok "$PATTERN is present in $FILE"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
does_file_exist $FILE
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "$FILE does not exist, creating it"
|
||||
@ -79,7 +79,7 @@ check_config() {
|
||||
}
|
||||
|
||||
create_config() {
|
||||
cat << EOF
|
||||
cat <<EOF
|
||||
# shellcheck disable=2034
|
||||
status=audit
|
||||
# Put here the conf for auditd
|
||||
@ -89,18 +89,18 @@ EOF
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -21,29 +21,29 @@ FILE='/etc/audit/auditd.conf'
|
||||
OPTIONS='max_log_file_action=keep_logs'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
does_file_exist $FILE
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
else
|
||||
ok "$FILE exists, checking configuration"
|
||||
for AUDIT_OPTION in $OPTIONS; do
|
||||
AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
|
||||
AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
|
||||
PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
|
||||
debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
|
||||
does_pattern_exist_in_file $FILE "$PATTERN"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PATTERN is not present in $FILE"
|
||||
else
|
||||
ok "$PATTERN is present in $FILE"
|
||||
fi
|
||||
AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
|
||||
AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
|
||||
PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
|
||||
debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
|
||||
does_pattern_exist_in_file $FILE "$PATTERN"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PATTERN is not present in $FILE"
|
||||
else
|
||||
ok "$PATTERN is present in $FILE"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
does_file_exist $FILE
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
warn "$FILE does not exist, creating it"
|
||||
@ -61,7 +61,7 @@ apply () {
|
||||
warn "$PATTERN is not present in $FILE, adding it"
|
||||
does_pattern_exist_in_file $FILE "^$AUDIT_PARAM"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end"
|
||||
info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end"
|
||||
add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE"
|
||||
else
|
||||
info "Parameter $AUDIT_PARAM is present but with the wrong value -- Fixing"
|
||||
@ -80,18 +80,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
@ -26,7 +26,7 @@ AUDIT_PARAMS='-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>
|
||||
FILE='/etc/audit/audit.rules'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
# define custom IFS and save default one
|
||||
d_IFS=$IFS
|
||||
c_IFS=$'\n'
|
||||
@ -46,7 +46,7 @@ audit () {
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
IFS=$'\n'
|
||||
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
||||
debug "$AUDIT_VALUE should be in file $FILE"
|
||||
@ -68,18 +68,18 @@ check_config() {
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user