From 3a342b784a9dd2eeedd28977840b710f6aa96027 Mon Sep 17 00:00:00 2001 
From: Thibault Ayanides Date: Fri, 4 Dec 2020 14:08:01 +0100 Subject: [PATCH] IMP(shfmt): add shell formatter --- .gitignore | 1 + bin/hardening.sh | 142 +++++++++--------- bin/hardening/1.1.1.1_disable_freevxfs.sh | 13 +- bin/hardening/1.1.1.2_disable_jffs2.sh | 13 +- bin/hardening/1.1.1.3_disable_hfs.sh | 13 +- bin/hardening/1.1.1.4_disable_hfsplus.sh | 13 +- bin/hardening/1.1.1.5_disable_udf.sh | 13 +- bin/hardening/1.1.1.6_disable_cramfs.sh | 13 +- bin/hardening/1.1.1.7_disable_squashfs.sh | 13 +- bin/hardening/1.1.10_var_tmp_noexec.sh | 18 +-- bin/hardening/1.1.11_var_log_partition.sh | 12 +- .../1.1.12_var_log_audit_partition.sh | 12 +- bin/hardening/1.1.13_home_partition.sh | 12 +- bin/hardening/1.1.14_home_nodev.sh | 12 +- bin/hardening/1.1.15_run_shm_nodev.sh | 10 +- bin/hardening/1.1.16_run_shm_nosuid.sh | 10 +- bin/hardening/1.1.17_run_shm_noexec.sh | 10 +- .../1.1.18_removable_device_nodev.sh | 12 +- .../1.1.19_removable_device_nosuid.sh | 12 +- .../1.1.20_removable_device_noexec.sh | 12 +- ...1.1.21_sticky_bit_world_writable_folder.sh | 18 +-- bin/hardening/1.1.22_disable_automounting.sh | 14 +- bin/hardening/1.1.2_tmp_partition.sh | 12 +- bin/hardening/1.1.3_tmp_nodev.sh | 18 +-- bin/hardening/1.1.4_tmp_nosuid.sh | 12 +- bin/hardening/1.1.5_tmp_noexec.sh | 12 +- bin/hardening/1.1.6_var_partition.sh | 14 +- bin/hardening/1.1.7_var_tmp_partition.sh | 14 +- bin/hardening/1.1.8_var_tmp_nodev.sh | 18 +-- bin/hardening/1.1.9_var_tmp_nosuid.sh | 18 +-- bin/hardening/1.4.1_bootloader_ownership.sh | 16 +- bin/hardening/1.4.2_bootloader_password.sh | 12 +- bin/hardening/1.4.3_root_password.sh | 12 +- bin/hardening/1.5.1_restrict_core_dumps.sh | 14 +- bin/hardening/1.5.2_enable_nx_support.sh | 12 +- .../1.5.3_enable_randomized_vm_placement.sh | 12 +- bin/hardening/1.5.4_disable_prelink.sh | 12 +- bin/hardening/1.6.2.1_enable_apparmor.sh | 20 +-- bin/hardening/1.7.1.1_remove_os_info_motd.sh | 12 +- bin/hardening/1.7.1.2_remove_os_info_issue.sh | 12 +- 
.../1.7.1.3_remove_os_info_issue_net.sh | 12 +- bin/hardening/1.7.1.4_motd_perms.sh | 12 +- bin/hardening/1.7.1.5_etc_issue_perms.sh | 12 +- bin/hardening/1.7.1.6_etc_issue_net_perms.sh | 12 +- .../1.7.2_graphical_warning_banners.sh | 12 +- bin/hardening/1.8_install_updates.sh | 16 +- bin/hardening/2.1.1_disable_xinetd.sh | 12 +- bin/hardening/2.1.2_disable_bsd_inetd.sh | 12 +- bin/hardening/2.2.1.1_use_time_sync.sh | 16 +- bin/hardening/2.2.1.2_configure_ntp.sh | 60 ++++---- bin/hardening/2.2.1.3_configure_chrony.sh | 12 +- bin/hardening/2.2.10_disable_http_server.sh | 12 +- bin/hardening/2.2.11_disable_imap_pop.sh | 12 +- bin/hardening/2.2.12_disable_samba.sh | 12 +- bin/hardening/2.2.13_disable_http_proxy.sh | 12 +- bin/hardening/2.2.14_disable_snmp_server.sh | 12 +- bin/hardening/2.2.15_mta_localhost.sh | 16 +- bin/hardening/2.2.16_disable_rsync.sh | 12 +- bin/hardening/2.2.18_disable_telnet_server.sh | 14 +- bin/hardening/2.2.2_disable_xwindow_system.sh | 12 +- bin/hardening/2.2.3_disable_avahi_server.sh | 12 +- bin/hardening/2.2.4_disable_print_server.sh | 12 +- bin/hardening/2.2.5_disable_dhcp.sh | 12 +- bin/hardening/2.2.6_disable_ldap.sh | 12 +- bin/hardening/2.2.7_disable_nfs_rpc.sh | 12 +- bin/hardening/2.2.8_disable_dns_server.sh | 12 +- bin/hardening/2.2.9_disable_ftp.sh | 12 +- bin/hardening/2.3.1_disable_nis.sh | 12 +- bin/hardening/2.3.2_disable_rsh_client.sh | 16 +- bin/hardening/2.3.3_disable_talk_client.sh | 12 +- bin/hardening/2.3.4_disable_telnet_client.sh | 12 +- bin/hardening/2.3.5_disable_ldap_client.sh | 12 +- bin/hardening/3.1.1_disable_ip_forwarding.sh | 15 +- .../3.1.2_disable_send_packet_redirects.sh | 14 +- .../3.2.1_disable_source_routed_packets.sh | 14 +- bin/hardening/3.2.2_disable_icmp_redirect.sh | 16 +- .../3.2.3_disable_secure_icmp_redirect.sh | 14 +- bin/hardening/3.2.4_log_martian_packets.sh | 14 +- .../3.2.5_ignore_broadcast_requests.sh | 14 +- ...2.6_enable_bad_error_message_protection.sh | 16 +- 
.../3.2.7_enable_source_route_validation.sh | 14 +- bin/hardening/3.2.8_enable_tcp_syn_cookies.sh | 14 +- ...3.2.9_disable_ipv6_router_advertisement.sh | 14 +- bin/hardening/3.3.1_install_tcp_wrapper.sh | 26 ++-- bin/hardening/3.3.2_hosts_allow.sh | 12 +- bin/hardening/3.3.3_hosts_deny.sh | 12 +- .../3.3.4_hosts_allow_permissions.sh | 12 +- bin/hardening/3.3.5_hosts_deny_permissions.sh | 12 +- bin/hardening/3.4.1_disable_dccp.sh | 12 +- bin/hardening/3.4.2_disable_sctp.sh | 12 +- bin/hardening/3.4.3_disable_rds.sh | 12 +- bin/hardening/3.4.4_disable_tipc.sh | 12 +- .../3.5.1.1_net_fw_default_policy_drop.sh | 12 +- bin/hardening/3.5_enable_firewall.sh | 28 ++-- bin/hardening/3.6_disable_wireless.sh | 18 +-- bin/hardening/3.7_disable_ipv6.sh | 12 +- bin/hardening/4.1.1.1_audit_log_storage.sh | 12 +- .../4.1.1.2_halt_when_audit_log_full.sh | 34 ++--- bin/hardening/4.1.1.3_keep_all_audit_logs.sh | 34 ++--- bin/hardening/4.1.10_record_dac_edit.sh | 12 +- .../4.1.11_record_failed_access_file.sh | 12 +- .../4.1.12_record_privileged_commands.sh | 12 +- .../4.1.13_record_successful_mount.sh | 12 +- bin/hardening/4.1.14_record_file_deletions.sh | 12 +- bin/hardening/4.1.15_record_sudoers_edit.sh | 12 +- bin/hardening/4.1.16_record_sudo_usage.sh | 12 +- bin/hardening/4.1.17_record_kernel_modules.sh | 12 +- bin/hardening/4.1.18_freeze_auditd_conf.sh | 12 +- bin/hardening/4.1.2_enable_auditd.sh | 42 +++--- bin/hardening/4.1.3_audit_bootloader.sh | 34 ++--- bin/hardening/4.1.4_record_date_time_edit.sh | 12 +- bin/hardening/4.1.5_record_user_group_edit.sh | 12 +- bin/hardening/4.1.6_record_network_edit.sh | 12 +- bin/hardening/4.1.7_record_mac_edit.sh | 12 +- bin/hardening/4.1.8_record_login_logout.sh | 12 +- bin/hardening/4.1.9_record_session_init.sh | 12 +- bin/hardening/4.2.2.1_enable_syslog-ng.sh | 16 +- bin/hardening/4.2.2.2_configure_syslog-ng.sh | 12 +- .../4.2.2.3_syslog_ng_logfiles_perm.sh | 26 ++-- .../4.2.2.4_syslog-ng_remote_host.sh | 16 +- 
bin/hardening/4.2.2.5_remote_syslog-ng_acl.sh | 12 +- bin/hardening/4.2.3_install_syslog-ng.sh | 26 ++-- bin/hardening/4.2.4_logs_permissions.sh | 24 ++- bin/hardening/4.3_configure_logrotate.sh | 12 +- bin/hardening/5.1.1_enable_cron.sh | 18 +-- bin/hardening/5.1.2_crontab_perm_ownership.sh | 14 +- .../5.1.3_cron_hourly_perm_ownership.sh | 14 +- .../5.1.4_cron_daily_perm_ownership.sh | 14 +- .../5.1.5_cron_weekly_perm_ownership.sh | 14 +- .../5.1.6_cron_monthly_perm_ownership.sh | 14 +- bin/hardening/5.1.7_cron_d_perm_ownership.sh | 14 +- bin/hardening/5.1.8_cron_users.sh | 14 +- bin/hardening/5.2.10_disable_root_login.sh | 44 +++--- ....2.11_disable_sshd_permitemptypasswords.sh | 44 +++--- bin/hardening/5.2.12_disable_sshd_setenv.sh | 44 +++--- bin/hardening/5.2.13_sshd_ciphers.sh | 44 +++--- bin/hardening/5.2.14_ssh_cry_mac.sh | 40 ++--- bin/hardening/5.2.15_ssh_cry_kex.sh | 41 +++-- bin/hardening/5.2.16_sshd_idle_timeout.sh | 42 +++--- bin/hardening/5.2.17_sshd_login_grace_time.sh | 42 +++--- bin/hardening/5.2.18_sshd_limit_access.sh | 46 +++--- bin/hardening/5.2.19_ssh_banner.sh | 40 ++--- .../5.2.1_sshd_conf_perm_ownership.sh | 14 +- ....2_ssh_host_private_keys_perm_ownership.sh | 33 ++-- ...2.3_ssh_host_public_keys_perm_ownership.sh | 34 ++--- bin/hardening/5.2.4_sshd_protocol.sh | 44 +++--- bin/hardening/5.2.5_sshd_loglevel.sh | 42 +++--- bin/hardening/5.2.6_disable_x11_forwarding.sh | 44 +++--- bin/hardening/5.2.7_sshd_maxauthtries.sh | 44 +++--- .../5.2.8_enable_sshd_ignorerhosts.sh | 44 +++--- ....9_disable_sshd_hostbasedauthentication.sh | 44 +++--- bin/hardening/5.3.1_enable_pwquality.sh | 16 +- .../5.3.2_enable_lockout_failed_password.sh | 12 +- bin/hardening/5.3.3_limit_password_reuse.sh | 14 +- bin/hardening/5.3.4_acc_pam_sha512.sh | 17 +-- .../5.4.1.1_set_password_exp_days.sh | 42 +++--- .../5.4.1.2_set_password_min_days_change.sh | 42 +++--- .../5.4.1.3_set_password_exp_warning_days.sh | 42 +++--- .../5.4.1.4_lock_inactive_user_account.sh | 12 +- 
.../5.4.2_disable_system_accounts.sh | 28 ++-- bin/hardening/5.4.3_default_root_group.sh | 12 +- bin/hardening/5.4.4_default_umask.sh | 12 +- bin/hardening/5.5_secure_tty.sh | 12 +- bin/hardening/5.6_restrict_su.sh | 14 +- .../6.1.10_find_world_writable_file.sh | 20 +-- bin/hardening/6.1.11_find_unowned_files.sh | 20 +-- bin/hardening/6.1.12_find_ungrouped_files.sh | 20 +-- bin/hardening/6.1.13_find_suid_files.sh | 20 +-- bin/hardening/6.1.14_find_sgid_files.sh | 20 +-- bin/hardening/6.1.5_etc_passwd_permissions.sh | 12 +- bin/hardening/6.1.6_etc_shadow_permissions.sh | 12 +- bin/hardening/6.1.7_etc_group_permissions.sh | 12 +- .../6.2.10_check_user_dot_file_perm.sh | 18 +-- .../6.2.11_find_user_forward_files.sh | 18 +-- bin/hardening/6.2.12_find_user_netrc_files.sh | 18 +-- .../6.2.13_set_perm_on_user_netrc.sh | 18 +-- .../6.2.14_find_user_rhosts_files.sh | 18 +-- ....2.15_find_passwd_group_inconsistencies.sh | 18 +-- bin/hardening/6.2.16_check_duplicate_uid.sh | 18 +-- bin/hardening/6.2.17_check_duplicate_gid.sh | 18 +-- .../6.2.18_check_duplicate_username.sh | 26 ++-- .../6.2.19_check_duplicate_groupname.sh | 26 ++-- .../6.2.1_remove_empty_password_field.sh | 13 +- bin/hardening/6.2.20_shadow_group_empty.sh | 12 +- .../6.2.2_remove_legacy_passwd_entries.sh | 12 +- .../6.2.3_remove_legacy_shadow_entries.sh | 12 +- .../6.2.4_remove_legacy_group_entries.sh | 12 +- .../6.2.5_find_0_uid_non_root_account.sh | 16 +- bin/hardening/6.2.6_sanitize_root_path.sh | 38 ++--- bin/hardening/6.2.7_users_valid_homedir.sh | 24 +-- bin/hardening/6.2.8_check_user_dir_perm.sh | 42 +++--- bin/hardening/6.2.9_users_valid_homedir.sh | 30 ++-- bin/hardening/8.0_enable_auditd_kernel.sh | 13 +- bin/hardening/8.3.1_install_tripwire.sh | 28 ++-- bin/hardening/8.3.2_tripwire_cron.sh | 12 +- bin/hardening/99.1_timeout_tty.sh | 10 +- bin/hardening/99.2_disable_usb_devices.sh | 14 +- bin/hardening/99.3.1_acc_shadow_sha512.sh | 13 +- bin/hardening/99.3.2_acc_sudoers_no_all.sh | 20 +-- 
bin/hardening/99.3.4_acc_logindefs_sha512.sh | 15 +- bin/hardening/99.5.1_ssh_auth_pubk_only.sh | 40 ++--- bin/hardening/99.5.2.3_ssh_cry_rekey.sh | 42 +++--- bin/hardening/99.5.3_ssh_disable_features.sh | 40 ++--- bin/hardening/99.5.4_ssh_keys_from.sh | 43 +++--- bin/hardening/99.5.5_ssh_strict_modes.sh | 40 ++--- bin/hardening/99.5.6_ssh_sys_accept_env.sh | 14 +- bin/hardening/99.5.7_ssh_sys_no_legacy.sh | 13 +- bin/hardening/99.5.8_ssh_sys_sandbox.sh | 41 +++-- bin/hardening/99.5.9_ssh_loglevel.sh | 40 ++--- lib/common.sh | 58 ++++--- lib/constants.sh | 10 +- lib/main.sh | 95 ++++++------ lib/shellfmt/launch_shellfmt.sh | 23 +++ lib/utils.sh | 80 +++++----- shellcheck/docker_build_and_run_shellcheck.sh | 1 - shellcheck/launch_shellcheck.sh | 2 +- tests/docker_build_and_run_tests.sh | 9 +- tests/hardening/1.1.1.1_disable_freevxfs.sh | 12 +- tests/hardening/1.1.1.2_disable_jffs2.sh | 10 +- tests/hardening/1.1.1.3_disable_hfs.sh | 10 +- tests/hardening/1.1.1.4_disable_hfsplus.sh | 10 +- tests/hardening/1.1.1.5_disable_udf.sh | 11 +- tests/hardening/1.1.1.6_disable_cramfs.sh | 10 +- tests/hardening/1.1.1.7_disable_squashfs.sh | 11 +- ...1.1.21_sticky_bit_world_writable_folder.sh | 12 +- tests/hardening/1.5.1_restrict_core_dumps.sh | 10 +- tests/hardening/1.6.2.1_enable_apparmor.sh | 2 +- tests/hardening/2.2.1.1_use_time_sync.sh | 1 - .../hardening/3.1.1_disable_ip_forwarding.sh | 2 +- .../4.1.1.2_halt_when_audit_log_full.sh | 2 +- .../4.1.11_record_failed_access_file.sh | 2 - .../4.1.12_record_privileged_commands.sh | 1 - tests/hardening/4.1.15_record_sudoers_edit.sh | 4 +- .../hardening/4.1.5_record_user_group_edit.sh | 2 +- tests/hardening/4.1.8_record_login_logout.sh | 1 - .../4.2.2.4_syslog-ng_remote_host.sh | 10 +- .../hardening/5.1.2_crontab_perm_ownership.sh | 4 +- .../5.1.3_cron_hourly_perm_ownership.sh | 4 +- .../5.1.4_cron_daily_perm_ownership.sh | 4 +- .../5.1.5_cron_weekly_perm_ownership.sh | 4 +- .../5.1.6_cron_monthly_perm_ownership.sh | 4 +- 
.../hardening/5.1.7_cron_d_perm_ownership.sh | 4 +- tests/hardening/5.1.8_cron_users.sh | 6 +- tests/hardening/5.2.14_ssh_cry_mac.sh | 1 - tests/hardening/5.2.15_ssh_cry_kex.sh | 1 - .../5.2.1_sshd_conf_perm_ownership.sh | 4 +- ....2_ssh_host_private_keys_perm_ownership.sh | 4 +- ...2.3_ssh_host_public_keys_perm_ownership.sh | 4 +- tests/hardening/5.2.4_sshd_protocol.sh | 2 +- tests/hardening/5.2.5_sshd_loglevel.sh | 4 +- tests/hardening/5.2.7_sshd_maxauthtries.sh | 2 +- .../5.2.8_enable_sshd_ignorerhosts.sh | 2 +- tests/hardening/5.3.4_acc_pam_sha512.sh | 1 - .../5.4.2_disable_system_accounts.sh | 2 +- tests/hardening/5.4.4_default_umask.sh | 2 +- .../6.1.10_find_world_writable_file.sh | 7 +- tests/hardening/6.1.11_find_unowned_files.sh | 1 - .../hardening/6.1.12_find_ungrouped_files.sh | 3 +- tests/hardening/6.1.13_find_suid_files.sh | 3 +- tests/hardening/6.1.14_find_sgid_files.sh | 3 +- .../hardening/6.1.5_etc_passwd_permissions.sh | 4 +- .../hardening/6.1.6_etc_shadow_permissions.sh | 4 +- .../hardening/6.1.7_etc_group_permissions.sh | 4 +- .../6.2.10_check_user_dot_file_perm.sh | 4 +- .../6.2.11_find_user_forward_files.sh | 4 +- .../hardening/6.2.12_find_user_netrc_files.sh | 2 +- .../6.2.13_set_perm_on_user_netrc.sh | 4 +- .../6.2.14_find_user_rhosts_files.sh | 4 +- ....2.15_find_passwd_group_inconsistencies.sh | 4 +- tests/hardening/6.2.16_check_duplicate_uid.sh | 3 +- tests/hardening/6.2.17_check_duplicate_gid.sh | 1 - .../6.2.18_check_duplicate_username.sh | 4 +- .../6.2.19_check_duplicate_groupname.sh | 4 +- .../6.2.1_remove_empty_password_field.sh | 2 +- tests/hardening/6.2.20_shadow_group_empty.sh | 6 +- .../6.2.2_remove_legacy_passwd_entries.sh | 4 +- .../6.2.3_remove_legacy_shadow_entries.sh | 4 +- .../6.2.4_remove_legacy_group_entries.sh | 4 +- .../6.2.5_find_0_uid_non_root_account.sh | 3 +- tests/hardening/6.2.6_sanitize_root_path.sh | 2 +- tests/hardening/6.2.7_users_valid_homedir.sh | 2 +- tests/hardening/6.2.8_check_user_dir_perm.sh | 4 +- 
tests/hardening/6.2.9_users_valid_homedir.sh | 7 +- tests/hardening/99.1_timeout_tty.sh | 4 +- tests/hardening/99.2_disable_usb_devices.sh | 4 +- tests/hardening/99.3.1_acc_shadow_sha512.sh | 3 +- tests/hardening/99.3.2_acc_sudoers_no_all.sh | 8 +- .../hardening/99.3.4_acc_logindefs_sha512.sh | 1 - tests/hardening/99.5.1_ssh_auth_pubk_only.sh | 1 - tests/hardening/99.5.2.3_ssh_cry_rekey.sh | 1 - .../hardening/99.5.3_ssh_disable_features.sh | 1 - tests/hardening/99.5.4_ssh_keys_from.sh | 38 +++-- tests/hardening/99.5.5_ssh_strict_modes.sh | 1 - tests/hardening/99.5.6_ssh_sys_accept_env.sh | 2 - tests/hardening/99.5.7_ssh_sys_no_legacy.sh | 1 - tests/hardening/99.5.8_ssh_sys_sandbox.sh | 3 +- tests/hardening/99.5.9_ssh_loglevel.sh | 1 - tests/launch_tests.sh | 42 +++--- tests/lib.sh | 25 ++- tests/run_all_targets.sh | 27 ++-- 300 files changed, 2370 insertions(+), 2427 deletions(-) create mode 100755 lib/shellfmt/launch_shellfmt.sh
diff --git a/.gitignore b/.gitignore
index e69de29..41f6e54 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+tmp/shfmt
\ No newline at end of file
diff --git a/bin/hardening.sh b/bin/hardening.sh
index bd26917..2fb4339 100755
--- a/bin/hardening.sh
+++ b/bin/hardening.sh
@@ -28,7 +28,7 @@ SUDO_MODE='' BATCH_MODE='' usage() { - cat << EOF + cat < [OPTIONS], where RUN_MODE is one of: --help -h 
@@ -117,48 +117,48 @@ declare -a TEST_LIST ALLOWED_SERVICES_LIST while [[ $# > 0 ]]; do ARG="$1" case $ARG in - --audit) - AUDIT=1 + --audit) + AUDIT=1 ;; - --audit-all) - AUDIT_ALL=1 + --audit-all) + AUDIT_ALL=1 ;; - --audit-all-enable-passed) - AUDIT_ALL_ENABLE_PASSED=1 + --audit-all-enable-passed) + AUDIT_ALL_ENABLE_PASSED=1 ;; - --apply) - APPLY=1 + --apply) + APPLY=1 ;; - --allow-service-list) - ALLOW_SERVICE_LIST=1 + --allow-service-list) + ALLOW_SERVICE_LIST=1 ;; - --create-config-files-only) - CREATE_CONFIG=1 + --create-config-files-only) + CREATE_CONFIG=1 ;; - --allow-service) - ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2" - shift + --allow-service) + ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2" + shift ;; - --set-hardening-level) - SET_HARDENING_LEVEL="$2" - shift + --set-hardening-level) + SET_HARDENING_LEVEL="$2" + shift ;; - --only) - TEST_LIST[${#TEST_LIST[@]}]="$2" - shift + --only) + TEST_LIST[${#TEST_LIST[@]}]="$2" + shift ;; - --sudo) - SUDO_MODE='--sudo' + --sudo) + SUDO_MODE='--sudo' ;; - --batch) - BATCH_MODE='--batch' - LOGLEVEL=ok + --batch) + BATCH_MODE='--batch' + LOGLEVEL=ok ;; - -h|--help) - usage + -h | --help) + usage ;; - *) - usage + *) + usage ;; esac shift 
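Review bot: `while [[ $# > 0 ]]; do` at the top of this hunk is a string comparison, not a numeric one — inside `[[ ]]` the `>` operator compares lexicographically (ShellCheck SC2071); it happens to work because every positive count sorts after "0", but the intent is arithmetic, so `while (( $# > 0 )); do` or `while [[ $# -gt 0 ]]; do` says what is meant. The value-taking arms (`--allow-service`, `--set-hardening-level`, `--only`) also read `$2` and `shift` without checking that a second argument exists, so a trailing `--only` stores an empty entry in TEST_LIST instead of being rejected; a guard such as `[ $# -ge 2 ] || usage` at the start of each of those arms would catch it. The `while` loop's closing `done` is outside the hunk.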
@@ -174,20 +174,20 @@ if [ -r /etc/default/cis-hardening ]; then . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi -[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh +[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh [ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg -[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh -[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh +[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh +[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh if [ $BATCH_MODE ]; then MACHINE_LOG_LEVEL=3; fi # If --allow-service-list is specified, don't run anything, just list the supported services -if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then +if [ "$ALLOW_SERVICE_LIST" = 1 ]; then declare -a HARDENING_EXCEPTIONS_LIST for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do template=$(grep "^HARDENING_EXCEPTION=" "$SCRIPT" | cut -d= -f2) @@ -198,8 +198,8 @@ if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then fi # If --set-hardening-level is specified, don't run anything, just apply config for each script -if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ] ; then - if ! grep -q "^[12345]$" <<< "$SET_HARDENING_LEVEL" ; then +if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ]; then + if ! grep -q "^[12345]$" <<<"$SET_HARDENING_LEVEL"; then echo "Bad --set-hardening-level specified ('$SET_HARDENING_LEVEL'), expected 1 to 5" exit 1 fi 
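Review bot: The library sourcing lines `[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh` and the three that follow leave `$CIS_ROOT_DIR` unquoted; a root directory containing whitespace turns `[ -r ... ]` into a test syntax error, and the `&&` then silently skips the source, so the script runs on without its helpers until a later command is not found. Quoting fixes the word splitting: `[ -r "$CIS_ROOT_DIR"/lib/constants.sh ] && . "$CIS_ROOT_DIR"/lib/constants.sh`, and likewise for hardening.cfg, common.sh and utils.sh. Because the `&&` form is best-effort by design, it is also worth deciding which of these files are mandatory and failing explicitly when one of them is unreadable, rather than discovering it through an undefined function; the hunk does not show which are optional, so that is a maintainer call.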
@@ -207,7 +207,7 @@ if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ] ; then for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do SCRIPT_BASENAME=$(basename $SCRIPT .sh) script_level=$(grep "^HARDENING_LEVEL=" "$SCRIPT" | cut -d= -f2) - if [ -z "$script_level" ] ; then + if [ -z "$script_level" ]; then echo "The script $SCRIPT_BASENAME doesn't have a hardening level, configuration untouched for it" continue fi @@ -226,11 +226,11 @@ fi # Parse every scripts and execute them in the required mode for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do - if [ ${#TEST_LIST[@]} -gt 0 ] ; then + if [ ${#TEST_LIST[@]} -gt 0 ]; then # --only X has been specified at least once, is this script in my list ? - SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<< "$(basename $SCRIPT)") - SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<< "$SCRIPT_PREFIX") - if ! grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<< "${TEST_LIST[@]}"; then + SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<<"$(basename $SCRIPT)") + SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<<"$SCRIPT_PREFIX") + if ! grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<<"${TEST_LIST[@]}"; then # not in the list continue fi 
@@ -258,30 +258,30 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do debug "Script $SCRIPT finished with exit code $SCRIPT_EXITCODE" case $SCRIPT_EXITCODE in - 0) - debug "$SCRIPT passed" - PASSED_CHECKS=$((PASSED_CHECKS+1)) - if [ $AUDIT_ALL_ENABLE_PASSED = 1 ] ; then - SCRIPT_BASENAME=$(basename $SCRIPT .sh) - sed -i -re 's/^status=.+/status=enabled/' $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg - info "Status set to enabled in $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg" - fi + 0) + debug "$SCRIPT passed" + PASSED_CHECKS=$((PASSED_CHECKS + 1)) + if [ $AUDIT_ALL_ENABLE_PASSED = 1 ]; then + SCRIPT_BASENAME=$(basename $SCRIPT .sh) + sed -i -re 's/^status=.+/status=enabled/' $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg + info "Status set to enabled in $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg" + fi ;; - 1) - debug "$SCRIPT failed" - FAILED_CHECKS=$((FAILED_CHECKS+1)) + 1) + debug "$SCRIPT failed" + FAILED_CHECKS=$((FAILED_CHECKS + 1)) ;; - 2) - debug "$SCRIPT is disabled" - DISABLED_CHECKS=$((DISABLED_CHECKS+1)) + 2) + debug "$SCRIPT is disabled" + DISABLED_CHECKS=$((DISABLED_CHECKS + 1)) ;; esac - TOTAL_CHECKS=$((TOTAL_CHECKS+1)) + TOTAL_CHECKS=$((TOTAL_CHECKS + 1)) done -TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS-DISABLED_CHECKS)) +TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS - DISABLED_CHECKS)) if [ $BATCH_MODE ]; then BATCH_SUMMARY="AUDIT_SUMMARY " @@ -289,7 +289,7 @@ if [ $BATCH_MODE ]; then BATCH_SUMMARY+="RUN_CHECKS:${TOTAL_TREATED_CHECKS:-0} " BATCH_SUMMARY+="TOTAL_CHECKS_AVAIL:${TOTAL_CHECKS:-0}" if [ $TOTAL_TREATED_CHECKS != 0 ]; then - CONFORMITY_PERCENTAGE=$(bc -l <<< "scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100") + CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100") BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:$(printf "%s" "$CONFORMITY_PERCENTAGE")" else BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0 
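Review bot: `case $SCRIPT_EXITCODE in` has arms for 0, 1 and 2 only, yet `TOTAL_CHECKS=$((TOTAL_CHECKS + 1))` runs after the `esac` for every script, so a script that ends with any other status (a crash, or the `exit 128` the hardening scripts use when CIS_ROOT_DIR is unset) is counted in TOTAL_CHECKS and TOTAL_TREATED_CHECKS but in neither PASSED_CHECKS nor FAILED_CHECKS — it lowers the conformity percentage without ever being reported. A default arm that records it, e.g. `*) info "$SCRIPT exited with unexpected code $SCRIPT_EXITCODE"; FAILED_CHECKS=$((FAILED_CHECKS + 1)) ;;`, keeps the summary honest. In the `0)` arm, `sed -i -re 's/^status=.+/status=enabled/' $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg` should also quote its path argument, consistent with the quoted `"$SCRIPT"` passed to grep earlier in the file. The `for SCRIPT` loop this case lives in begins before the hunk.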
@@ -297,17 +297,17 @@ if [ $BATCH_MODE ]; then becho $BATCH_SUMMARY else printf "%40s\n" "################### SUMMARY ###################" - printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS" - printf "%30s %s\n" "Total Runned Checks :" "$TOTAL_TREATED_CHECKS" - printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS" - printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS" - - ENABLED_CHECKS_PERCENTAGE=$(bc -l <<< "scale=2; ($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100") - CONFORMITY_PERCENTAGE=$(bc -l <<< "scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100") - printf "%30s %s %%\n" "Enabled Checks Percentage :" "$ENABLED_CHECKS_PERCENTAGE" + printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS" + printf "%30s %s\n" "Total Runned Checks :" "$TOTAL_TREATED_CHECKS" + printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS" + printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS" + + ENABLED_CHECKS_PERCENTAGE=$(bc -l <<<"scale=2; ($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100") + CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100") + printf "%30s %s %%\n" "Enabled Checks Percentage :" "$ENABLED_CHECKS_PERCENTAGE" if [ $TOTAL_TREATED_CHECKS != 0 ]; then - printf "%30s %s %%\n" "Conformity Percentage :" "$CONFORMITY_PERCENTAGE" + printf "%30s %s %%\n" "Conformity Percentage :" "$CONFORMITY_PERCENTAGE" else - printf "%30s %s %%\n" "Conformity Percentage :" "N.A" # No check runned, avoid division by 0 + printf "%30s %s %%\n" "Conformity Percentage :" "N.A" # No check runned, avoid division by 0 fi fi diff --git a/bin/hardening/1.1.1.1_disable_freevxfs.sh b/bin/hardening/1.1.1.1_disable_freevxfs.sh index 8c5a18a..ed8b7e9 100755 --- a/bin/hardening/1.1.1.1_disable_freevxfs.sh +++ b/bin/hardening/1.1.1.1_disable_freevxfs.sh 
@@ -20,9 +20,8 @@ DESCRIPTION="Disable mounting of freevxfs filesystems." KERNEL_OPTION="CONFIG_VXFS_FS" MODULE_NAME="freevxfs" - # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated crit "$KERNEL_OPTION is enabled!" @@ -32,7 +31,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { is_kernel_option_enabled "$KERNEL_OPTION" if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" @@ -48,18 +47,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/1.1.1.2_disable_jffs2.sh b/bin/hardening/1.1.1.2_disable_jffs2.sh index afd1cea..6d5f46d 100755 --- a/bin/hardening/1.1.1.2_disable_jffs2.sh +++ b/bin/hardening/1.1.1.2_disable_jffs2.sh 
@@ -20,9 +20,8 @@ DESCRIPTION="Disable mounting of jffs2 filesystems." KERNEL_OPTION="CONFIG_JFFS2_FS" MODULE_NAME="jffs2" - # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated crit "$KERNEL_OPTION is enabled!" @@ -32,7 +31,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { is_kernel_option_enabled "$KERNEL_OPTION" if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" @@ -48,18 +47,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/1.1.1.3_disable_hfs.sh b/bin/hardening/1.1.1.3_disable_hfs.sh index 344de96..bdfd696 100755 --- a/bin/hardening/1.1.1.3_disable_hfs.sh +++ b/bin/hardening/1.1.1.3_disable_hfs.sh 
@@ -20,9 +20,8 @@ DESCRIPTION="Disable mounting of hfs filesystems." KERNEL_OPTION="CONFIG_HFS_FS" MODULE_FILE="hfs" - # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated crit "$KERNEL_OPTION is enabled!" @@ -32,7 +31,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { is_kernel_option_enabled "$KERNEL_OPTION" if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" @@ -48,18 +47,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/1.1.1.4_disable_hfsplus.sh b/bin/hardening/1.1.1.4_disable_hfsplus.sh index 4b3ce21..615c14a 100755 --- a/bin/hardening/1.1.1.4_disable_hfsplus.sh +++ b/bin/hardening/1.1.1.4_disable_hfsplus.sh 
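Review bot: `is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE` in `audit()` leaves the second argument unquoted, while the sibling scripts in this patch (1.1.1.1, 1.1.1.2, 1.1.1.6) pass `"$MODULE_NAME"` quoted; the same unquoted form appears in the hunks for 1.1.1.4, 1.1.1.5 and 1.1.1.7. With the constant values in these files it behaves identically, but a formatting pass is the natural moment to make the call sites uniform: `is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_FILE"`. The `MODULE_FILE` versus `MODULE_NAME` naming split between otherwise identical scripts is worth unifying at the same time, though that is beyond what shfmt touches.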
@@ -20,9 +20,8 @@ DESCRIPTION="Disable mounting of hfsplus filesystems." KERNEL_OPTION="CONFIG_HFSPLUS_FS" MODULE_FILE="hfsplus" - # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated crit "$KERNEL_OPTION is enabled!" @@ -32,7 +31,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { is_kernel_option_enabled "$KERNEL_OPTION" if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" @@ -48,18 +47,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/1.1.1.5_disable_udf.sh b/bin/hardening/1.1.1.5_disable_udf.sh index d281091..8273c6a 100755 --- a/bin/hardening/1.1.1.5_disable_udf.sh +++ b/bin/hardening/1.1.1.5_disable_udf.sh 
@@ -20,9 +20,8 @@ DESCRIPTION="Disable mounting of udf filesystems." KERNEL_OPTION="CONFIG_UDF_FS" MODULE_FILE="udf" - # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated crit "$KERNEL_OPTION is enabled!" @@ -32,7 +31,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { is_kernel_option_enabled "$KERNEL_OPTION" if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" @@ -48,18 +47,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/1.1.1.6_disable_cramfs.sh b/bin/hardening/1.1.1.6_disable_cramfs.sh index 95bf7f8..ff4b309 100755 --- a/bin/hardening/1.1.1.6_disable_cramfs.sh +++ b/bin/hardening/1.1.1.6_disable_cramfs.sh 
@@ -20,9 +20,8 @@ DESCRIPTION="Disable mounting of cramfs filesystems."
 KERNEL_OPTION="CONFIG_CRAMFS"
 MODULE_NAME="cramfs"
-
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
 if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
 crit "$KERNEL_OPTION is enabled!"
@@ -33,7 +32,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 is_kernel_option_enabled "$KERNEL_OPTION"
 if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
 warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
@@ -50,18 +49,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/1.1.1.7_disable_squashfs.sh b/bin/hardening/1.1.1.7_disable_squashfs.sh
index 25dec28..d9b8212 100755
--- a/bin/hardening/1.1.1.7_disable_squashfs.sh
+++ b/bin/hardening/1.1.1.7_disable_squashfs.sh
@@ -20,9 +20,8 @@ DESCRIPTION="Disable mounting of squashfs filesytems."
 KERNEL_OPTION="CONFIG_SQUASHFS"
 MODULE_FILE="squashfs"
-
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
 if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
 crit "$KERNEL_OPTION is enabled!"
@@ -33,7 +32,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 is_kernel_option_enabled "$KERNEL_OPTION"
 if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
 warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
@@ -50,18 +49,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/1.1.10_var_tmp_noexec.sh b/bin/hardening/1.1.10_var_tmp_noexec.sh
index 14f4802..eb023c4 100755
--- a/bin/hardening/1.1.10_var_tmp_noexec.sh
+++ b/bin/hardening/1.1.10_var_tmp_noexec.sh
@@ -22,7 +22,7 @@ PARTITION="/var/tmp"
 OPTION="noexec"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 info "Verifying that $PARTITION is a partition"
 FNRET=0
 is_a_partition "$PARTITION"
@@ -40,16 +40,16 @@ audit () {
 has_mounted_option "$PARTITION" "$OPTION"
 if [ $FNRET -gt 0 ]; then
 warn "$PARTITION is not mounted with $OPTION at runtime"
- FNRET=3
+ FNRET=3
 else
 ok "$PARTITION mounted with $OPTION"
 fi
- fi
+ fi
 fi
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 if [ "$FNRET" = 0 ]; then
 ok "$PARTITION is correctly set"
 elif [ "$FNRET" = 2 ]; then
@@ -62,7 +62,7 @@ apply () {
 elif [ "$FNRET" = 3 ]; then
 info "Remounting $PARTITION from fstab"
 remount_partition "$PARTITION"
- fi
+ fi
 }
 # This function will check config parameters required
@@ -73,18 +73,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/1.1.11_var_log_partition.sh b/bin/hardening/1.1.11_var_log_partition.sh
index 13ed458..8e2a752 100755
--- a/bin/hardening/1.1.11_var_log_partition.sh
+++ b/bin/hardening/1.1.11_var_log_partition.sh
@@ -21,7 +21,7 @@ DESCRIPTION="/var/log on separate partition."
 PARTITION="/var/log"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 info "Verifying that $PARTITION is a partition"
 FNRET=0
 is_a_partition "$PARTITION"
@@ -41,7 +41,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 if [ "$FNRET" = 0 ]; then
 ok "$PARTITION is correctly set"
 elif [ "$FNRET" = 2 ]; then
@@ -60,18 +60,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/1.1.12_var_log_audit_partition.sh b/bin/hardening/1.1.12_var_log_audit_partition.sh
index 04350d5..43c2d00 100755
--- a/bin/hardening/1.1.12_var_log_audit_partition.sh
+++ b/bin/hardening/1.1.12_var_log_audit_partition.sh
@@ -20,7 +20,7 @@ DESCRIPTION="/var/log/audit on a separate partition."
 PARTITION="/var/log/audit"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 info "Verifying that $PARTITION is a partition"
 FNRET=0
 is_a_partition "$PARTITION"
@@ -40,7 +40,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 if [ "$FNRET" = 0 ]; then
 ok "$PARTITION is correctly set"
 elif [ "$FNRET" = 2 ]; then
@@ -59,18 +59,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/1.1.13_home_partition.sh b/bin/hardening/1.1.13_home_partition.sh
index 6936011..55e3453 100755
--- a/bin/hardening/1.1.13_home_partition.sh
+++ b/bin/hardening/1.1.13_home_partition.sh
@@ -21,7 +21,7 @@ DESCRIPTION="/home on a separate partition."
 PARTITION="/home"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 info "Verifying that $PARTITION is a partition"
 FNRET=0
 is_a_partition "$PARTITION"
@@ -41,7 +41,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 if [ "$FNRET" = 0 ]; then
 ok "$PARTITION is correctly set"
 elif [ "$FNRET" = 2 ]; then
@@ -60,18 +60,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/1.1.14_home_nodev.sh b/bin/hardening/1.1.14_home_nodev.sh
index 23b4802..e2dfd09 100755
--- a/bin/hardening/1.1.14_home_nodev.sh
+++ b/bin/hardening/1.1.14_home_nodev.sh
@@ -22,7 +22,7 @@ PARTITION="/home"
 OPTION="nodev"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 info "Verifying that $PARTITION is a partition"
 FNRET=0
 is_a_partition "$PARTITION"
@@ -49,7 +49,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 if [ "$FNRET" = 0 ]; then
 ok "$PARTITION is correctly set"
 elif [ "$FNRET" = 2 ]; then
@@ -73,18 +73,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/1.1.15_run_shm_nodev.sh b/bin/hardening/1.1.15_run_shm_nodev.sh
index fd33215..57697a9 100755
--- a/bin/hardening/1.1.15_run_shm_nodev.sh
+++ b/bin/hardening/1.1.15_run_shm_nodev.sh
@@ -22,7 +22,7 @@ PARTITION="/run/shm"
 OPTION="nodev"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 info "Verifying that $PARTITION is a partition"
 PARTITION=$(readlink -e "$PARTITION")
 FNRET=0
@@ -50,7 +50,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 if [ "$FNRET" = 0 ]; then
 ok "$PARTITION is correctly set"
 elif [ "$FNRET" = 2 ]; then
@@ -74,12 +74,12 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
diff --git a/bin/hardening/1.1.16_run_shm_nosuid.sh b/bin/hardening/1.1.16_run_shm_nosuid.sh
index 3977a50..d92ab84 100755
--- a/bin/hardening/1.1.16_run_shm_nosuid.sh
+++ b/bin/hardening/1.1.16_run_shm_nosuid.sh
@@ -22,7 +22,7 @@ PARTITION="/run/shm"
 OPTION="nosuid"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 info "Verifying that $PARTITION is a partition"
 PARTITION=$(readlink -e "$PARTITION")
 FNRET=0
@@ -50,7 +50,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 if [ "$FNRET" = 0 ]; then
 ok "$PARTITION is correctly set"
 elif [ "$FNRET" = 2 ]; then
@@ -74,12 +74,12 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
diff --git a/bin/hardening/1.1.17_run_shm_noexec.sh b/bin/hardening/1.1.17_run_shm_noexec.sh
index 61c866b..1631041 100755
--- a/bin/hardening/1.1.17_run_shm_noexec.sh
+++ b/bin/hardening/1.1.17_run_shm_noexec.sh
@@ -22,7 +22,7 @@ PARTITION="/run/shm"
 OPTION="noexec"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 info "Verifying that $PARTITION is a partition"
 PARTITION=$(readlink -e "$PARTITION")
 FNRET=0
@@ -50,7 +50,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 if [ "$FNRET" = 0 ]; then
 ok "$PARTITION is correctly set"
 elif [ "$FNRET" = 2 ]; then
@@ -74,12 +74,12 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
diff --git a/bin/hardening/1.1.18_removable_device_nodev.sh b/bin/hardening/1.1.18_removable_device_nodev.sh
index 0f5ca0b..95cf314 100755
--- a/bin/hardening/1.1.18_removable_device_nodev.sh
+++ b/bin/hardening/1.1.18_removable_device_nodev.sh
@@ -24,7 +24,7 @@ PARTITION="/media\S*"
 OPTION="nodev"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 info "Verifying if there is $PARTITION like partition"
 FNRET=0
 is_a_partition "$PARTITION"
@@ -44,7 +44,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 if [ "$FNRET" = 0 ]; then
 ok "$PARTITION is correctly set"
 elif [ "$FNRET" = 1 ]; then
@@ -61,18 +61,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/1.1.19_removable_device_nosuid.sh b/bin/hardening/1.1.19_removable_device_nosuid.sh
index 56b9539..a4e372c 100755
--- a/bin/hardening/1.1.19_removable_device_nosuid.sh
+++ b/bin/hardening/1.1.19_removable_device_nosuid.sh
@@ -24,7 +24,7 @@ PARTITION="/media\S*"
 OPTION="nosuid"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 info "Verifying if there is $PARTITION like partition"
 FNRET=0
 is_a_partition "$PARTITION"
@@ -44,7 +44,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 if [ "$FNRET" = 0 ]; then
 ok "$PARTITION is correctly set"
 elif [ "$FNRET" = 1 ]; then
@@ -61,18 +61,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/1.1.20_removable_device_noexec.sh b/bin/hardening/1.1.20_removable_device_noexec.sh
index 94e34b3..1a7c8db 100755
--- a/bin/hardening/1.1.20_removable_device_noexec.sh
+++ b/bin/hardening/1.1.20_removable_device_noexec.sh
@@ -24,7 +24,7 @@ PARTITION="/media\S*"
 OPTION="noexec"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 info "Verifying if there is $PARTITION like partition"
 FNRET=0
 is_a_partition "$PARTITION"
@@ -44,7 +44,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 if [ "$FNRET" = 0 ]; then
 ok "$PARTITION is correctly set"
 elif [ "$FNRET" = 1 ]; then
@@ -61,18 +61,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh b/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
index 63a2c0b..01411b2 100755
--- a/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
+++ b/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
@@ -18,13 +18,13 @@ HARDENING_LEVEL=2
 DESCRIPTION="Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them."
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 info "Checking if setuid is set on world writable Directories"
- FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} )
- RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+ FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'})
+ RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
 if [ ! -z "$RESULT" ]; then
 crit "Some world writable directories are not on sticky bit mode!"
- FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
+ FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
 crit "$FORMATTED_RESULT"
 else
 ok "All world writable directories have a sticky bit"
@@ -32,7 +32,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
 if [ ! -z "$RESULT" ]; then
 df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
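Review bot: `RESULT=$($SUDO_CMD find $FS_NAMES ...)` in audit() passes the mount-point list unquoted, and the reformatted `<<<$RESULT` two lines below is unquoted as well, so a mount point or directory name containing whitespace is word-split into separate find arguments and into separate reported entries; the formatter only moved spaces here, so this is pre-existing, but it sits on the exact lines being touched. Since the file already relies on bash (`<<<`), reading the mount points into an array keeps each path intact: `mapfile -t FS_NAMES < <(df --local -P | awk 'NR != 1 {print $6}')`, `RESULT=$($SUDO_CMD find "${FS_NAMES[@]}" -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)`, `FORMATTED_RESULT=$(sort -u <<<"$RESULT" | tr '\n' ' ')`. The `xargs chmod a+t` at the end of apply() has the same splitting problem and would be safer as `find ... -print0 | xargs -0 chmod a+t`; apply() continues below the hunk. Leaving `$SUDO_CMD` unquoted is fine, as it must expand to nothing when unset.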
@@ -49,18 +49,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/1.1.22_disable_automounting.sh b/bin/hardening/1.1.22_disable_automounting.sh
index 90bc774..fff3322 100755
--- a/bin/hardening/1.1.22_disable_automounting.sh
+++ b/bin/hardening/1.1.22_disable_automounting.sh
@@ -20,7 +20,7 @@ DESCRIPTION="Disable automounting of devices."
 SERVICE_NAME="autofs"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 info "Checking if $SERVICE_NAME is enabled"
 is_service_enabled "$SERVICE_NAME"
 if [ "$FNRET" = 0 ]; then
@@ -31,12 +31,12 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 info "Checking if $SERVICE_NAME is enabled"
 is_service_enabled "$SERVICE_NAME"
 if [ "$FNRET" = 0 ]; then
 info "Disabling $SERVICE_NAME"
- update-rc.d $SERVICE_NAME remove > /dev/null 2>&1
+ update-rc.d $SERVICE_NAME remove >/dev/null 2>&1
 else
 ok "$SERVICE_NAME is disabled"
 fi
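Review bot: `update-rc.d $SERVICE_NAME remove >/dev/null 2>&1` in apply() of 1.1.22_disable_automounting.sh discards both the exit status and the diagnostics of update-rc.d, so a failed disable is never surfaced and the hardening run proceeds as if the service had been handled; the redirect is what this hunk reformats. Reporting the status through the helper the sibling scripts already use keeps the quiet output while making the failure visible: `update-rc.d "$SERVICE_NAME" remove >/dev/null 2>&1 || warn "Failed to disable $SERVICE_NAME"`. Note that `update-rc.d remove` only deletes the init links; it does not stop an already running instance, so a follow-up audit on the same boot may still find the service active, which is worth a comment on the line if that is the intended scope.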
@@ -49,18 +49,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/1.1.2_tmp_partition.sh b/bin/hardening/1.1.2_tmp_partition.sh
index c6e5cd9..71172dc 100755
--- a/bin/hardening/1.1.2_tmp_partition.sh
+++ b/bin/hardening/1.1.2_tmp_partition.sh
@@ -21,7 +21,7 @@ DESCRIPTION="Ensure /tmp is configured (Scored)"
 PARTITION="/tmp"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 info "Verifying that $PARTITION is a partition"
 FNRET=0
 is_a_partition "$PARTITION"
@@ -41,7 +41,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 if [ "$FNRET" = 0 ]; then
 ok "$PARTITION is correctly set"
 elif [ "$FNRET" = 2 ]; then
@@ -60,18 +60,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/1.1.3_tmp_nodev.sh b/bin/hardening/1.1.3_tmp_nodev.sh
index 2e0405e..176412e 100755
--- a/bin/hardening/1.1.3_tmp_nodev.sh
+++ b/bin/hardening/1.1.3_tmp_nodev.sh
@@ -22,7 +22,7 @@ PARTITION="/tmp"
 OPTION="nodev"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 info "Verifying that $PARTITION is a partition"
 FNRET=0
 is_a_partition "$PARTITION"
@@ -40,16 +40,16 @@ audit () {
 has_mounted_option "$PARTITION" "$OPTION"
 if [ $FNRET -gt 0 ]; then
 warn "$PARTITION is not mounted with $OPTION at runtime"
- FNRET=3
+ FNRET=3
 else
 ok "$PARTITION mounted with $OPTION"
 fi
- fi
+ fi
 fi
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 if [ "$FNRET" = 0 ]; then
 ok "$PARTITION is correctly set"
 elif [ "$FNRET" = 2 ]; then
@@ -62,7 +62,7 @@ apply () {
 elif [ "$FNRET" = 3 ]; then
 info "Remounting $PARTITION from fstab"
 remount_partition "$PARTITION"
- fi
+ fi
 }
 # This function will check config parameters required
@@ -73,18 +73,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/1.1.4_tmp_nosuid.sh b/bin/hardening/1.1.4_tmp_nosuid.sh
index 9475ad3..cfa608e 100755
--- a/bin/hardening/1.1.4_tmp_nosuid.sh
+++ b/bin/hardening/1.1.4_tmp_nosuid.sh
@@ -22,7 +22,7 @@ PARTITION="/tmp"
 OPTION="nosuid"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 info "Verifying that $PARTITION is a partition"
 FNRET=0
 is_a_partition "$PARTITION"
@@ -49,7 +49,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 if [ "$FNRET" = 0 ]; then
 ok "$PARTITION is correctly set"
 elif [ "$FNRET" = 2 ]; then
@@ -73,18 +73,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/1.1.5_tmp_noexec.sh b/bin/hardening/1.1.5_tmp_noexec.sh
index 116e9ac..159a645 100755
--- a/bin/hardening/1.1.5_tmp_noexec.sh
+++ b/bin/hardening/1.1.5_tmp_noexec.sh
@@ -22,7 +22,7 @@ PARTITION="/tmp"
 OPTION="noexec"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 info "Verifying that $PARTITION is a partition"
 FNRET=0
 is_a_partition "$PARTITION"
@@ -49,7 +49,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 if [ "$FNRET" = 0 ]; then
 ok "$PARTITION is correctly set"
 elif [ "$FNRET" = 2 ]; then
@@ -73,18 +73,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/1.1.6_var_partition.sh b/bin/hardening/1.1.6_var_partition.sh
index 53e824a..e415873 100755
--- a/bin/hardening/1.1.6_var_partition.sh
+++ b/bin/hardening/1.1.6_var_partition.sh
@@ -21,7 +21,7 @@ DESCRIPTION="/var on a separate partition."
 PARTITION="/var"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 info "Verifying that $PARTITION is a partition"
 FNRET=0
 is_a_partition "$PARTITION"
@@ -38,12 +38,12 @@ audit () {
 ok "$PARTITION is mounted"
 fi
 fi
-
+ :
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 if [ "$FNRET" = 0 ]; then
 ok "$PARTITION is correctly set"
 elif [ "$FNRET" = 2 ]; then
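Review bot: The `+ :` added at the end of audit() in 1.1.6_var_partition.sh (the `@@ -38,12 +38,12 @@` hunk; audit() itself starts above the hunk) is a bare no-op with nothing saying why it is there, and it is not something a formatter produces: the closing `}` is already valid directly after `fi`, so a reader will take it for a leftover placeholder. If it is intentional, it deserves a one-line comment naming the reason, e.g. `: # no-op, keeps the function body non-empty`; otherwise the line should simply be dropped so the function ends on `fi`. The same unexplained `:` is added in the corresponding hunk of 1.1.7_var_tmp_partition.sh on the next line of this diff.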
@@ -62,18 +62,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/1.1.7_var_tmp_partition.sh b/bin/hardening/1.1.7_var_tmp_partition.sh
index 4a8d9a1..fe2b9fe 100755
--- a/bin/hardening/1.1.7_var_tmp_partition.sh
+++ b/bin/hardening/1.1.7_var_tmp_partition.sh
@@ -21,7 +21,7 @@ DESCRIPTION="/var/tmp on a separate partition."
 PARTITION="/var/tmp"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 info "Verifying that $PARTITION is a partition"
 FNRET=0
 is_a_partition "$PARTITION"
@@ -38,12 +38,12 @@ audit () {
 ok "$PARTITION is mounted"
 fi
 fi
- 
+
 :
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 if [ "$FNRET" = 0 ]; then
 ok "$PARTITION is correctly set"
 elif [ "$FNRET" = 2 ]; then
@@ -62,18 +62,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/1.1.8_var_tmp_nodev.sh b/bin/hardening/1.1.8_var_tmp_nodev.sh
index ca73b85..5d6b191 100755
--- a/bin/hardening/1.1.8_var_tmp_nodev.sh
+++ b/bin/hardening/1.1.8_var_tmp_nodev.sh
@@ -22,7 +22,7 @@ PARTITION="/var/tmp"
 OPTION="nodev"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 info "Verifying that $PARTITION is a partition"
 FNRET=0
 is_a_partition "$PARTITION"
@@ -40,16 +40,16 @@ audit () {
 has_mounted_option "$PARTITION" "$OPTION"
 if [ $FNRET -gt 0 ]; then
 warn "$PARTITION is not mounted with $OPTION at runtime"
- FNRET=3
+ FNRET=3
 else
 ok "$PARTITION mounted with $OPTION"
 fi
- fi
+ fi
 fi
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 if [ "$FNRET" = 0 ]; then
 ok "$PARTITION is correctly set"
 elif [ "$FNRET" = 2 ]; then
@@ -62,7 +62,7 @@ apply () {
 elif [ "$FNRET" = 3 ]; then
 info "Remounting $PARTITION from fstab"
 remount_partition "$PARTITION"
- fi
+ fi
 }
 # This function will check config parameters required
@@ -73,18 +73,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/1.1.9_var_tmp_nosuid.sh b/bin/hardening/1.1.9_var_tmp_nosuid.sh
index 2244df9..fc746a5 100755
--- a/bin/hardening/1.1.9_var_tmp_nosuid.sh
+++ b/bin/hardening/1.1.9_var_tmp_nosuid.sh
@@ -22,7 +22,7 @@ PARTITION="/var/tmp"
 OPTION="nosuid"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 info "Verifying that $PARTITION is a partition"
 FNRET=0
 is_a_partition "$PARTITION"
@@ -40,16 +40,16 @@ audit () {
 has_mounted_option "$PARTITION" "$OPTION"
 if [ $FNRET -gt 0 ]; then
 warn "$PARTITION is not mounted with $OPTION at runtime"
- FNRET=3
+ FNRET=3
 else
 ok "$PARTITION mounted with $OPTION"
 fi
- fi
+ fi
 fi
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 if [ "$FNRET" = 0 ]; then
 ok "$PARTITION is correctly set"
 elif [ "$FNRET" = 2 ]; then
@@ -62,7 +62,7 @@ apply () {
 elif [ "$FNRET" = 3 ]; then
 info "Remounting $PARTITION from fstab"
 remount_partition "$PARTITION"
- fi
+ fi
 }
 # This function will check config parameters required
@@ -73,18 +73,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/1.4.1_bootloader_ownership.sh b/bin/hardening/1.4.1_bootloader_ownership.sh
index 8146fa8..ef6c136 100755
--- a/bin/hardening/1.4.1_bootloader_ownership.sh
+++ b/bin/hardening/1.4.1_bootloader_ownership.sh
@@ -25,24 +25,24 @@ GROUP='root'
 PERMISSIONS='400'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 has_file_correct_ownership "$FILE" "$USER" "$GROUP"
 if [ "$FNRET" = 0 ]; then
 ok "$FILE has correct ownership"
 else
 crit "$FILE ownership was not set to $USER:$GROUP"
- fi
+ fi
 has_file_correct_permissions "$FILE" "$PERMISSIONS"
 if [ "$FNRET" = 0 ]; then
 ok "$FILE has correct permissions"
 else
 crit "$FILE permissions were not set to $PERMISSIONS"
- fi
+ fi
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 has_file_correct_ownership "$FILE" "$USER" "$GROUP"
 if [ "$FNRET" = 0 ]; then
 ok "$FILE has correct ownership"
@@ -87,18 +87,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/1.4.2_bootloader_password.sh b/bin/hardening/1.4.2_bootloader_password.sh
index e23d68e..aad38dd 100755
--- a/bin/hardening/1.4.2_bootloader_password.sh
+++ b/bin/hardening/1.4.2_bootloader_password.sh
@@ -22,7 +22,7 @@ USER_PATTERN="^set superusers"
 PWD_PATTERN="^password_pbkdf2"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 does_pattern_exist_in_file $FILE "$USER_PATTERN"
 if [ "$FNRET" != 0 ]; then
 crit "$USER_PATTERN not present in $FILE"
@@ -38,7 +38,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 does_pattern_exist_in_file $FILE "$USER_PATTERN"
 if [ "$FNRET" != 0 ]; then
 warn "$USER_PATTERN not present in $FILE, please configure password for grub"
@@ -69,18 +69,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/1.4.3_root_password.sh b/bin/hardening/1.4.3_root_password.sh
index acea244..d712e8f 100755
--- a/bin/hardening/1.4.3_root_password.sh
+++ b/bin/hardening/1.4.3_root_password.sh
@@ -21,7 +21,7 @@ FILE="/etc/shadow"
 PATTERN="^root:[*\!]:"
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 does_pattern_exist_in_file $FILE $PATTERN
 if [ "$FNRET" != 1 ]; then
 crit "$PATTERN is present in $FILE"
@@ -31,7 +31,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 does_pattern_exist_in_file $FILE $PATTERN
 if [ "$FNRET" != 1 ]; then
 warn "$PATTERN is present in $FILE, please put a root password"
@@ -48,18 +48,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/1.5.1_restrict_core_dumps.sh b/bin/hardening/1.5.1_restrict_core_dumps.sh
index 04f6fb9..030851d 100755
--- a/bin/hardening/1.5.1_restrict_core_dumps.sh
+++ b/bin/hardening/1.5.1_restrict_core_dumps.sh
@@ -24,7 +24,7 @@ SYSCTL_PARAM='fs.suid_dumpable'
 SYSCTL_EXP_RESULT=0
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 SEARCH_RES=0
 LIMIT_FILES=""
 if $SUDO_CMD [ -d $LIMIT_DIR ]; then
@@ -57,7 +57,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN
 if [ "$FNRET" != 0 ]; then
 warn "$LIMIT_PATTERN not present in $LIMIT_FILE, adding at the end of $LIMIT_FILE"
@@ -73,7 +73,7 @@ apply () {
 warn "$SYSCTL_PARAM does not exist -- Typo?"
 else
 ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
- fi
+ fi
 }
@@ -84,18 +84,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/1.5.2_enable_nx_support.sh b/bin/hardening/1.5.2_enable_nx_support.sh
index 24c30c7..be046b0 100755
--- a/bin/hardening/1.5.2_enable_nx_support.sh
+++ b/bin/hardening/1.5.2_enable_nx_support.sh
@@ -34,7 +34,7 @@ nx_supported_and_enabled() {
 }
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 does_pattern_exist_in_dmesg $PATTERN
 if [ "$FNRET" != 0 ]; then
 nx_supported_and_enabled
@@ -49,7 +49,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 does_pattern_exist_in_dmesg $PATTERN
 if [ "$FNRET" != 0 ]; then
 nx_supported_and_enabled
@@ -70,18 +70,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/1.5.3_enable_randomized_vm_placement.sh b/bin/hardening/1.5.3_enable_randomized_vm_placement.sh
index dde8c8b..92c5eff 100755
--- a/bin/hardening/1.5.3_enable_randomized_vm_placement.sh
+++ b/bin/hardening/1.5.3_enable_randomized_vm_placement.sh
@@ -21,7 +21,7 @@ SYSCTL_PARAM='kernel.randomize_va_space'
 SYSCTL_EXP_RESULT=2
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 if [ "$FNRET" != 0 ]; then
 crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
@@ -33,7 +33,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 if [ "$FNRET" != 0 ]; then
 warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
@@ -52,18 +52,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/1.5.4_disable_prelink.sh b/bin/hardening/1.5.4_disable_prelink.sh
index a9c7a3f..b859c29 100755
--- a/bin/hardening/1.5.4_disable_prelink.sh
+++ b/bin/hardening/1.5.4_disable_prelink.sh
@@ -20,7 +20,7 @@ DESCRIPTION="Disable prelink to prevent libraries compromission."
 PACKAGE='prelink'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 is_pkg_installed "$PACKAGE"
 if [ "$FNRET" = 0 ]; then
 crit "$PACKAGE is installed!"
@@ -31,7 +31,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 is_pkg_installed "$PACKAGE"
 if [ "$FNRET" = 0 ]; then
 crit "$PACKAGE is installed, purging it"
@@ -51,18 +51,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/1.6.2.1_enable_apparmor.sh b/bin/hardening/1.6.2.1_enable_apparmor.sh
index cb3d906..023800d 100755
--- a/bin/hardening/1.6.2.1_enable_apparmor.sh
+++ b/bin/hardening/1.6.2.1_enable_apparmor.sh
@@ -20,7 +20,7 @@ DESCRIPTION="Activate AppArmor to enforce permissions control."
 PACKAGE='apparmor'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 is_pkg_installed "$PACKAGE"
 if [ "$FNRET" != 0 ]; then
 crit "$PACKAGE is absent!"
@@ -30,7 +30,7 @@ audit () {
 ERROR=0
 RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
- 
+
 # define custom IFS and save default one
 d_IFS=$IFS
 c_IFS=$'\n'
@@ -44,12 +44,12 @@ audit () {
 IFS=$d_IFS
 if [ $ERROR = 0 ]; then
 ok "$PACKAGE is configured"
- 
+
 fi
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 is_pkg_installed "$PACKAGE"
 if [ "$FNRET" != 0 ]; then
 crit "$PACKAGE is not installed, please install $PACKAGE and configure it"
@@ -59,7 +59,7 @@ apply () {
 ERROR=0
 RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
- 
+
 # define custom IFS and save default one
 d_IFS=$IFS
 c_IFS=$'\n'
@@ -71,7 +71,7 @@ apply () {
 fi
 done
 IFS=$d_IFS
- 
+
 if [ $ERROR = 1 ]; then
 $SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor/" /etc/default/grub
 $SUDO_CMD update-grub
@@ -87,18 +87,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/1.7.1.1_remove_os_info_motd.sh b/bin/hardening/1.7.1.1_remove_os_info_motd.sh
index a0267d2..29ee794 100755
--- a/bin/hardening/1.7.1.1_remove_os_info_motd.sh
+++ b/bin/hardening/1.7.1.1_remove_os_info_motd.sh
@@ -21,7 +21,7 @@ FILE='/etc/motd'
 PATTERN='(\\v|\\r|\\m|\\s)'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 crit "$PATTERN is present in $FILE"
@@ -31,7 +31,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 warn "$PATTERN is present in $FILE"
@@ -48,18 +48,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/1.7.1.2_remove_os_info_issue.sh b/bin/hardening/1.7.1.2_remove_os_info_issue.sh
index 508fedc..2960586 100755
--- a/bin/hardening/1.7.1.2_remove_os_info_issue.sh
+++ b/bin/hardening/1.7.1.2_remove_os_info_issue.sh
@@ -21,7 +21,7 @@ FILE='/etc/issue'
 PATTERN='(\\v|\\r|\\m|\\s)'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 crit "$PATTERN is present in $FILE"
@@ -31,7 +31,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 warn "$PATTERN is present in $FILE"
@@ -48,18 +48,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/1.7.1.3_remove_os_info_issue_net.sh b/bin/hardening/1.7.1.3_remove_os_info_issue_net.sh
index 9dbcba6..7bc785c 100755
--- a/bin/hardening/1.7.1.3_remove_os_info_issue_net.sh
+++ b/bin/hardening/1.7.1.3_remove_os_info_issue_net.sh
@@ -21,7 +21,7 @@ FILE='/etc/issue.net'
 PATTERN='(\\v|\\r|\\m|\\s)'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 crit "$PATTERN is present in $FILE"
@@ -31,7 +31,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ "$FNRET" = 0 ]; then
 warn "$PATTERN is present in $FILE"
@@ -48,18 +48,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/1.7.1.4_motd_perms.sh b/bin/hardening/1.7.1.4_motd_perms.sh
index 7d9ed2b..9c2ffa0 100755
--- a/bin/hardening/1.7.1.4_motd_perms.sh
+++ b/bin/hardening/1.7.1.4_motd_perms.sh
@@ -23,7 +23,7 @@ GROUP='root'
 FILE='/etc/motd'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 does_file_exist $FILE
 if [ "$FNRET" != 0 ]; then
 crit "$FILE does not exist"
@@ -44,7 +44,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 does_file_exist $FILE
 if [ "$FNRET" != 0 ]; then
 info "$FILE does not exist"
@@ -73,18 +73,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/1.7.1.5_etc_issue_perms.sh b/bin/hardening/1.7.1.5_etc_issue_perms.sh
index f487633..dacacc9 100755
--- a/bin/hardening/1.7.1.5_etc_issue_perms.sh
+++ b/bin/hardening/1.7.1.5_etc_issue_perms.sh
@@ -23,7 +23,7 @@ GROUP='root'
 FILE='/etc/issue'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 does_file_exist $FILE
 if [ "$FNRET" != 0 ]; then
 crit "$FILE does not exist"
@@ -44,7 +44,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 does_file_exist $FILE
 if [ "$FNRET" != 0 ]; then
 info "$FILE does not exist"
@@ -73,18 +73,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/1.7.1.6_etc_issue_net_perms.sh b/bin/hardening/1.7.1.6_etc_issue_net_perms.sh
index 05e884a..3ffe232 100755
--- a/bin/hardening/1.7.1.6_etc_issue_net_perms.sh
+++ b/bin/hardening/1.7.1.6_etc_issue_net_perms.sh
@@ -23,7 +23,7 @@ GROUP='root'
 FILE='/etc/issue.net'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 does_file_exist $FILE
 if [ "$FNRET" != 0 ]; then
 crit "$FILE does not exist"
@@ -44,7 +44,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 does_file_exist $FILE
 if [ "$FNRET" != 0 ]; then
 info "$FILE does not exist"
@@ -73,18 +73,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/1.7.2_graphical_warning_banners.sh b/bin/hardening/1.7.2_graphical_warning_banners.sh
index 9a10275..d5656a1 100755
--- a/bin/hardening/1.7.2_graphical_warning_banners.sh
+++ b/bin/hardening/1.7.2_graphical_warning_banners.sh
@@ -18,12 +18,12 @@ HARDENING_LEVEL=3
 DESCRIPTION="Set graphical warning banner."
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 info "Not implemented yet"
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 info "Not implemented yet"
 }
@@ -34,18 +34,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/1.8_install_updates.sh b/bin/hardening/1.8_install_updates.sh index b505284..59d9e17 100755 --- a/bin/hardening/1.8_install_updates.sh +++ b/bin/hardening/1.8_install_updates.sh @@ -18,9 +18,9 @@ HARDENING_LEVEL=3 DESCRIPTION="Ensure updates, patches, and additional security software are installed (Not Scored)" # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { info "Checking if apt needs an update" - apt_update_if_needed + apt_update_if_needed info "Fetching upgrades ..." apt_check_updates "CIS_APT" if [ $FNRET -gt 0 ]; then @@ -33,8 +33,8 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { - if [ $FNRET -gt 0 ]; then +apply() { + if [ $FNRET -gt 0 ]; then info "Applying Upgrades..." DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' upgrade -y else 
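Review bot: In apply() of 1.8_install_updates.sh the re-indented `if [ $FNRET -gt 0 ]; then` reads FNRET without calling anything that sets it; the value comes from `apt_check_updates "CIS_APT"` in audit() in the hunk above, so unless the framework guarantees audit() runs before apply() (not visible here) FNRET may be unset and `[` fails with an integer-expression error instead of skipping the upgrade. It is also the only unquoted `$FNRET` in this chunk — the neighbouring scripts all write `"$FNRET"`. Suggest `if [ "${FNRET:-0}" -gt 0 ]; then` in both audit() and apply(); the apply() body continues past the end of the hunk.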
@@ -50,18 +50,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/2.1.1_disable_xinetd.sh b/bin/hardening/2.1.1_disable_xinetd.sh index 760b72a..6273a70 100755 --- a/bin/hardening/2.1.1_disable_xinetd.sh +++ b/bin/hardening/2.1.1_disable_xinetd.sh @@ -20,7 +20,7 @@ DESCRIPTION="Ensure xinetd is not enabled." PACKAGE='xinetd' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then crit "$PACKAGE is installed" @@ -30,7 +30,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then warn "$PACKAGE is installed, purging" 
@@ -48,18 +48,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/2.1.2_disable_bsd_inetd.sh b/bin/hardening/2.1.2_disable_bsd_inetd.sh index 2ae5469..3425e21 100755 --- a/bin/hardening/2.1.2_disable_bsd_inetd.sh +++ b/bin/hardening/2.1.2_disable_bsd_inetd.sh @@ -20,7 +20,7 @@ DESCRIPTION="Ensure bsd-inetd is not enabled." PACKAGES='openbsd-inetd inetutils-inetd' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { for PACKAGE in $PACKAGES; do is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then @@ -32,7 +32,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { for PACKAGE in $PACKAGES; do is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then 
@@ -52,18 +52,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/2.2.1.1_use_time_sync.sh b/bin/hardening/2.2.1.1_use_time_sync.sh index ffd33ab..2820d63 100755 --- a/bin/hardening/2.2.1.1_use_time_sync.sh +++ b/bin/hardening/2.2.1.1_use_time_sync.sh @@ -20,7 +20,7 @@ DESCRIPTION="Ensure time synchronization is in use" PACKAGES="ntp chrony" # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { FOUND=false for PACKAGE in $PACKAGES; do is_pkg_installed "$PACKAGE" @@ -29,13 +29,13 @@ audit () { FOUND=true fi done - if [ "$FOUND" = false ]; then + if [ "$FOUND" = false ]; then crit "None of the following time sync packages are installed: $PACKAGES" fi } # This function will be called if the script status is on enabled mode -apply () { +apply() { : } 
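Review bot: `apply() { : }` in 2.2.1.1_use_time_sync.sh is a silent no-op, so in enabled mode the crit raised by audit() (`None of the following time sync packages are installed`) is never remediated and nothing in the run log says so. Other scripts in this commit write `info "Not implemented yet"` for the same situation (1.7.2 on L56); using that here, or an `info` line stating that the operator must choose ntp or chrony, keeps the output honest. The same `:` body appears in apply() of 2.2.1.3_configure_chrony.sh on L63.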
@@ -46,22 +46,20 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi - # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 fi - diff --git a/bin/hardening/2.2.1.2_configure_ntp.sh b/bin/hardening/2.2.1.2_configure_ntp.sh index 69ab374..7e2b865 100755 --- a/bin/hardening/2.2.1.2_configure_ntp.sh +++ b/bin/hardening/2.2.1.2_configure_ntp.sh @@ -26,7 +26,7 @@ NTP_INIT_PATTERN='RUNASUSER=ntp' NTP_INIT_FILE='/etc/init.d/ntp' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { is_pkg_installed "$PACKAGE" if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" 
@@ -48,31 +48,31 @@ audit () {
 }
 
 # This function will be called if the script status is on enabled mode
-apply () {
- is_pkg_installed "$PACKAGE"
- if [ "$FNRET" = 0 ]; then
- ok "$PACKAGE is installed"
- else
- crit "$PACKAGE is absent, installing it"
- apt_install $PACKAGE
- info "Checking $PACKAGE configuration"
- fi
- does_pattern_exist_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN
- if [ "$FNRET" != 0 ]; then
- warn "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE, adding it"
- backup_file $NTP_CONF_FILE
- add_end_of_file $NTP_CONF_FILE "restrict -4 default kod notrap nomodify nopeer noquery"
- else
- ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
- fi
- does_pattern_exist_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN"
- if [ "$FNRET" != 0 ]; then
- warn "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE, adding it"
- backup_file $NTP_INIT_FILE
- add_line_file_before_pattern $NTP_INIT_FILE $NTP_INIT_PATTERN "^UGID"
- else
- ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
- fi
+apply() {
+ is_pkg_installed "$PACKAGE"
+ if [ "$FNRET" = 0 ]; then
+ ok "$PACKAGE is installed"
+ else
+ crit "$PACKAGE is absent, installing it"
+ apt_install $PACKAGE
+ info "Checking $PACKAGE configuration"
+ fi
+ does_pattern_exist_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN
+ if [ "$FNRET" != 0 ]; then
+ warn "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE, adding it"
+ backup_file $NTP_CONF_FILE
+ add_end_of_file $NTP_CONF_FILE "restrict -4 default kod notrap nomodify nopeer noquery"
+ else
+ ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
+ fi
+ does_pattern_exist_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN"
+ if [ "$FNRET" != 0 ]; then
+ warn "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE, adding it"
+ backup_file $NTP_INIT_FILE
+ add_line_file_before_pattern $NTP_INIT_FILE $NTP_INIT_PATTERN "^UGID"
+ else
+ ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
+ fi
 }
 
 # This function will check config parameters required
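Review bot: `does_pattern_exist_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN` in the rewritten apply() passes the pattern unquoted; NTP_CONF_DEFAULT_PATTERN is defined above the hunk, but if it contains whitespace like the `restrict -4 default …` line added a few lines below, the shell splits it into several arguments and the check cannot match. Since shfmt re-indented every line of the function, this was the moment to quote: `does_pattern_exist_in_file "$NTP_CONF_FILE" "$NTP_CONF_DEFAULT_PATTERN"` and `apt_install "$PACKAGE"`. Only the IPv4 `restrict -4 default` line is checked and added, while the CIS item also expects a matching `restrict -6 default …` line, so an ntpd with an IPv6 socket is left unrestricted after apply() reports ok — at minimum a `# TODO: restrict -6 not handled` comment next to the add_end_of_file call.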
@@ -82,18 +82,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/2.2.1.3_configure_chrony.sh b/bin/hardening/2.2.1.3_configure_chrony.sh index d1655a7..c5bc8ee 100755 --- a/bin/hardening/2.2.1.3_configure_chrony.sh +++ b/bin/hardening/2.2.1.3_configure_chrony.sh @@ -24,7 +24,7 @@ CONF_DEFAULT_PATTERN='^(server|pool)' CONF_FILE='/etc/chrony/chrony.conf' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { is_pkg_installed "$PACKAGE" if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" @@ -40,7 +40,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { : } 
@@ -51,18 +51,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/2.2.10_disable_http_server.sh b/bin/hardening/2.2.10_disable_http_server.sh index 317e9a0..6c15abe 100755 --- a/bin/hardening/2.2.10_disable_http_server.sh +++ b/bin/hardening/2.2.10_disable_http_server.sh @@ -23,7 +23,7 @@ HARDENING_EXCEPTION=http PACKAGES='nginx apache2 lighttpd micro-httpd mini-httpd yaws boa bozohttpd' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { for PACKAGE in $PACKAGES; do is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then @@ -35,7 +35,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { for PACKAGE in $PACKAGES; do is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then 
@@ -55,18 +55,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/2.2.11_disable_imap_pop.sh b/bin/hardening/2.2.11_disable_imap_pop.sh index 9fdde2f..f65df29 100755 --- a/bin/hardening/2.2.11_disable_imap_pop.sh +++ b/bin/hardening/2.2.11_disable_imap_pop.sh @@ -23,7 +23,7 @@ HARDENING_EXCEPTION=mail PACKAGES='citadel-server courier-imap cyrus-imapd-2.4 dovecot-imapd mailutils-imap4d courier-pop cyrus-pop3d-2.4 dovecot-pop3d heimdal-servers mailutils-pop3d popa3d solid-pop3d xmail' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { for PACKAGE in $PACKAGES; do is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then @@ -35,7 +35,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { for PACKAGE in $PACKAGES; do is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then 
@@ -55,18 +55,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/2.2.12_disable_samba.sh b/bin/hardening/2.2.12_disable_samba.sh index b426d6a..a015fff 100755 --- a/bin/hardening/2.2.12_disable_samba.sh +++ b/bin/hardening/2.2.12_disable_samba.sh @@ -23,7 +23,7 @@ PACKAGES='samba' SERVICE='smbd' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { for PACKAGE in $PACKAGES; do is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then @@ -41,7 +41,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { for PACKAGE in $PACKAGES; do is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then 
@@ -68,18 +68,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/2.2.13_disable_http_proxy.sh b/bin/hardening/2.2.13_disable_http_proxy.sh index 6ec07cc..199039c 100755 --- a/bin/hardening/2.2.13_disable_http_proxy.sh +++ b/bin/hardening/2.2.13_disable_http_proxy.sh @@ -22,7 +22,7 @@ HARDENING_EXCEPTION=http PACKAGES='squid3 squid' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { for PACKAGE in $PACKAGES; do is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then @@ -34,7 +34,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { for PACKAGE in $PACKAGES; do is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then 
@@ -54,18 +54,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/2.2.14_disable_snmp_server.sh b/bin/hardening/2.2.14_disable_snmp_server.sh index b5d18c5..12fe790 100755 --- a/bin/hardening/2.2.14_disable_snmp_server.sh +++ b/bin/hardening/2.2.14_disable_snmp_server.sh @@ -22,7 +22,7 @@ HARDENING_EXCEPTION=snmp PACKAGES='snmpd' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { for PACKAGE in $PACKAGES; do is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then @@ -34,7 +34,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { for PACKAGE in $PACKAGES; do is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then 
@@ -54,18 +54,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/2.2.15_mta_localhost.sh b/bin/hardening/2.2.15_mta_localhost.sh index 69724df..17246e5 100755 --- a/bin/hardening/2.2.15_mta_localhost.sh +++ b/bin/hardening/2.2.15_mta_localhost.sh @@ -20,7 +20,7 @@ DESCRIPTION="Configure Mail Transfert Agent for Local-Only Mode." HARDENING_EXCEPTION=mail # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { info "Checking netport ports opened" RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || : RESULT=${RESULT:-} @@ -29,7 +29,7 @@ audit () { ok "Nothing listens on 25 port, probably unix socket configured" else info "Checking $RESULT" - if $(grep -q "127.0.0.1" <<< $RESULT); then + if $(grep -q "127.0.0.1" <<<$RESULT); then ok "MTA is configured to localhost only" else crit "MTA listens worldwide" 
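Review bot: `if $(grep -q "127.0.0.1" <<<$RESULT); then` in audit() of 2.2.15_mta_localhost.sh still runs grep inside a command substitution and then executes its (empty) output as the command; it only works because bash falls back to the substitution's exit status (ShellCheck SC2091), and the commit changed only the spacing. The test is also wrong as an audit: `grep -q` succeeds when any listener line contains 127.0.0.1, so a host listening on both `127.0.0.1:25` and `0.0.0.0:25` (or `:::25`) is reported as localhost-only, while an `::1:25`-only listener is reported as listening worldwide. Something like `if ! grep -Ev '(127\.0\.0\.1|::1):25[[:space:]]' <<<"$RESULT" | grep -q .; then` checks that every port-25 listener is bound to loopback. The same construct appears in apply() on the next line (L70), which additionally drops `$SUDO_CMD` from its netstat call — presumably intended because apply runs as root, but worth a comment.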
@@ -38,7 +38,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { info "Checking netport ports opened" RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || : RESULT=${RESULT:-} @@ -47,7 +47,7 @@ apply () { ok "Nothing listens on 25 port, probably unix socket configured" else info "Checking $RESULT" - if $(grep -q "127.0.0.1" <<< $RESULT); then + if $(grep -q "127.0.0.1" <<<$RESULT); then ok "MTA is configured to localhost only" else warn "MTA listens worldwide, correct this considering your MTA" @@ -63,18 +63,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/2.2.16_disable_rsync.sh b/bin/hardening/2.2.16_disable_rsync.sh index e633fae..0019919 100755 --- a/bin/hardening/2.2.16_disable_rsync.sh +++ b/bin/hardening/2.2.16_disable_rsync.sh 
@@ -25,7 +25,7 @@ RSYNC_DEFAULT_FILE='/etc/default/rsync' RSYNC_DEFAULT_PATTERN_TO_SEARCH='RSYNC_ENABLE=true' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { is_pkg_installed "$PACKAGE" if [ "$FNRET" != 0 ]; then ok "$PACKAGE is not installed" @@ -41,7 +41,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { is_pkg_installed "$PACKAGE" if [ "$FNRET" != 0 ]; then ok "$PACKAGE is not installed" @@ -65,18 +65,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/2.2.18_disable_telnet_server.sh b/bin/hardening/2.2.18_disable_telnet_server.sh index 5adaf20..17a5b8b 100755 --- a/bin/hardening/2.2.18_disable_telnet_server.sh +++ b/bin/hardening/2.2.18_disable_telnet_server.sh @@ -25,7 +25,7 @@ FILE='/etc/inetd.conf' PATTERN='^telnet' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { for PACKAGE in $PACKAGES; do is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then 
@@ -48,7 +48,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { for PACKAGE in $PACKAGES; do is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then @@ -67,7 +67,7 @@ apply () { if [ "$FNRET" = 0 ]; then warn "$PATTERN is present in $FILE, purging it" backup_file $FILE - ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) + ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<<$PATTERN) sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE else ok "$PATTERN is not present in $FILE" @@ -83,18 +83,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/2.2.2_disable_xwindow_system.sh b/bin/hardening/2.2.2_disable_xwindow_system.sh index 4131e69..0cbe0f5 100755 --- a/bin/hardening/2.2.2_disable_xwindow_system.sh +++ b/bin/hardening/2.2.2_disable_xwindow_system.sh 
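Review bot: `sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE`, the context line right after the changed one in apply() of 2.2.18_disable_telnet_server.sh, is parsed by GNU sed as `-i` with backup suffix `e` rather than `-i -e`, so every purge leaves a stray copy at `/etc/inetd.confe` even though `backup_file $FILE` already took the real backup. Suggest `sed -i -e "s/$ESCAPED_PATTERN/#&/g" "$FILE"`. The enclosing apply() starts and ends outside this hunk.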
@@ -23,7 +23,7 @@ HARDENING_EXCEPTION=x11 PACKAGES='xserver-xorg-core xserver-xorg-core-dbg xserver-common xserver-xephyr xserver-xfbdev tightvncserver vnc4server fglrx-driver xvfb xserver-xorg-video-nvidia-legacy-173xx xserver-xorg-video-nvidia-legacy-96xx xnest' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { for PACKAGE in $PACKAGES; do is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then @@ -35,7 +35,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { for PACKAGE in $PACKAGES; do is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then @@ -55,18 +55,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/2.2.3_disable_avahi_server.sh b/bin/hardening/2.2.3_disable_avahi_server.sh index 1956d41..a2b2941 100755 --- a/bin/hardening/2.2.3_disable_avahi_server.sh +++ b/bin/hardening/2.2.3_disable_avahi_server.sh 
@@ -20,7 +20,7 @@ DESCRIPTION="Ensure Avahi server is not enabled." PACKAGES='avahi-daemon libavahi-common-data libavahi-common3 libavahi-core7' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { for PACKAGE in $PACKAGES; do is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then @@ -32,7 +32,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { for PACKAGE in $PACKAGES; do is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then @@ -52,18 +52,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/2.2.4_disable_print_server.sh b/bin/hardening/2.2.4_disable_print_server.sh index e28141b..9a2239e 100755 --- a/bin/hardening/2.2.4_disable_print_server.sh +++ b/bin/hardening/2.2.4_disable_print_server.sh 
@@ -22,7 +22,7 @@ HARDENING_EXCEPTION=cups PACKAGES='libcups2 libcupscgi1 libcupsimage2 libcupsmime1 libcupsppdc1 cups-common cups-client cups-ppdc libcupsfilters1 cups-filters cups' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { for PACKAGE in $PACKAGES; do is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then @@ -34,7 +34,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { for PACKAGE in $PACKAGES; do is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then @@ -54,18 +54,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/2.2.5_disable_dhcp.sh b/bin/hardening/2.2.5_disable_dhcp.sh index 53e8b9b..6d33622 100755 --- a/bin/hardening/2.2.5_disable_dhcp.sh +++ b/bin/hardening/2.2.5_disable_dhcp.sh 
@@ -22,7 +22,7 @@ HARDENING_EXCEPTION=dhcp
 PACKAGES='udhcpd isc-dhcp-server'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 for PACKAGE in $PACKAGES; do
 is_pkg_installed "$PACKAGE"
 if [ "$FNRET" = 0 ]; then
@@ -34,7 +34,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 for PACKAGE in $PACKAGES; do
 is_pkg_installed "$PACKAGE"
 if [ "$FNRET" = 0 ]; then
@@ -54,18 +54,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/2.2.6_disable_ldap.sh b/bin/hardening/2.2.6_disable_ldap.sh
index 8b9761b..09b4a0d 100755
--- a/bin/hardening/2.2.6_disable_ldap.sh
+++ b/bin/hardening/2.2.6_disable_ldap.sh
@@ -22,7 +22,7 @@ HARDENING_EXCEPTION=ldap
 PACKAGES='slapd'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 for PACKAGE in $PACKAGES; do
 is_pkg_installed "$PACKAGE"
 if [ "$FNRET" = 0 ]; then
@@ -34,7 +34,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 for PACKAGE in $PACKAGES; do
 is_pkg_installed "$PACKAGE"
 if [ "$FNRET" = 0 ]; then
@@ -54,18 +54,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/2.2.7_disable_nfs_rpc.sh b/bin/hardening/2.2.7_disable_nfs_rpc.sh
index 450f5af..f2b98cf 100755
--- a/bin/hardening/2.2.7_disable_nfs_rpc.sh
+++ b/bin/hardening/2.2.7_disable_nfs_rpc.sh
@@ -22,7 +22,7 @@ HARDENING_EXCEPTION=nfs
 PACKAGES='rpcbind nfs-kernel-server'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 for PACKAGE in $PACKAGES; do
 is_pkg_installed "$PACKAGE"
 if [ "$FNRET" = 0 ]; then
@@ -34,7 +34,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 for PACKAGE in $PACKAGES; do
 is_pkg_installed "$PACKAGE"
 if [ "$FNRET" = 0 ]; then
@@ -54,18 +54,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/2.2.8_disable_dns_server.sh b/bin/hardening/2.2.8_disable_dns_server.sh
index 3941234..b330da6 100755
--- a/bin/hardening/2.2.8_disable_dns_server.sh
+++ b/bin/hardening/2.2.8_disable_dns_server.sh
@@ -22,7 +22,7 @@ HARDENING_EXCEPTION=dns
 PACKAGES='bind9 unbound'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 for PACKAGE in $PACKAGES; do
 is_pkg_installed "$PACKAGE"
 if [ "$FNRET" = 0 ]; then
@@ -34,7 +34,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 for PACKAGE in $PACKAGES; do
 is_pkg_installed "$PACKAGE"
 if [ "$FNRET" = 0 ]; then
@@ -54,18 +54,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/2.2.9_disable_ftp.sh b/bin/hardening/2.2.9_disable_ftp.sh
index 9fff5ca..e0932d4 100755
--- a/bin/hardening/2.2.9_disable_ftp.sh
+++ b/bin/hardening/2.2.9_disable_ftp.sh
@@ -23,7 +23,7 @@ HARDENING_EXCEPTION=ftp
 PACKAGES='ftpd ftpd-ssl heimdal-servers inetutils-ftpd krb5-ftpd muddleftpd proftpd-basic pure-ftpd pure-ftpd-ldap pure-ftpd-mysql pure-ftpd-postgresql twoftpd-run vsftpd wzdftpd'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 for PACKAGE in $PACKAGES; do
 is_pkg_installed "$PACKAGE"
 if [ "$FNRET" = 0 ]; then
@@ -35,7 +35,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 for PACKAGE in $PACKAGES; do
 is_pkg_installed "$PACKAGE"
 if [ "$FNRET" = 0 ]; then
@@ -55,18 +55,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/2.3.1_disable_nis.sh b/bin/hardening/2.3.1_disable_nis.sh
index 9a9ae5d..113ff15 100755
--- a/bin/hardening/2.3.1_disable_nis.sh
+++ b/bin/hardening/2.3.1_disable_nis.sh
@@ -20,7 +20,7 @@ DESCRIPTION="Ensure that Network Information Service is not installed. Recommend
 PACKAGE='nis'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 is_pkg_installed "$PACKAGE"
 if [ "$FNRET" = 0 ]; then
 crit "$PACKAGE is installed!"
@@ -31,7 +31,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 is_pkg_installed "$PACKAGE"
 if [ "$FNRET" = 0 ]; then
 crit "$PACKAGE is installed, purging it"
@@ -49,18 +49,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/2.3.2_disable_rsh_client.sh b/bin/hardening/2.3.2_disable_rsh_client.sh
index 8bc854d..b93b0fc 100755
--- a/bin/hardening/2.3.2_disable_rsh_client.sh
+++ b/bin/hardening/2.3.2_disable_rsh_client.sh
@@ -21,8 +21,8 @@ DESCRIPTION="Ensure rsh client is not installed, Recommended alternative : ssh."
 PACKAGES='rsh-client rsh-redone-client heimdal-clients'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
- for PACKAGE in $PACKAGES; do
+audit() {
+ for PACKAGE in $PACKAGES; do
 is_pkg_installed "$PACKAGE"
 if [ "$FNRET" = 0 ]; then
 crit "$PACKAGE is installed"
@@ -33,8 +33,8 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
- for PACKAGE in $PACKAGES; do
+apply() {
+ for PACKAGE in $PACKAGES; do
 is_pkg_installed "$PACKAGE"
 if [ "$FNRET" = 0 ]; then
 warn "$PACKAGE is installed, purging"
@@ -53,18 +53,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/2.3.3_disable_talk_client.sh b/bin/hardening/2.3.3_disable_talk_client.sh
index 345c6b2..4a63035 100755
--- a/bin/hardening/2.3.3_disable_talk_client.sh
+++ b/bin/hardening/2.3.3_disable_talk_client.sh
@@ -20,7 +20,7 @@ DESCRIPTION="Ensure talk client is not installed."
 PACKAGES='talk inetutils-talk'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 for PACKAGE in $PACKAGES; do
 is_pkg_installed "$PACKAGE"
 if [ "$FNRET" = 0 ]; then
@@ -32,7 +32,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 for PACKAGE in $PACKAGES; do
 is_pkg_installed "$PACKAGE"
 if [ "$FNRET" = 0 ]; then
@@ -52,18 +52,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/2.3.4_disable_telnet_client.sh b/bin/hardening/2.3.4_disable_telnet_client.sh
index dc96166..00b75cf 100755
--- a/bin/hardening/2.3.4_disable_telnet_client.sh
+++ b/bin/hardening/2.3.4_disable_telnet_client.sh
@@ -20,7 +20,7 @@ DESCRIPTION="Ensure telnet client is not installed."
 PACKAGES='telnet'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 for PACKAGE in $PACKAGES; do
 is_pkg_installed "$PACKAGE"
 if [ "$FNRET" = 0 ]; then
@@ -32,7 +32,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 for PACKAGE in $PACKAGES; do
 is_pkg_installed "$PACKAGE"
 if [ "$FNRET" = 0 ]; then
@@ -52,18 +52,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/2.3.5_disable_ldap_client.sh b/bin/hardening/2.3.5_disable_ldap_client.sh
index 1204ac5..ef1141d 100755
--- a/bin/hardening/2.3.5_disable_ldap_client.sh
+++ b/bin/hardening/2.3.5_disable_ldap_client.sh
@@ -20,7 +20,7 @@ DESCRIPTION="Ensure ldap client is not installed."
 PACKAGES='ldap-utils'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 for PACKAGE in $PACKAGES; do
 is_pkg_installed "$PACKAGE"
 if [ "$FNRET" = 0 ]; then
@@ -32,7 +32,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 for PACKAGE in $PACKAGES; do
 is_pkg_installed "$PACKAGE"
 if [ "$FNRET" = 0 ]; then
@@ -52,18 +52,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/3.1.1_disable_ip_forwarding.sh b/bin/hardening/3.1.1_disable_ip_forwarding.sh
index 5a233f3..6721066 100755
--- a/bin/hardening/3.1.1_disable_ip_forwarding.sh
+++ b/bin/hardening/3.1.1_disable_ip_forwarding.sh
@@ -1,6 +1,5 @@
 #!/bin/bash
-
 # run-shellcheck
 #
 # CIS Debian Hardening
@@ -23,7 +22,7 @@ SYSCTL_PARAMS='net.ipv4.ip_forward net.ipv6.conf.all.forwarding'
 SYSCTL_EXP_RESULT=0
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 for SYSCTL_PARAM in $SYSCTL_PARAMS; do
 does_sysctl_param_exists "net.ipv6"
 if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_PARAM =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
@@ -40,13 +39,13 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 for SYSCTL_PARAM in $SYSCTL_PARAMS; do
 has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 if [ "$FNRET" != 0 ]; then
 warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
 set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
- sysctl -w net.ipv4.route.flush=1 > /dev/null
+ sysctl -w net.ipv4.route.flush=1 >/dev/null
 elif [ "$FNRET" = 255 ]; then
 warn "$SYSCTL_PARAM does not exist -- Typo?"
 else
@@ -62,18 +61,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/3.1.2_disable_send_packet_redirects.sh b/bin/hardening/3.1.2_disable_send_packet_redirects.sh
index 8a392ec..aa4d2dc 100755
--- a/bin/hardening/3.1.2_disable_send_packet_redirects.sh
+++ b/bin/hardening/3.1.2_disable_send_packet_redirects.sh
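Review bot: The `elif [ "$FNRET" = 255 ]` branch in apply() can never run, because the preceding `if [ "$FNRET" != 0 ]` already matches 255, so a sysctl that does not exist is handed to set_sysctl_param and the "does not exist -- Typo?" warning is dead code. Testing the sentinel first restores the intended flow: `if [ "$FNRET" = 255 ]; then` for the typo warning, then `elif [ "$FNRET" != 0 ]; then` for the fix-up. The same ordering appears in the apply() hunks of 3.1.2_disable_send_packet_redirects.sh, 3.2.1_disable_source_routed_packets.sh, 3.2.2_disable_icmp_redirect.sh, 3.2.3_disable_secure_icmp_redirect.sh, 3.2.4_log_martian_packets.sh, 3.2.5_ignore_broadcast_requests.sh and 3.2.6_enable_bad_error_message_protection.sh; the audit() hunks open with the same `!= 0` test but are cut before any elif, so they may share it. While here, `set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT` is the one unquoted call in a block that otherwise quotes both variables, and since the file carries `# run-shellcheck`, `set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"` keeps the lint clean. apply()'s else branch continues outside the hunk.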
@@ -22,7 +22,7 @@ DESCRIPTION="Disable send packet redirects to prevent malicious ICMP corruption.
 SYSCTL_PARAMS='net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 for SYSCTL_VALUES in $SYSCTL_PARAMS; do
 SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
 SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@@ -39,7 +39,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 for SYSCTL_VALUES in $SYSCTL_PARAMS; do
 SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
 SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@@ -48,7 +48,7 @@ apply () {
 if [ "$FNRET" != 0 ]; then
 warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
 set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
- sysctl -w net.ipv4.route.flush=1 > /dev/null
+ sysctl -w net.ipv4.route.flush=1 >/dev/null
 elif [ "$FNRET" = 255 ]; then
 warn "$SYSCTL_PARAM does not exist -- Typo?"
 else
@@ -64,18 +64,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/3.2.1_disable_source_routed_packets.sh b/bin/hardening/3.2.1_disable_source_routed_packets.sh
index 95890c6..b960f25 100755
--- a/bin/hardening/3.2.1_disable_source_routed_packets.sh
+++ b/bin/hardening/3.2.1_disable_source_routed_packets.sh
@@ -20,7 +20,7 @@ DESCRIPTION="Disable source routed packet acceptance."
 SYSCTL_PARAMS=''
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 for SYSCTL_VALUES in $SYSCTL_PARAMS; do
 does_sysctl_param_exists "net.ipv6"
 if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
@@ -40,7 +40,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 for SYSCTL_VALUES in $SYSCTL_PARAMS; do
 SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
 SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
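Review bot: `SYSCTL_PARAMS=''` is the list that both the audit() loop in this hunk and the apply() loop in the next one iterate over, so unless check_config() (outside this hunk) assigns it, both loops run zero times and the control reports nothing instead of a finding. If the late assignment is the design, a comment on the empty initialiser such as `# filled in by check_config() once IPv6 availability is known` would save the next reader the same question; if it is not, an explicit `[ -n "$SYSCTL_PARAMS" ] || crit "SYSCTL_PARAMS is empty"` before the loop turns the silent pass into a visible failure. `does_sysctl_param_exists "net.ipv6"` is also re-run on every iteration although its answer does not depend on the loop variable, so it can be hoisted above the `for`. The same two points apply to the audit() hunk of 3.2.2_disable_icmp_redirect.sh. audit()'s body continues outside the hunk.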
@@ -49,7 +49,7 @@ apply () {
 if [ "$FNRET" != 0 ]; then
 warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT value -- Fixing"
 set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
- sysctl -w net.ipv4.route.flush=1 > /dev/null
+ sysctl -w net.ipv4.route.flush=1 >/dev/null
 elif [ "$FNRET" = 255 ]; then
 warn "$SYSCTL_PARAM does not exist -- Typo?"
 else
@@ -73,18 +73,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/3.2.2_disable_icmp_redirect.sh b/bin/hardening/3.2.2_disable_icmp_redirect.sh
index 62ab01a..fd58e27 100755
--- a/bin/hardening/3.2.2_disable_icmp_redirect.sh
+++ b/bin/hardening/3.2.2_disable_icmp_redirect.sh
@@ -20,14 +20,14 @@ DESCRIPTION="Disable ICMP redirect acceptance to prevent routing table corruptio
 SYSCTL_PARAMS=''
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 for SYSCTL_VALUES in $SYSCTL_PARAMS; do
 does_sysctl_param_exists "net.ipv6"
 if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
 SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
 SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
 debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
-
+
 has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
 if [ "$FNRET" != 0 ]; then
 crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
@@ -41,7 +41,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 for SYSCTL_VALUES in $SYSCTL_PARAMS; do
 SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
 SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@@ -50,7 +50,7 @@ apply () {
 if [ "$FNRET" != 0 ]; then
 warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
 set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
- sysctl -w net.ipv4.route.flush=1 > /dev/null
+ sysctl -w net.ipv4.route.flush=1 >/dev/null
 elif [ "$FNRET" = 255 ]; then
 warn "$SYSCTL_PARAM does not exist -- Typo?"
 else
@@ -74,18 +74,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/3.2.3_disable_secure_icmp_redirect.sh b/bin/hardening/3.2.3_disable_secure_icmp_redirect.sh
index b74a9d1..597fc78 100755
--- a/bin/hardening/3.2.3_disable_secure_icmp_redirect.sh
+++ b/bin/hardening/3.2.3_disable_secure_icmp_redirect.sh
@@ -20,7 +20,7 @@ DESCRIPTION="Disable secure ICMP redirect acceptance to prevent routing tables c
 SYSCTL_PARAMS='net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure_redirects=0'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 for SYSCTL_VALUES in $SYSCTL_PARAMS; do
 SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
 SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@@ -37,7 +37,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 for SYSCTL_VALUES in $SYSCTL_PARAMS; do
 SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
 SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@@ -46,7 +46,7 @@ apply () {
 if [ "$FNRET" != 0 ]; then
 warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
 set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
- sysctl -w net.ipv4.route.flush=1 > /dev/null
+ sysctl -w net.ipv4.route.flush=1 >/dev/null
 elif [ "$FNRET" = 255 ]; then
 warn "$SYSCTL_PARAM does not exist -- Typo?"
 else
@@ -62,18 +62,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/3.2.4_log_martian_packets.sh b/bin/hardening/3.2.4_log_martian_packets.sh
index 9d56f0c..3292810 100755
--- a/bin/hardening/3.2.4_log_martian_packets.sh
+++ b/bin/hardening/3.2.4_log_martian_packets.sh
@@ -20,7 +20,7 @@ DESCRIPTION="Log suspicious packets, like spoofed packets."
 SYSCTL_PARAMS='net.ipv4.conf.all.log_martians=1 net.ipv4.conf.default.log_martians=1'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 for SYSCTL_VALUES in $SYSCTL_PARAMS; do
 SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
 SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@@ -37,7 +37,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 for SYSCTL_VALUES in $SYSCTL_PARAMS; do
 SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
 SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@@ -46,7 +46,7 @@ apply () {
 if [ "$FNRET" != 0 ]; then
 warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
 set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
- sysctl -w net.ipv4.route.flush=1 > /dev/null
+ sysctl -w net.ipv4.route.flush=1 >/dev/null
 elif [ "$FNRET" = 255 ]; then
 warn "$SYSCTL_PARAM does not exist -- Typo?"
 else
@@ -62,18 +62,18 @@ check_config() {
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
 . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
 exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
 . "$CIS_ROOT_DIR"/lib/main.sh
 else
 echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/3.2.5_ignore_broadcast_requests.sh b/bin/hardening/3.2.5_ignore_broadcast_requests.sh
index 953ab2a..9d12a22 100755
--- a/bin/hardening/3.2.5_ignore_broadcast_requests.sh
+++ b/bin/hardening/3.2.5_ignore_broadcast_requests.sh
@@ -20,7 +20,7 @@ DESCRIPTION="Ignore broadcast requests to prevent attacks such as Smurf attack."
 SYSCTL_PARAMS='net.ipv4.icmp_echo_ignore_broadcasts=1'
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
 for SYSCTL_VALUES in $SYSCTL_PARAMS; do
 SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
 SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@@ -37,7 +37,7 @@ audit () {
 }
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
 for SYSCTL_VALUES in $SYSCTL_PARAMS; do
 SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
 SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@@ -46,7 +46,7 @@ apply () {
 if [ "$FNRET" != 0 ]; then
 warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
 set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
- sysctl -w net.ipv4.route.flush=1 > /dev/null
+ sysctl -w net.ipv4.route.flush=1 >/dev/null
 elif [ "$FNRET" = 255 ]; then
 warn "$SYSCTL_PARAM does not exist -- Typo?"
 else
@@ -62,18 +62,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/3.2.6_enable_bad_error_message_protection.sh b/bin/hardening/3.2.6_enable_bad_error_message_protection.sh index 35ec96a..e66d3cd 100755 --- a/bin/hardening/3.2.6_enable_bad_error_message_protection.sh +++ b/bin/hardening/3.2.6_enable_bad_error_message_protection.sh @@ -20,7 +20,7 @@ DESCRIPTION="Enable bad error message protection to prevent logfiles fillup." SYSCTL_PARAMS='net.ipv4.icmp_ignore_bogus_error_responses=1' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { for SYSCTL_VALUES in $SYSCTL_PARAMS; do SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) @@ -37,7 +37,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { for SYSCTL_VALUES in $SYSCTL_PARAMS; do SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) 
@@ -46,7 +46,7 @@ apply () { if [ "$FNRET" != 0 ]; then warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT - sysctl -w net.ipv4.route.flush=1 > /dev/null + sysctl -w net.ipv4.route.flush=1 >/dev/null elif [ "$FNRET" = 255 ]; then warn "$SYSCTL_PARAM does not exist -- Typo?" else @@ -62,20 +62,20 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 -fi \ No newline at end of file +fi diff --git a/bin/hardening/3.2.7_enable_source_route_validation.sh b/bin/hardening/3.2.7_enable_source_route_validation.sh index 8b0faed..908824e 100755 --- a/bin/hardening/3.2.7_enable_source_route_validation.sh +++ b/bin/hardening/3.2.7_enable_source_route_validation.sh 
@@ -20,7 +20,7 @@ DESCRIPTION="Enable RFC-recommended source route validation." SYSCTL_PARAMS='net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { for SYSCTL_VALUES in $SYSCTL_PARAMS; do SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) @@ -37,7 +37,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { for SYSCTL_VALUES in $SYSCTL_PARAMS; do SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) @@ -46,7 +46,7 @@ apply () { if [ "$FNRET" != 0 ]; then warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT - sysctl -w net.ipv4.route.flush=1 > /dev/null + sysctl -w net.ipv4.route.flush=1 >/dev/null elif [ "$FNRET" = 255 ]; then warn "$SYSCTL_PARAM does not exist -- Typo?" else 
@@ -62,18 +62,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/3.2.8_enable_tcp_syn_cookies.sh b/bin/hardening/3.2.8_enable_tcp_syn_cookies.sh index f44cf75..68df5d2 100755 --- a/bin/hardening/3.2.8_enable_tcp_syn_cookies.sh +++ b/bin/hardening/3.2.8_enable_tcp_syn_cookies.sh @@ -20,7 +20,7 @@ DESCRIPTION="Enable TCP-SYN cookie to prevent TCP-SYN flood attack." SYSCTL_PARAMS='net.ipv4.tcp_syncookies=1' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { for SYSCTL_VALUES in $SYSCTL_PARAMS; do SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) @@ -37,7 +37,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { for SYSCTL_VALUES in $SYSCTL_PARAMS; do SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) 
@@ -46,7 +46,7 @@ apply () { if [ "$FNRET" != 0 ]; then warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT - sysctl -w net.ipv4.route.flush=1 > /dev/null + sysctl -w net.ipv4.route.flush=1 >/dev/null elif [ "$FNRET" = 255 ]; then warn "$SYSCTL_PARAM does not exist -- Typo?" else @@ -62,18 +62,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/3.2.9_disable_ipv6_router_advertisement.sh b/bin/hardening/3.2.9_disable_ipv6_router_advertisement.sh index 974933f..f387d38 100755 --- a/bin/hardening/3.2.9_disable_ipv6_router_advertisement.sh +++ b/bin/hardening/3.2.9_disable_ipv6_router_advertisement.sh @@ -20,7 +20,7 @@ DESCRIPTION="Disable IPv6 router advertisements." SYSCTL_PARAMS='net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { does_sysctl_param_exists "net.ipv6" if [ "$FNRET" != 0 ]; then ok "ipv6 is disabled" 
@@ -42,7 +42,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { does_sysctl_param_exists "net.ipv6" if [ "$FNRET" != 0 ]; then ok "ipv6 is disabled" @@ -55,7 +55,7 @@ apply () { if [ "$FNRET" != 0 ]; then warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT, fixing" set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT - sysctl -w net.ipv4.route.flush=1 > /dev/null + sysctl -w net.ipv4.route.flush=1 >/dev/null elif [ "$FNRET" = 255 ]; then warn "$SYSCTL_PARAM does not exist -- Typo?" else @@ -72,18 +72,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/3.3.1_install_tcp_wrapper.sh b/bin/hardening/3.3.1_install_tcp_wrapper.sh index 901939a..73b9432 100755 --- a/bin/hardening/3.3.1_install_tcp_wrapper.sh +++ b/bin/hardening/3.3.1_install_tcp_wrapper.sh 
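Review bot: In 3.2.9_disable_ipv6_router_advertisement.sh the reformatted line `sysctl -w net.ipv4.route.flush=1 >/dev/null` flushes the IPv4 route cache, but the parameters this script sets are `net.ipv6.conf.all.accept_ra` and `net.ipv6.conf.default.accept_ra`; the IPv6 counterpart is `sysctl -w net.ipv6.route.flush=1 >/dev/null`. With stdout silenced and the exit status unchecked, a flush that fails is also invisible in the log, so consider at least keeping stderr. The enclosing apply() starts in the previous hunk and ends after this one.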
@@ -20,7 +20,7 @@ DESCRIPTION="Install TCP wrappers for simple access list management and standard PACKAGE='tcpd' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { is_pkg_installed "$PACKAGE" if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" @@ -30,14 +30,14 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { - is_pkg_installed "$PACKAGE" - if [ "$FNRET" = 0 ]; then - ok "$PACKAGE is installed" - else - crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE - fi +apply() { + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi } # This function will check config parameters required @@ -47,18 +47,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/3.3.2_hosts_allow.sh b/bin/hardening/3.3.2_hosts_allow.sh index bb9d7a4..c90e572 100755 --- a/bin/hardening/3.3.2_hosts_allow.sh +++ b/bin/hardening/3.3.2_hosts_allow.sh 
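Review bot: The re-indented apply() in 3.3.1_install_tcp_wrapper.sh logs its own remediation as `crit "$PACKAGE is absent, installing it"`, which records an action the script is about to fix as a critical finding; the last apply() hunk in this chunk uses `warn` for the identical situation, so `warn "$PACKAGE is absent, installing it"` keeps the severity consistent. `apt_install $PACKAGE` should also quote its argument, `apt_install "$PACKAGE"`, as the audit() hunk above already does with `is_pkg_installed "$PACKAGE"`. The same two lines appear in the apply() hunk of 3.5_enable_firewall.sh.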
@@ -20,7 +20,7 @@ DESCRIPTION="Create /etc/hosts.allow ." FILE='/etc/hosts.allow' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { does_file_exist $FILE if [ "$FNRET" != 0 ]; then crit "$FILE does not exist" @@ -30,7 +30,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { does_file_exist $FILE if [ "$FNRET" != 0 ]; then warn "$FILE does not exist, creating it" @@ -48,18 +48,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/3.3.3_hosts_deny.sh b/bin/hardening/3.3.3_hosts_deny.sh index f8e444f..c7d4e0d 100755 --- a/bin/hardening/3.3.3_hosts_deny.sh +++ b/bin/hardening/3.3.3_hosts_deny.sh @@ -21,7 +21,7 @@ FILE='/etc/hosts.deny' PATTERN='ALL: ALL' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { does_file_exist $FILE if [ "$FNRET" != 0 ]; then crit "$FILE does not exist" 
@@ -37,7 +37,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { does_file_exist $FILE if [ "$FNRET" != 0 ]; then warn "$FILE does not exist, creating it" @@ -62,18 +62,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/3.3.4_hosts_allow_permissions.sh b/bin/hardening/3.3.4_hosts_allow_permissions.sh index bb9e8b5..47fb315 100755 --- a/bin/hardening/3.3.4_hosts_allow_permissions.sh +++ b/bin/hardening/3.3.4_hosts_allow_permissions.sh @@ -23,7 +23,7 @@ USER='root' GROUP='root' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { has_file_correct_permissions "$FILE" "$PERMISSIONS" if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" @@ -39,7 +39,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { has_file_correct_permissions "$FILE" "$PERMISSIONS" if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" 
@@ -56,18 +56,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/3.3.5_hosts_deny_permissions.sh b/bin/hardening/3.3.5_hosts_deny_permissions.sh index 22c8288..51b4cda 100755 --- a/bin/hardening/3.3.5_hosts_deny_permissions.sh +++ b/bin/hardening/3.3.5_hosts_deny_permissions.sh @@ -23,7 +23,7 @@ USER='root' GROUP='root' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { has_file_correct_permissions "$FILE" "$PERMISSIONS" if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" @@ -39,7 +39,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { has_file_correct_permissions "$FILE" "$PERMISSIONS" if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" 
@@ -56,18 +56,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/3.4.1_disable_dccp.sh b/bin/hardening/3.4.1_disable_dccp.sh index 0745f62..53ac32e 100755 --- a/bin/hardening/3.4.1_disable_dccp.sh +++ b/bin/hardening/3.4.1_disable_dccp.sh @@ -18,12 +18,12 @@ HARDENING_LEVEL=2 DESCRIPTION="Disable Datagram Congestion Control Protocol (DCCP)." # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { info "Not implemented yet" } # This function will be called if the script status is on enabled mode -apply () { +apply() { info "Not implemented yet" } 
@@ -34,18 +34,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/3.4.2_disable_sctp.sh b/bin/hardening/3.4.2_disable_sctp.sh index 0663987..080d3cc 100755 --- a/bin/hardening/3.4.2_disable_sctp.sh +++ b/bin/hardening/3.4.2_disable_sctp.sh @@ -18,12 +18,12 @@ HARDENING_LEVEL=2 DESCRIPTION="Disable Stream Control Transmission Protocol (SCTP)." # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { info "Not implemented yet" } # This function will be called if the script status is on enabled mode -apply () { +apply() { info "Not implemented yet" } 
@@ -34,18 +34,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/3.4.3_disable_rds.sh b/bin/hardening/3.4.3_disable_rds.sh index 3851b71..651d7a9 100755 --- a/bin/hardening/3.4.3_disable_rds.sh +++ b/bin/hardening/3.4.3_disable_rds.sh @@ -18,12 +18,12 @@ HARDENING_LEVEL=2 DESCRIPTION="Disable Reliable Datagram Sockets (RDS)." # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { info "Not implemented yet" } # This function will be called if the script status is on enabled mode -apply () { +apply() { info "Not implemented yet" } 
@@ -34,18 +34,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/3.4.4_disable_tipc.sh b/bin/hardening/3.4.4_disable_tipc.sh index 8b529e5..06a8445 100755 --- a/bin/hardening/3.4.4_disable_tipc.sh +++ b/bin/hardening/3.4.4_disable_tipc.sh @@ -18,12 +18,12 @@ HARDENING_LEVEL=2 DESCRIPTION="Disable Transperent Inter-Process Communication (TIPC)." # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { info "Not implemented yet" } # This function will be called if the script status is on enabled mode -apply () { +apply() { info "Not implemented yet" } 
@@ -34,18 +34,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/3.5.1.1_net_fw_default_policy_drop.sh b/bin/hardening/3.5.1.1_net_fw_default_policy_drop.sh index 4cbadb1..8b5033e 100755 --- a/bin/hardening/3.5.1.1_net_fw_default_policy_drop.sh +++ b/bin/hardening/3.5.1.1_net_fw_default_policy_drop.sh @@ -22,12 +22,12 @@ FW_CHAINS="INPUT FORWARD" FW_POLICY="DROP" # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { is_pkg_installed "$PACKAGE" if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" else - ipt=$($SUDO_CMD $PACKAGE -nL 2>/dev/null || true ) + ipt=$($SUDO_CMD $PACKAGE -nL 2>/dev/null || true) if [[ -z $ipt ]]; then crit "Empty return from $PACKAGE command. Aborting..." return @@ -50,7 +50,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { : } 
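Review bot: In the audit() hunk of 3.5.1.1_net_fw_default_policy_drop.sh, `ipt=$($SUDO_CMD $PACKAGE -nL 2>/dev/null || true)` discards the tool's stderr, so the `Empty return from $PACKAGE command. Aborting...` branch cannot distinguish a permission error or a missing netfilter module from a genuinely empty rule set, and `$PACKAGE` is unquoted. Dropping the `2>/dev/null` so the error reaches the log, `ipt=$($SUDO_CMD "$PACKAGE" -nL || true)`, makes that crit actionable without changing the empty-output check. The rest of audit() continues past the hunk.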
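Review bot: `apply()` in 3.5.1.1_net_fw_default_policy_drop.sh is a bare `:`, so enabled mode silently does nothing while audit() can still report a wrong default policy on `$FW_CHAINS`; the other unimplemented scripts in this chunk (3.4.1 through 3.4.4, 3.6) at least print `info "Not implemented yet"`. Either apply the audited policy or make the no-op visible, e.g. `info "Not implemented yet"`, so an operator reading the enabled-mode log does not assume the DROP policy was set.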
@@ -61,12 +61,12 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi diff --git a/bin/hardening/3.5_enable_firewall.sh b/bin/hardening/3.5_enable_firewall.sh index e02dbfb..5529961 100755 --- a/bin/hardening/3.5_enable_firewall.sh +++ b/bin/hardening/3.5_enable_firewall.sh @@ -17,13 +17,13 @@ HARDENING_LEVEL=2 # shellcheck disable=2034 DESCRIPTION="Ensure firewall is active (iptables is installed, does not check for its configuration)." -# Quick note here : CIS recommends your iptables rules to be persistent. +# Quick note here : CIS recommends your iptables rules to be persistent. # Do as you want, but this script does not handle this PACKAGE='iptables' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { is_pkg_installed "$PACKAGE" if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" @@ -33,14 +33,14 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { - is_pkg_installed "$PACKAGE" - if [ "$FNRET" = 0 ]; then - ok "$PACKAGE is installed" - else - crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE - fi +apply() { + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi } # This function will check config parameters required 
@@ -50,18 +50,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/3.6_disable_wireless.sh b/bin/hardening/3.6_disable_wireless.sh index f167e34..f11b039 100755 --- a/bin/hardening/3.6_disable_wireless.sh +++ b/bin/hardening/3.6_disable_wireless.sh @@ -18,12 +18,12 @@ HARDENING_LEVEL=3 DESCRIPTION="Deactivate wireless interfaces." # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { info "Not implemented yet" } # This function will be called if the script status is on enabled mode -apply () { +apply() { info "Not implemented yet" } 
@@ -34,14 +34,14 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." - exit 128 -fi + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." + exit 128 +fi ## Source Root Dir Parameter #if [ ! -r /etc/default/cis-hardening ]; then # echo "There is no /etc/default/cis-hardening file, cannot source CIS_ROOT_DIR variable, aborting" @@ -53,11 +53,11 @@ fi # echo "No CIS_ROOT_DIR variable, aborting" # exit 128 # fi -#fi +#fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/3.7_disable_ipv6.sh b/bin/hardening/3.7_disable_ipv6.sh index 746b21e..bf399fe 100755 --- a/bin/hardening/3.7_disable_ipv6.sh +++ b/bin/hardening/3.7_disable_ipv6.sh @@ -20,7 +20,7 @@ DESCRIPTION="Disable IPv6." SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { does_sysctl_param_exists "net.ipv6" if [ "$FNRET" != 0 ]; then ok "ipv6 is disabled" 
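Review bot: The check_config hunk in 3.6_disable_wireless.sh carries a commented-out copy of an older root-dir check (`## Source Root Dir Parameter` … `#fi`) that the formatter now touches as well; it duplicates the live `if [ -r /etc/default/cis-hardening ]` block above it and no other script in this chunk keeps such a remnant. Delete the dead block instead of reformatting it, so the file matches its siblings.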
@@ -42,7 +42,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { does_sysctl_param_exists "net.ipv6" if [ "$FNRET" != 0 ]; then ok "ipv6 is disabled" @@ -72,18 +72,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/4.1.1.1_audit_log_storage.sh b/bin/hardening/4.1.1.1_audit_log_storage.sh index cc2ec34..f182ca8 100755 --- a/bin/hardening/4.1.1.1_audit_log_storage.sh +++ b/bin/hardening/4.1.1.1_audit_log_storage.sh @@ -22,7 +22,7 @@ PATTERN='max_log_file' VALUE=5 # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { does_file_exist $FILE if [ "$FNRET" != 0 ]; then crit "$FILE does not exist" @@ -38,7 +38,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { does_file_exist $FILE if [ "$FNRET" != 0 ]; then warn "$FILE does not exist, creating it" 
@@ -62,18 +62,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh b/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh index 2b7c2fa..2e33bc4 100755 --- a/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh +++ b/bin/hardening/4.1.1.2_halt_when_audit_log_full.sh 
@@ -21,29 +21,29 @@ FILE='/etc/audit/auditd.conf' OPTIONS='' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { does_file_exist $FILE if [ "$FNRET" != 0 ]; then crit "$FILE does not exist" else ok "$FILE exists, checking configuration" for AUDIT_OPTION in $OPTIONS; do - AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1) - AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2) - PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE" - debug "$AUDIT_PARAM should be set to $AUDIT_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" - if [ "$FNRET" != 0 ]; then - crit "$PATTERN is not present in $FILE" - else - ok "$PATTERN is present in $FILE" - fi + AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1) + AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2) + PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE" + debug "$AUDIT_PARAM should be set to $AUDIT_VALUE" + does_pattern_exist_in_file $FILE "$PATTERN" + if [ "$FNRET" != 0 ]; then + crit "$PATTERN is not present in $FILE" + else + ok "$PATTERN is present in $FILE" + fi done fi } # This function will be called if the script status is on enabled mode -apply () { +apply() { does_file_exist $FILE if [ "$FNRET" != 0 ]; then warn "$FILE does not exist, creating it" @@ -79,7 +79,7 @@ check_config() { } create_config() { - cat << EOF + cat < /dev/null 2>&1 - update-rc.d $SERVICE_NAME defaults > /dev/null 2>&1 - fi +apply() { + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then + ok "$PACKAGE is installed" + else + warn "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + is_service_enabled "$SERVICE_NAME" + if [ "$FNRET" = 0 ]; then + ok "$SERVICE_NAME is enabled" + else + warn "$SERVICE_NAME is not enabled, enabling it" + update-rc.d $SERVICE_NAME remove >/dev/null 2>&1 + update-rc.d $SERVICE_NAME defaults >/dev/null 2>&1 + fi } # This function will check config parameters required 
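Review bot: In audit(), `AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)` and the AUDIT_VALUE line below it spawn two pipelines per option and word-split the unquoted `$AUDIT_OPTION`; parameter expansion does the same split without a subshell: `AUDIT_PARAM=${AUDIT_OPTION%%=*}` and `AUDIT_VALUE=${AUDIT_OPTION#*=}`. The `#*=` form also keeps a value that itself contains `=`, which `cut -f 2` would truncate. AUDIT_VALUE is then interpolated unescaped into `PATTERN`, which does_pattern_exist_in_file presumably treats as a regular expression, so a value containing `.` or `*` matches more than the literal setting — worth a comment on the PATTERN line. The same echo|cut construction appears in the audit hunk of 4.1.3_audit_bootloader.sh (`@@ -21,29 +21,29 @@`, using `-f 2,3`), where `${GRUB_OPTION#*=}` yields the same value.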
@@ -62,18 +62,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/4.1.3_audit_bootloader.sh b/bin/hardening/4.1.3_audit_bootloader.sh index e107403..e5de327 100755 --- a/bin/hardening/4.1.3_audit_bootloader.sh +++ b/bin/hardening/4.1.3_audit_bootloader.sh 
@@ -21,29 +21,29 @@ FILE='/etc/default/grub' OPTIONS='GRUB_CMDLINE_LINUX="audit=1"' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { does_file_exist $FILE if [ "$FNRET" != 0 ]; then crit "$FILE does not exist" else ok "$FILE exists, checking configuration" for GRUB_OPTION in $OPTIONS; do - GRUB_PARAM=$(echo $GRUB_OPTION | cut -d= -f 1) - GRUB_VALUE=$(echo $GRUB_OPTION | cut -d= -f 2,3) - PATTERN="^$GRUB_PARAM=$GRUB_VALUE" - debug "$GRUB_PARAM should be set to $GRUB_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" - if [ "$FNRET" != 0 ]; then - crit "$PATTERN is not present in $FILE" - else - ok "$PATTERN is present in $FILE" - fi + GRUB_PARAM=$(echo $GRUB_OPTION | cut -d= -f 1) + GRUB_VALUE=$(echo $GRUB_OPTION | cut -d= -f 2,3) + PATTERN="^$GRUB_PARAM=$GRUB_VALUE" + debug "$GRUB_PARAM should be set to $GRUB_VALUE" + does_pattern_exist_in_file $FILE "$PATTERN" + if [ "$FNRET" != 0 ]; then + crit "$PATTERN is not present in $FILE" + else + ok "$PATTERN is present in $FILE" + fi done fi } # This function will be called if the script status is on enabled mode -apply () { +apply() { does_file_exist $FILE if [ "$FNRET" != 0 ]; then warn "$FILE does not exist, creating it" @@ -61,7 +61,7 @@ apply () { warn "$PATTERN is not present in $FILE, adding it" does_pattern_exist_in_file $FILE "^$GRUB_PARAM" if [ "$FNRET" != 0 ]; then - info "Parameter $GRUB_PARAM seems absent from $FILE, adding at the end" + info "Parameter $GRUB_PARAM seems absent from $FILE, adding at the end" add_end_of_file $FILE "$GRUB_PARAM = $GRUB_VALUE" else info "Parameter $GRUB_PARAM is present but with the wrong value -- Fixing" 
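Review bot: In apply(), `add_end_of_file $FILE "$GRUB_PARAM = $GRUB_VALUE"` writes the parameter with spaces around `=`, but the PATTERN that audit() builds in the hunk above is `^$GRUB_PARAM=$GRUB_VALUE` with no spaces, so the line added here will never satisfy the audit on the next run. /etc/default/grub is read as shell by grub-mkconfig, where `NAME = value` is not an assignment either, so the kernel parameter would not reach the boot command line. If add_end_of_file appends its argument verbatim (its definition is not in this diff), the fix is `add_end_of_file $FILE "$GRUB_PARAM=$GRUB_VALUE"`. apply() continues outside the hunk.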
@@ -80,18 +80,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/4.1.4_record_date_time_edit.sh b/bin/hardening/4.1.4_record_date_time_edit.sh index 3a689fb..7aebb06 100755 --- a/bin/hardening/4.1.4_record_date_time_edit.sh +++ b/bin/hardening/4.1.4_record_date_time_edit.sh @@ -25,7 +25,7 @@ AUDIT_PARAMS='-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-cha FILE='/etc/audit/audit.rules' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { # define custom IFS and save default one d_IFS=$IFS c_IFS=$'\n' @@ -45,7 +45,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" 
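Review bot: In the apply hunk of 4.1.4_record_date_time_edit.sh, apply() sets `IFS=$'\n'` directly before its loop, whereas audit() in the hunk above first saves the default into `d_IFS` and keeps the custom value in `c_IFS`; any restore for apply() is outside the hunk, and code that runs later in the same process and relies on default word-splitting would see the changed IFS if there is none. The two functions should use the same pattern, e.g. `d_IFS=$IFS` before `IFS=$'\n'` and `IFS=$d_IFS` after the loop. A comment on `FILE='/etc/audit/audit.rules'` would also help: on hosts where auditd loads rules through augenrules(8), that file is regenerated from /etc/audit/rules.d/ and rules appended here may not persist — worth confirming against the target release. The same applies to the apply hunks of 4.1.5_record_user_group_edit.sh, 4.1.6_record_network_edit.sh, 4.1.7_record_mac_edit.sh, 4.1.8_record_login_logout.sh and 4.1.9_record_session_init.sh.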
@@ -67,18 +67,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/4.1.5_record_user_group_edit.sh b/bin/hardening/4.1.5_record_user_group_edit.sh index 64776d7..fc0897d 100755 --- a/bin/hardening/4.1.5_record_user_group_edit.sh +++ b/bin/hardening/4.1.5_record_user_group_edit.sh @@ -25,7 +25,7 @@ AUDIT_PARAMS='-w /etc/group -p wa -k identity FILE='/etc/audit/audit.rules' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { # define custom IFS and save default one d_IFS=$IFS c_IFS=$'\n' @@ -45,7 +45,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" 
@@ -67,18 +67,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/4.1.6_record_network_edit.sh b/bin/hardening/4.1.6_record_network_edit.sh index d236946..b07a9c3 100755 --- a/bin/hardening/4.1.6_record_network_edit.sh +++ b/bin/hardening/4.1.6_record_network_edit.sh @@ -26,7 +26,7 @@ AUDIT_PARAMS='-a exit,always -F arch=b64 -S sethostname -S setdomainname -k syst FILE='/etc/audit/audit.rules' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { # define custom IFS and save default one d_IFS=$IFS c_IFS=$'\n' @@ -46,7 +46,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" 
@@ -68,18 +68,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/4.1.7_record_mac_edit.sh b/bin/hardening/4.1.7_record_mac_edit.sh index 27bd729..dccae10 100755 --- a/bin/hardening/4.1.7_record_mac_edit.sh +++ b/bin/hardening/4.1.7_record_mac_edit.sh @@ -21,7 +21,7 @@ AUDIT_PARAMS='-w /etc/selinux/ -p wa -k MAC-policy' FILE='/etc/audit/audit.rules' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { # define custom IFS and save default one d_IFS=$IFS c_IFS=$'\n' @@ -41,7 +41,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" 
@@ -63,18 +63,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/4.1.8_record_login_logout.sh b/bin/hardening/4.1.8_record_login_logout.sh index fd07f81..acab050 100755 --- a/bin/hardening/4.1.8_record_login_logout.sh +++ b/bin/hardening/4.1.8_record_login_logout.sh @@ -23,7 +23,7 @@ AUDIT_PARAMS='-w /var/log/faillog -p wa -k logins FILE='/etc/audit/audit.rules' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { # define custom IFS and save default one d_IFS=$IFS c_IFS=$'\n' @@ -43,7 +43,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" 
@@ -65,18 +65,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/4.1.9_record_session_init.sh b/bin/hardening/4.1.9_record_session_init.sh index bb6ba1a..a7dbd1c 100755 --- a/bin/hardening/4.1.9_record_session_init.sh +++ b/bin/hardening/4.1.9_record_session_init.sh @@ -23,7 +23,7 @@ AUDIT_PARAMS='-w /var/run/utmp -p wa -k session FILE='/etc/audit/audit.rules' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { # define custom IFS and save default one d_IFS=$IFS c_IFS=$'\n' @@ -43,7 +43,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" 
@@ -65,18 +65,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/4.2.2.1_enable_syslog-ng.sh b/bin/hardening/4.2.2.1_enable_syslog-ng.sh index 7708019..b172f67 100755 --- a/bin/hardening/4.2.2.1_enable_syslog-ng.sh +++ b/bin/hardening/4.2.2.1_enable_syslog-ng.sh @@ -20,7 +20,7 @@ DESCRIPTION="Ensure syslog-ng service is activated." SERVICE_NAME="syslog-ng" # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { info "Checking if $SERVICE_NAME is enabled" is_service_enabled "$SERVICE_NAME" if [ "$FNRET" = 0 ]; then 
@@ -31,13 +31,13 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { info "Checking if $SERVICE_NAME is enabled" is_service_enabled "$SERVICE_NAME" if [ "$FNRET" != 0 ]; then info "Enabling $SERVICE_NAME" - update-rc.d $SERVICE_NAME remove > /dev/null 2>&1 - update-rc.d $SERVICE_NAME defaults > /dev/null 2>&1 + update-rc.d $SERVICE_NAME remove >/dev/null 2>&1 + update-rc.d $SERVICE_NAME defaults >/dev/null 2>&1 else ok "$SERVICE_NAME is enabled" fi @@ -50,18 +50,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/4.2.2.2_configure_syslog-ng.sh b/bin/hardening/4.2.2.2_configure_syslog-ng.sh index 5e2218c..db2f82f 100755 --- a/bin/hardening/4.2.2.2_configure_syslog-ng.sh +++ b/bin/hardening/4.2.2.2_configure_syslog-ng.sh 
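Review bot: The exit status of `update-rc.d $SERVICE_NAME remove >/dev/null 2>&1` and of the following `defaults` call is discarded, so a failure to enable the service (for example when no init script exists for it) is invisible and apply() reports nothing; suggest `update-rc.d "$SERVICE_NAME" defaults >/dev/null 2>&1 || crit "Failed to enable $SERVICE_NAME"` on the second call, with `$SERVICE_NAME` quoted on both. The same two lines appear in the apply hunk of 5.1.1_enable_cron.sh (`@@ -47,12 +47,12 @@`). Here apply()'s closing brace is outside the hunk; in 5.1.1 the function starts outside it.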
@@ -20,13 +20,13 @@ DESCRIPTION="Configure /etc/syslog-ng/syslog-ng.conf ." SERVICE_NAME="syslog-ng" # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { info "Ensure default and local facilities are preserved on the system" info "No measure here, please review the file by yourself" } # This function will be called if the script status is on enabled mode -apply () { +apply() { info "Ensure default and local facilities are preserved on the system" info "No measure here, please review the file by yourself" } @@ -38,18 +38,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/4.2.2.3_syslog_ng_logfiles_perm.sh b/bin/hardening/4.2.2.3_syslog_ng_logfiles_perm.sh index 5dbf52c..d1457bf 100755 --- a/bin/hardening/4.2.2.3_syslog_ng_logfiles_perm.sh +++ b/bin/hardening/4.2.2.3_syslog_ng_logfiles_perm.sh 
@@ -25,7 +25,7 @@ GROUP='' EXCEPTIONS='' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { FILES=$(grep "file(" "$SYSLOG_BASEDIR"/syslog-ng.conf | grep '"' | cut -d'"' -f 2) for FILE in $FILES; do does_file_exist "$FILE" @@ -33,16 +33,16 @@ audit () { warn "$FILE does not exist" else FOUND_EXC=0 - if grep -q "$FILE" <(tr ' ' '\n' <<< "$EXCEPTIONS" | cut -d ":" -f 1); then + if grep -q "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then debug "$FILE is found in exceptions" debug "Setting special user:group:perm" FOUND_EXC=1 local user_bak="$USER" local group_bak="$GROUP" local perm_bak="$PERMISSIONS" - USER="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 2)" - GROUP="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 3)" - PERMISSIONS="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 4)" + USER="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 2)" + GROUP="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 3)" + PERMISSIONS="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 4)" fi has_file_correct_ownership "$FILE" "$USER" "$GROUP" if [ "$FNRET" = 0 ]; then @@ -67,7 +67,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { for FILE in $FILES; do does_file_exist "$FILE" if [ "$FNRET" != 0 ]; then 
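Review bot: `grep -q "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1)` and the three USER/GROUP/PERMISSIONS lines below it use `$FILE` as an unanchored regular expression, so an exception for `/var/log/mail` also matches an entry for `/var/log/mail.err` (and `.` matches any character), and the `cut` may then return several lines and assign the wrong owner or mode to a log file. An exact comparison on the first `:`-separated field, with the path passed via `-v` rather than interpolated into the pattern, avoids both problems. The same lines recur in the apply hunk at `@@ -81,16 +81,16 @@`, where the `if grep` additionally lacks `-q` and prints the matched entry to stdout. audit()'s body continues outside the hunk.
```shell
      if tr ' ' '\n' <<<"$EXCEPTIONS" | awk -F: -v f="$FILE" '$1 == f {found = 1} END {exit !found}'; then
        # … unchanged: debug messages, FOUND_EXC=1, user/group/perm backups …
        USER="$(tr ' ' '\n' <<<"$EXCEPTIONS" | awk -F: -v f="$FILE" '$1 == f {print $2}')"
        GROUP="$(tr ' ' '\n' <<<"$EXCEPTIONS" | awk -F: -v f="$FILE" '$1 == f {print $3}')"
        PERMISSIONS="$(tr ' ' '\n' <<<"$EXCEPTIONS" | awk -F: -v f="$FILE" '$1 == f {print $4}')"
      fi
```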
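Review bot: apply() iterates `for FILE in $FILES; do`, but FILES is only assigned at the top of audit() (`FILES=$(grep "file(" ...)` in the first hunk of this file), so apply() depends on audit() having already run in the same shell; if main.sh ever calls apply() on its own, the loop body never executes and nothing is reported. Either compute FILES in apply() as well, or move the assignment to file scope next to EXCEPTIONS. Whether main.sh always runs audit() first is not visible in this diff. apply() continues outside the hunk.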
@@ -81,16 +81,16 @@ apply () { touch "$FILE" fi FOUND_EXC=0 - if grep "$FILE" <(tr ' ' '\n' <<< "$EXCEPTIONS" | cut -d ":" -f 1); then + if grep "$FILE" <(tr ' ' '\n' <<<"$EXCEPTIONS" | cut -d ":" -f 1); then debug "$FILE is found in exceptions" debug "Setting special user:group:perm" FOUND_EXC=1 local user_bak="$USER" local group_bak="$GROUP" local perm_bak="$PERMISSIONS" - USER="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 2)" - GROUP="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 3)" - PERMISSIONS="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 4)" + USER="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 2)" + GROUP="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 3)" + PERMISSIONS="$(tr ' ' '\n' <<<"$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 4)" fi has_file_correct_ownership "$FILE" "$USER" "$GROUP" if [ "$FNRET" = 0 ]; then @@ -145,12 +145,12 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi diff --git a/bin/hardening/4.2.2.4_syslog-ng_remote_host.sh b/bin/hardening/4.2.2.4_syslog-ng_remote_host.sh index 87389a0..a5739f7 100755 --- a/bin/hardening/4.2.2.4_syslog-ng_remote_host.sh +++ b/bin/hardening/4.2.2.4_syslog-ng_remote_host.sh 
@@ -20,11 +20,11 @@ DESCRIPTION="Configure syslog-ng to send logs to a remote log host." PATTERN='destination[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]+\".' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { FOUND=0 FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L $SYSLOG_BASEDIR/conf.d/ -type f)" for FILE in $FILES; do - does_pattern_exist_in_file_multiline "$FILE" "$PATTERN" + does_pattern_exist_in_file_multiline "$FILE" "$PATTERN" if [ "$FNRET" = 0 ]; then FOUND=1 fi @@ -38,11 +38,11 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { FOUND=0 FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L $SYSLOG_BASEDIR/conf.d/ -type f)" for FILE in $FILES; do - does_pattern_exist_in_file_multiline "$FILE" "$PATTERN" + does_pattern_exist_in_file_multiline "$FILE" "$PATTERN" if [ "$FNRET" = 0 ]; then FOUND=1 fi @@ -69,18 +69,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" 
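Review bot: The host class in `PATTERN='destination[[:alnum:][:space:]*{]+(tcp|udp)[[:space:]]*\(\"[[:alnum:].]+\".'` only accepts letters, digits and dots, so a destination such as `tcp("log-host.example.com")` is reported as not configured even though it is; `[[:alnum:].-]+` covers hyphenated hostnames (a bracketed IPv6 literal would still need separate handling). On the next line, `FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L $SYSLOG_BASEDIR/conf.d/ -type f)"` is word-split on whitespace, so a file name containing a space in conf.d/ is checked as two non-existent paths. audit() continues outside the hunk.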
diff --git a/bin/hardening/4.2.2.5_remote_syslog-ng_acl.sh b/bin/hardening/4.2.2.5_remote_syslog-ng_acl.sh index 10b5eb5..30eb688 100755 --- a/bin/hardening/4.2.2.5_remote_syslog-ng_acl.sh +++ b/bin/hardening/4.2.2.5_remote_syslog-ng_acl.sh @@ -18,12 +18,12 @@ HARDENING_LEVEL=3 DESCRIPTION="Configure syslog to accept remote syslog messages only on designated log hosts." # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { info "Not implemented yet" } # This function will be called if the script status is on enabled mode -apply () { +apply() { info "Not implemented yet" } @@ -34,18 +34,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/4.2.3_install_syslog-ng.sh b/bin/hardening/4.2.3_install_syslog-ng.sh index 6d6cfe6..dffc773 100755 --- a/bin/hardening/4.2.3_install_syslog-ng.sh +++ b/bin/hardening/4.2.3_install_syslog-ng.sh 
@@ -21,7 +21,7 @@ DESCRIPTION="Install syslog-ng to manage logs" PACKAGE='syslog-ng' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { is_pkg_installed "$PACKAGE" if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" @@ -31,14 +31,14 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { - is_pkg_installed "$PACKAGE" - if [ "$FNRET" = 0 ]; then - ok "$PACKAGE is installed" - else - crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE - fi +apply() { + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi } # This function will check config parameters required @@ -48,18 +48,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/4.2.4_logs_permissions.sh b/bin/hardening/4.2.4_logs_permissions.sh index 0c25df9..7775a57 100755 --- a/bin/hardening/4.2.4_logs_permissions.sh +++ b/bin/hardening/4.2.4_logs_permissions.sh 
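Review bot: apply() logs `crit "$PACKAGE is absent, installing it"` immediately before remediating, whereas the equivalent branch of 4.1.2_enable_auditd.sh earlier in this patch uses `warn "$PACKAGE is absent, installing it"`; `warn` is the consistent level for a condition the function fixes itself, and `crit` here will presumably be counted as a failure by the reporting in main.sh (not visible in this diff). `apt_install $PACKAGE` should also quote its argument like the `is_pkg_installed "$PACKAGE"` call above it: `apt_install "$PACKAGE"`.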
@@ -21,17 +21,16 @@ DIR='/var/log' PERMISSIONS='640' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { ERRORS=0 - for FILE in $($SUDO_CMD find $DIR -type f); - do + for FILE in $($SUDO_CMD find $DIR -type f); do has_file_correct_permissions "$FILE" "$PERMISSIONS" if [ "$FNRET" = 0 ]; then ok "$FILE permissions were set to $PERMISSIONS" else - ERRORS=$((ERRORS+1)) + ERRORS=$((ERRORS + 1)) crit "$FILE permissions were not set to $PERMISSIONS" - fi + fi done if [ $ERRORS = 0 ]; then @@ -40,10 +39,9 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { ERRORS=0 - for FILE in $($SUDO_CMD find $DIR -type f); - do + for FILE in $($SUDO_CMD find $DIR -type f); do has_file_correct_permissions "$FILE" "$PERMISSIONS" if [ "$FNRET" = 0 ]; then ok "$FILE permissions were set to $PERMISSIONS" @@ -52,7 +50,7 @@ apply () { chmod 0"$PERMISSIONS" "$FILE" fi done - + if [ $ERRORS = 0 ]; then ok "Logs in $DIR have correct permissions" fi 
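Review bot: `for FILE in $($SUDO_CMD find $DIR -type f); do` splits find's output on whitespace, so a log file whose name contains a space is checked as two non-existent paths, and the same split happens in apply() before the name reaches `chmod 0"$PERMISSIONS" "$FILE"`; read the names NUL-delimited instead: `while IFS= read -r -d '' FILE; do` … `done < <($SUDO_CMD find "$DIR" -type f -print0)`. The same loop header is in the apply hunk at `@@ -40,10 +39,9 @@`. audit() continues outside the hunk.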
@@ -65,18 +63,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/4.3_configure_logrotate.sh b/bin/hardening/4.3_configure_logrotate.sh index eccc511..72c58aa 100755 --- a/bin/hardening/4.3_configure_logrotate.sh +++ b/bin/hardening/4.3_configure_logrotate.sh @@ -19,13 +19,13 @@ DESCRIPTION="Configure logrotate to prevent logfile from growing unmanageable." SERVICE_NAME="syslog-ng" # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { info "Ensure logs are properly rotated (especially syslog-ng)" info "No measure here, please review the files by yourself" } # This function will be called if the script status is on enabled mode -apply () { +apply() { info "Ensure logs are properly rotated (especially syslog-ng)" info "No measure here, please review the file by yourself" } 
@@ -37,18 +37,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.1.1_enable_cron.sh b/bin/hardening/5.1.1_enable_cron.sh index c60c4eb..a908fa2 100755 --- a/bin/hardening/5.1.1_enable_cron.sh +++ b/bin/hardening/5.1.1_enable_cron.sh @@ -21,7 +21,7 @@ PACKAGE="cron" SERVICE_NAME="cron" # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { is_pkg_installed "$PACKAGE" if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" @@ -37,7 +37,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" 
@@ -47,12 +47,12 @@ apply () { is_service_enabled "$SERVICE_NAME" if [ "$FNRET" != 0 ]; then info "Enabling $SERVICE_NAME" - update-rc.d $SERVICE_NAME remove > /dev/null 2>&1 - update-rc.d $SERVICE_NAME defaults > /dev/null 2>&1 + update-rc.d $SERVICE_NAME remove >/dev/null 2>&1 + update-rc.d $SERVICE_NAME defaults >/dev/null 2>&1 else ok "$SERVICE_NAME is enabled" fi - fi + fi } # This function will check config parameters required @@ -62,18 +62,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.1.2_crontab_perm_ownership.sh b/bin/hardening/5.1.2_crontab_perm_ownership.sh index 4177fb4..1b380b7 100755 --- a/bin/hardening/5.1.2_crontab_perm_ownership.sh +++ b/bin/hardening/5.1.2_crontab_perm_ownership.sh @@ -23,7 +23,7 @@ USER='root' GROUP='root' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { has_file_correct_ownership "$FILE" "$USER" "$GROUP" if [ "$FNRET" = 0 ]; then ok "$FILE has correct ownership" 
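Review bot: Both `update-rc.d $SERVICE_NAME remove >/dev/null 2>&1` and `update-rc.d $SERVICE_NAME defaults >/dev/null 2>&1` discard their exit status along with their output, so a failed enable is only ever logged as `info "Enabling $SERVICE_NAME"` and is noticed no earlier than the next audit run. Checking the second call keeps the hardening report truthful, e.g. `update-rc.d "$SERVICE_NAME" defaults >/dev/null 2>&1 || crit "Failed to enable $SERVICE_NAME"`. Quoting `"$SERVICE_NAME"` here would also match how `"$PACKAGE"` is quoted elsewhere in the same function.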
@@ -35,11 +35,11 @@ audit () { ok "$FILE has correct permissions" else crit "$FILE permissions were not set to $PERMISSIONS" - fi + fi } # This function will be called if the script status is on enabled mode -apply () { +apply() { does_file_exist $FILE if [ "$FNRET" != 0 ]; then info "$FILE does not exist" @@ -77,18 +77,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.1.3_cron_hourly_perm_ownership.sh b/bin/hardening/5.1.3_cron_hourly_perm_ownership.sh index c2d61bd..6a71213 100755 --- a/bin/hardening/5.1.3_cron_hourly_perm_ownership.sh +++ b/bin/hardening/5.1.3_cron_hourly_perm_ownership.sh @@ -23,7 +23,7 @@ USER='root' GROUP='root' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { has_file_correct_ownership "$FILE" "$USER" "$GROUP" if [ "$FNRET" = 0 ]; then ok "$FILE has correct ownership" 
@@ -35,11 +35,11 @@ audit () { ok "$FILE has correct permissions" else crit "$FILE permissions were not set to $PERMISSIONS" - fi + fi } # This function will be called if the script status is on enabled mode -apply () { +apply() { does_file_exist $FILE if [ "$FNRET" != 0 ]; then info "$FILE does not exist" @@ -77,18 +77,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.1.4_cron_daily_perm_ownership.sh b/bin/hardening/5.1.4_cron_daily_perm_ownership.sh index 5307954..7df44fb 100755 --- a/bin/hardening/5.1.4_cron_daily_perm_ownership.sh +++ b/bin/hardening/5.1.4_cron_daily_perm_ownership.sh @@ -23,7 +23,7 @@ USER='root' GROUP='root' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { has_file_correct_ownership "$FILE" "$USER" "$GROUP" if [ "$FNRET" = 0 ]; then ok "$FILE has correct ownership" 
@@ -35,11 +35,11 @@ audit () { ok "$FILE has correct permissions" else crit "$FILE permissions were not set to $PERMISSIONS" - fi + fi } # This function will be called if the script status is on enabled mode -apply () { +apply() { does_file_exist $FILE if [ "$FNRET" != 0 ]; then info "$FILE does not exist" @@ -77,18 +77,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.1.5_cron_weekly_perm_ownership.sh b/bin/hardening/5.1.5_cron_weekly_perm_ownership.sh index 779af01..fe7f827 100755 --- a/bin/hardening/5.1.5_cron_weekly_perm_ownership.sh +++ b/bin/hardening/5.1.5_cron_weekly_perm_ownership.sh @@ -23,7 +23,7 @@ USER='root' GROUP='root' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { has_file_correct_ownership "$FILE" "$USER" "$GROUP" if [ "$FNRET" = 0 ]; then ok "$FILE has correct ownership" 
@@ -35,11 +35,11 @@ audit () { ok "$FILE has correct permissions" else crit "$FILE permissions were not set to $PERMISSIONS" - fi + fi } # This function will be called if the script status is on enabled mode -apply () { +apply() { does_file_exist $FILE if [ "$FNRET" != 0 ]; then info "$FILE does not exist" @@ -77,18 +77,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.1.6_cron_monthly_perm_ownership.sh b/bin/hardening/5.1.6_cron_monthly_perm_ownership.sh index b28efdb..3b733b8 100755 --- a/bin/hardening/5.1.6_cron_monthly_perm_ownership.sh +++ b/bin/hardening/5.1.6_cron_monthly_perm_ownership.sh @@ -23,7 +23,7 @@ USER='root' GROUP='root' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { has_file_correct_ownership "$FILE" "$USER" "$GROUP" if [ "$FNRET" = 0 ]; then ok "$FILE has correct ownership" 
@@ -35,11 +35,11 @@ audit () { ok "$FILE has correct permissions" else crit "$FILE permissions were not set to $PERMISSIONS" - fi + fi } # This function will be called if the script status is on enabled mode -apply () { +apply() { does_file_exist $FILE if [ "$FNRET" != 0 ]; then info "$FILE does not exist" @@ -77,18 +77,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.1.7_cron_d_perm_ownership.sh b/bin/hardening/5.1.7_cron_d_perm_ownership.sh index 4d51e54..65ce568 100755 --- a/bin/hardening/5.1.7_cron_d_perm_ownership.sh +++ b/bin/hardening/5.1.7_cron_d_perm_ownership.sh @@ -23,7 +23,7 @@ USER='root' GROUP='root' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { has_file_correct_ownership "$FILE" "$USER" "$GROUP" if [ "$FNRET" = 0 ]; then ok "$FILE has correct ownership" 
@@ -35,11 +35,11 @@ audit () { ok "$FILE has correct permissions" else crit "$FILE permissions were not set to $PERMISSIONS" - fi + fi } # This function will be called if the script status is on enabled mode -apply () { +apply() { does_file_exist $FILE if [ "$FNRET" != 0 ]; then info "$FILE does not exist" @@ -77,18 +77,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.1.8_cron_users.sh b/bin/hardening/5.1.8_cron_users.sh index 539a396..d6d364e 100755 --- a/bin/hardening/5.1.8_cron_users.sh +++ b/bin/hardening/5.1.8_cron_users.sh @@ -24,7 +24,7 @@ USER='root' GROUP='root' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { for FILE in $FILES_ABSENT; do does_file_exist $FILE if [ "$FNRET" = 0 ]; then 
@@ -49,13 +49,13 @@ audit () { ok "$FILE has correct permissions" else crit "$FILE permissions were not set to $PERMISSIONS" - fi + fi fi done } # This function will be called if the script status is on enabled mode -apply () { +apply() { for FILE in $FILES_ABSENT; do does_file_exist $FILE if [ "$FNRET" = 0 ]; then @@ -104,18 +104,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.2.10_disable_root_login.sh b/bin/hardening/5.2.10_disable_root_login.sh index 0932c6e..727ca1d 100755 --- a/bin/hardening/5.2.10_disable_root_login.sh +++ b/bin/hardening/5.2.10_disable_root_login.sh @@ -22,7 +22,7 @@ OPTIONS='' FILE='/etc/ssh/sshd_config' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { is_pkg_installed "$PACKAGE" if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" @@ -43,7 +43,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" 
@@ -52,23 +52,23 @@ apply () { apt_install $PACKAGE fi for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) - PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" - if [ "$FNRET" = 0 ]; then - ok "$PATTERN is present in $FILE" + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exist_in_file $FILE "$PATTERN" + if [ "$FNRET" = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN is not present in $FILE, adding it" + does_pattern_exist_in_file $FILE "^$SSH_PARAM" + if [ "$FNRET" != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" else - warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file $FILE "^$SSH_PARAM" - if [ "$FNRET" != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" - else - info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" - fi - /etc/init.d/ssh reload + info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi + /etc/init.d/ssh reload + fi done } @@ -78,7 +78,7 @@ check_config() { } create_config() { - cat << EOF + cat < /dev/null 2>&1 + info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi + /etc/init.d/ssh reload >/dev/null 2>&1 + fi done } 
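Review bot: `PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"` has no end anchor, so the compliance check accepts any line whose value merely starts with the expected text, and the sibling scripts that share this loop in this chunk (5.2.15, 5.2.16, 5.2.17, 5.2.18 and 5.2.19) inherit that for numeric values such as the timeouts. Anchoring the value, `PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE[[:space:]]*$"`, closes this, assuming does_pattern_exist_in_file hands the pattern to grep unchanged. `SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)` and the matching SSH_VALUE line can become `SSH_PARAM=${SSH_OPTION%%=*}` and `SSH_VALUE=${SSH_OPTION#*=}`, which drops the unquoted echo and two subprocesses per option. `/etc/init.d/ssh reload` runs once per corrected option inside the loop rather than once after `done`, and unlike the 5.2.15 hunk its output is not redirected; running `sshd -t` before the reload would stop a malformed edit from being handed to the daemon.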
@@ -89,12 +89,12 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi diff --git a/bin/hardening/5.2.15_ssh_cry_kex.sh b/bin/hardening/5.2.15_ssh_cry_kex.sh index 3ba9076..f901477 100755 --- a/bin/hardening/5.2.15_ssh_cry_kex.sh +++ b/bin/hardening/5.2.15_ssh_cry_kex.sh @@ -22,7 +22,7 @@ OPTIONS='' FILE='/etc/ssh/sshd_config' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { is_pkg_installed "$PACKAGE" if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" @@ -43,7 +43,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" 
@@ -52,23 +52,23 @@ apply () { apt_install $PACKAGE fi for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) - PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file_nocase $FILE "$PATTERN" - if [ "$FNRET" = 0 ]; then - ok "$PATTERN is present in $FILE" + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exist_in_file_nocase $FILE "$PATTERN" + if [ "$FNRET" = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN is not present in $FILE, adding it" + does_pattern_exist_in_file_nocase $FILE "^$SSH_PARAM" + if [ "$FNRET" != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" else - warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file_nocase $FILE "^$SSH_PARAM" - if [ "$FNRET" != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" - else - info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" - fi - /etc/init.d/ssh reload > /dev/null 2>&1 + info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi + /etc/init.d/ssh reload >/dev/null 2>&1 + fi done } @@ -91,7 +91,6 @@ OPTIONS="KexAlgorithms=$KEX" EOF } - # This function will check config parameters required check_config() { : 
@@ -99,12 +98,12 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi diff --git a/bin/hardening/5.2.16_sshd_idle_timeout.sh b/bin/hardening/5.2.16_sshd_idle_timeout.sh index a7ffd57..d36907f 100755 --- a/bin/hardening/5.2.16_sshd_idle_timeout.sh +++ b/bin/hardening/5.2.16_sshd_idle_timeout.sh @@ -23,7 +23,7 @@ OPTIONS='' FILE='/etc/ssh/sshd_config' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { is_pkg_installed "$PACKAGE" if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" @@ -44,7 +44,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" 
@@ -53,23 +53,23 @@ apply () { apt_install $PACKAGE fi for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) - PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" - if [ "$FNRET" = 0 ]; then - ok "$PATTERN is present in $FILE" + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exist_in_file $FILE "$PATTERN" + if [ "$FNRET" = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN is not present in $FILE, adding it" + does_pattern_exist_in_file $FILE "^$SSH_PARAM" + if [ "$FNRET" != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" else - warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file $FILE "^$SSH_PARAM" - if [ "$FNRET" != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" - else - info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" - fi - /etc/init.d/ssh reload + info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi + /etc/init.d/ssh reload + fi done } 
@@ -90,18 +90,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.2.17_sshd_login_grace_time.sh b/bin/hardening/5.2.17_sshd_login_grace_time.sh index 7f035f8..5397842 100755 --- a/bin/hardening/5.2.17_sshd_login_grace_time.sh +++ b/bin/hardening/5.2.17_sshd_login_grace_time.sh @@ -22,7 +22,7 @@ OPTIONS='' FILE='/etc/ssh/sshd_config' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { is_pkg_installed "$PACKAGE" if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" @@ -43,7 +43,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" 
@@ -52,23 +52,23 @@ apply () { apt_install $PACKAGE fi for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) - PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" - if [ "$FNRET" = 0 ]; then - ok "$PATTERN is present in $FILE" + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exist_in_file $FILE "$PATTERN" + if [ "$FNRET" = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN is not present in $FILE, adding it" + does_pattern_exist_in_file $FILE "^$SSH_PARAM" + if [ "$FNRET" != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" else - warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file $FILE "^$SSH_PARAM" - if [ "$FNRET" != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" - else - info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" - fi - /etc/init.d/ssh reload + info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi + /etc/init.d/ssh reload + fi done } 
@@ -89,18 +89,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.2.18_sshd_limit_access.sh b/bin/hardening/5.2.18_sshd_limit_access.sh index 6b15a71..2085d3b 100755 --- a/bin/hardening/5.2.18_sshd_limit_access.sh +++ b/bin/hardening/5.2.18_sshd_limit_access.sh @@ -21,7 +21,7 @@ PACKAGE='openssh-server' FILE='/etc/ssh/sshd_config' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { OPTIONS="AllowUsers='$ALLOWED_USERS' AllowGroups='$ALLOWED_GROUPS' DenyUsers='$DENIED_USERS' DenyGroups='$DENIED_GROUPS'" is_pkg_installed "$PACKAGE" if [ "$FNRET" != 0 ]; then @@ -31,7 +31,7 @@ audit () { for SSH_OPTION in $OPTIONS; do SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) - SSH_VALUE=$(sed "s/'//g" <<< $SSH_VALUE) + SSH_VALUE=$(sed "s/'//g" <<<$SSH_VALUE) PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" if [ "$FNRET" = 0 ]; then 
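Review bot: In the `@@ -31,7 +31,7 @@` hunk of 5.2.18_sshd_limit_access.sh, `SSH_VALUE=$(sed "s/'//g" <<<$SSH_VALUE)` strips quotes that never protected anything: `OPTIONS="AllowUsers='$ALLOWED_USERS' …"` is expanded unquoted by `for SSH_OPTION in $OPTIONS; do`, and the embedded single quotes are literal characters, so a list holding more than one name separated by spaces (the form sshd accepts for these keywords) is split into separate tokens, leaving `SSH_PARAM` set to a fragment such as the second name with a trailing quote. In audit this only produces a spurious crit, but the apply loop on the next line (`@@ -53,24 +53,24 @@`) builds `add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"` from the same tokens and, if it runs with that OPTIONS value, could append an invalid keyword to sshd_config. Iterating over explicit keyword/variable pairs instead of word-splitting one string avoids this; at minimum the here-string should be quoted, `<<<"$SSH_VALUE"`, to stop globbing on that line.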
@@ -44,7 +44,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" @@ -53,24 +53,24 @@ apply () { apt_install $PACKAGE fi for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) - SSH_VALUE=$(sed "s/'//g" <<< $SSH_VALUE) - PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" - if [ "$FNRET" = 0 ]; then - ok "$PATTERN is present in $FILE" + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + SSH_VALUE=$(sed "s/'//g" <<<$SSH_VALUE) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exist_in_file $FILE "$PATTERN" + if [ "$FNRET" = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN is not present in $FILE, adding it" + does_pattern_exist_in_file $FILE "^$SSH_PARAM" + if [ "$FNRET" != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" else - warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file $FILE "^$SSH_PARAM" - if [ "$FNRET" != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" - else - info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" - fi - /etc/init.d/ssh reload + info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi + /etc/init.d/ssh reload + fi done } 
@@ -109,18 +109,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.2.19_ssh_banner.sh b/bin/hardening/5.2.19_ssh_banner.sh index 578d285..fe1d466 100755 --- a/bin/hardening/5.2.19_ssh_banner.sh +++ b/bin/hardening/5.2.19_ssh_banner.sh @@ -21,7 +21,7 @@ PACKAGE='openssh-server' FILE='/etc/ssh/sshd_config' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { OPTIONS="Banner=$BANNER_FILE" is_pkg_installed "$PACKAGE" if [ "$FNRET" != 0 ]; then @@ -42,7 +42,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" 
@@ -51,22 +51,22 @@ apply () { apt_install $PACKAGE fi for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) - PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" - if [ "$FNRET" = 0 ]; then - ok "$PATTERN is present in $FILE" + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exist_in_file $FILE "$PATTERN" + if [ "$FNRET" = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN is not present in $FILE, adding it" + does_pattern_exist_in_file $FILE "^$SSH_PARAM" + if [ "$FNRET" != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" else - warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file $FILE "^$SSH_PARAM" - if [ "$FNRET" != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" - else - info "Parameter $SSH_PARAM is present and activated" - fi - /etc/init.d/ssh reload + info "Parameter $SSH_PARAM is present and activated" fi + /etc/init.d/ssh reload + fi done } 
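Review bot: In the inner `else` branch, `info "Parameter $SSH_PARAM is present and activated"` is reached only when `^$SSH_PARAM` exists in $FILE but `^$SSH_PARAM[[:space:]]*$SSH_VALUE` does not, i.e. Banner points at a different file; the message reports success while nothing is changed, which contradicts the `warn "$PATTERN is not present in $FILE, adding it"` just above and the other sshd scripts in this chunk, which call replace_in_file at this point. Either correct the value as the siblings do, `replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"`, or reword the message to say the existing Banner is deliberately left untouched, in which case `/etc/init.d/ssh reload` has nothing to reload in that branch.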
@@ -89,18 +89,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.2.1_sshd_conf_perm_ownership.sh b/bin/hardening/5.2.1_sshd_conf_perm_ownership.sh index 8339535..2df728e 100755 --- a/bin/hardening/5.2.1_sshd_conf_perm_ownership.sh +++ b/bin/hardening/5.2.1_sshd_conf_perm_ownership.sh @@ -23,7 +23,7 @@ USER='root' GROUP='root' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { has_file_correct_ownership "$FILE" "$USER" "$GROUP" if [ "$FNRET" = 0 ]; then ok "$FILE has correct ownership" @@ -35,11 +35,11 @@ audit () { ok "$FILE has correct permissions" else crit "$FILE permissions were not set to $PERMISSIONS" - fi + fi } # This function will be called if the script status is on enabled mode -apply () { +apply() { does_file_exist $FILE if [ "$FNRET" != 0 ]; then info "$FILE does not exist" 
@@ -77,18 +77,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh b/bin/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh index 3ed61a7..dbfdb9f 100755 --- a/bin/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh +++ b/bin/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh @@ -23,15 +23,14 @@ USER='root' GROUP='root' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { ERRORS=0 - for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key'); - do + for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key'); do has_file_correct_permissions "$FILE" "$PERMISSIONS" if [ "$FNRET" = 0 ]; then ok "$FILE permissions were set to $PERMISSIONS" else - ERRORS=$((ERRORS+1)) + ERRORS=$((ERRORS + 1)) crit "$FILE permissions were not set to $PERMISSIONS" fi 
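Review bot: `for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key'); do` word-splits and glob-expands the find output, so a key path containing whitespace or glob characters is split into bogus entries and the real file is never checked; `while IFS= read -r -d '' FILE; do` paired with `done < <($SUDO_CMD find "$DIR" -xdev -type f -name 'ssh_host_*_key' -print0)` iterates the paths intact. The same loop header appears in the 5.2.2 apply hunk and in both 5.2.3 hunks, where `chown $USER:$GROUP $FILE` is also unquoted, so the change belongs in all of them. `audit()` continues past the end of this hunk.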
@@ -42,27 +41,25 @@ audit () { fi ERRORS=0 - for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key'); - do + for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key'); do has_file_correct_ownership "$FILE" "$USER" "$GROUP" - if [ "$FNRET" = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$FILE ownership was set to $USER:$GROUP" else - ERRORS=$((ERRORS+1)) + ERRORS=$((ERRORS + 1)) crit "$FILE ownership was not set to $USER:$GROUP" fi done - + if [ $ERRORS = 0 ]; then ok "SSH private keys in $DIR have correct ownership" fi } # This function will be called if the script status is on enabled mode -apply () { - for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key'); - do +apply() { + for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key'); do has_file_correct_ownership "$FILE" "$USER" "$GROUP" if [ "$FNRET" = 0 ]; then ok "$FILE ownership was set to $USER:$GROUP" @@ -73,8 +70,7 @@ apply () { fi done - for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key'); - do + for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key'); do has_file_correct_permissions "$FILE" "$PERMISSIONS" if [ "$FNRET" = 0 ]; then ok "$FILE permissions were set to $PERMISSIONS" @@ -84,7 +80,6 @@ apply () { fi done - } # This function will check config parameters required 
@@ -103,18 +98,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh b/bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh index 8a59c7c..8406fea 100755 --- a/bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh +++ b/bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh @@ -23,10 +23,9 @@ USER='root' GROUP='root' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { ERRORS=0 - for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key.pub'); - do + for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key.pub'); do has_file_correct_permissions "$FILE" "$PERMISSIONS" if [ "$FNRET" = 0 ]; then ok "$FILE permissions were set to $PERMISSIONS" @@ -39,7 +38,7 @@ audit () { if [ "$FNRET" = 0 ]; then ok "$FILE permissions were set to $PERMISSIONS" else - ERRORS=$((ERRORS+1)) + ERRORS=$((ERRORS + 1)) crit "$FILE permissions were not set to $PERMISSIONS" fi fi 
@@ -52,27 +51,25 @@ audit () { fi ERRORS=0 - for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key.pub'); - do + for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key.pub'); do has_file_correct_ownership "$FILE" "$USER" "$GROUP" - if [ "$FNRET" = 0 ]; then + if [ "$FNRET" = 0 ]; then ok "$FILE ownership was set to $USER:$GROUP" else - ERRORS=$((ERRORS+1)) + ERRORS=$((ERRORS + 1)) crit "$FILE ownership was not set to $USER:$GROUP" fi done - + if [ $ERRORS = 0 ]; then ok "SSH public keys in $DIR have correct ownership" fi } # This function will be called if the script status is on enabled mode -apply () { - for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key.pub'); - do +apply() { + for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key.pub'); do has_file_correct_permissions "$FILE" "$PERMISSIONS" if [ "$FNRET" = 0 ]; then ok "$FILE permissions were set to $PERMISSIONS" @@ -92,8 +89,7 @@ apply () { fi done - for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key.pub'); - do + for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key.pub'); do has_file_correct_ownership "$FILE" "$USER" "$GROUP" if [ "$FNRET" = 0 ]; then ok "$FILE ownership was set to $USER:$GROUP" @@ -102,7 +98,7 @@ apply () { chown $USER:$GROUP $FILE fi done - + } # This function will check config parameters required 
@@ -121,18 +117,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/5.2.4_sshd_protocol.sh b/bin/hardening/5.2.4_sshd_protocol.sh index 5607051..9cb3c6f 100755 --- a/bin/hardening/5.2.4_sshd_protocol.sh +++ b/bin/hardening/5.2.4_sshd_protocol.sh @@ -22,7 +22,7 @@ OPTIONS='' FILE='/etc/ssh/sshd_config' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { is_pkg_installed "$PACKAGE" if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" @@ -43,7 +43,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" 
@@ -52,23 +52,23 @@ apply () { apt_install $PACKAGE fi for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) - PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" - if [ "$FNRET" = 0 ]; then - ok "$PATTERN is present in $FILE" + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exist_in_file $FILE "$PATTERN" + if [ "$FNRET" = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN is not present in $FILE, adding it" + does_pattern_exist_in_file $FILE "^$SSH_PARAM" + if [ "$FNRET" != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" else - warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file $FILE "^$SSH_PARAM" - if [ "$FNRET" != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" - else - info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" - fi - /etc/init.d/ssh reload > /dev/null 2>&1 + info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi + /etc/init.d/ssh reload >/dev/null 2>&1 + fi done } 
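Review bot: `/etc/init.d/ssh reload >/dev/null 2>&1` sits inside the `for SSH_OPTION` loop, runs once per option, and discards both its output and its exit status, so a reload that fails because `replace_in_file` left sshd_config invalid is never reported and the previous configuration silently stays in effect. Moving the reload after `done` and gating it on the daemon's own syntax check, `if sshd -t; then /etc/init.d/ssh reload >/dev/null 2>&1; else crit "sshd_config failed validation, not reloading"; fi`, reloads once and surfaces the failure. The 5.2.19 apply hunk has the same in-loop reload. `apply()` begins in the previous hunk.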
@@ -78,7 +78,7 @@ check_config() { } create_config() { - cat << EOF + cat < /dev/null 2>&1 + info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi + /etc/init.d/ssh reload >/dev/null 2>&1 + fi done } # This function will create the config file for this check with default values create_config() { - cat << EOF + cat < /dev/null 2>&1 + info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi + /etc/init.d/ssh reload >/dev/null 2>&1 + fi done } @@ -79,7 +79,7 @@ check_config() { # This function will create the config file for this check with default values create_config() { - cat << EOF + cat </dev/null) + FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'}) + RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null) if [ ! -z "$RESULT" ]; then crit "Some world writable files are present" - FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ') + FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ') crit "$FORMATTED_RESULT" else ok "No world writable files found" @@ -32,11 +32,11 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null) if [ ! -z "$RESULT" ]; then warn "chmoding o-w all files in the system" - df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null| xargs chmod o-w + df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null | xargs chmod o-w else ok "No world writable files found, nothing to apply" fi 
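Review bot: `... -print 2>/dev/null | xargs chmod o-w` hands paths to xargs as whitespace-separated, quote-interpreted text, so a world-writable file whose name contains a space, quote or backslash is either skipped or has chmod applied to a different path; `-print0` with `xargs -0` passes each name intact: `df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print0 2>/dev/null | xargs -0 chmod o-w`. The search is also performed twice, once into `RESULT` and once for the chmod; reusing the first result through a NUL-delimited loop would avoid the second full traversal of every local filesystem.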
@@ -50,18 +50,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/6.1.11_find_unowned_files.sh b/bin/hardening/6.1.11_find_unowned_files.sh index adfbd3c..65fba68 100755 --- a/bin/hardening/6.1.11_find_unowned_files.sh +++ b/bin/hardening/6.1.11_find_unowned_files.sh 
@@ -21,17 +21,17 @@ USER='root' EXCLUDED='' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { info "Checking if there are unowned files" - FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} ) + FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'}) if [ ! -z $EXCLUDED ]; then - RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null) + RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null) else - RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nouser -print 2>/dev/null) + RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -print 2>/dev/null) fi if [ ! -z "$RESULT" ]; then crit "Some unowned files are present" - FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ') + FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ') crit "$FORMATTED_RESULT" else ok "No unowned files found" @@ -39,7 +39,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { if [ ! -z $EXCLUDED ]; then RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null) else 
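Review bot: `if [ ! -z $EXCLUDED ]; then` leaves the variable unquoted, so an exclusion regex containing whitespace turns into several `[` arguments and the test errors out instead of selecting the regex branch; `if [ -n "$EXCLUDED" ]; then` is the intended check. The same line is in the 6.1.11 apply hunk below, in the 6.1.12 audit hunk, and 6.1.13 and 6.1.14 use the identical `[ ! -z $IGNORED_PATH ]` behind a `shellcheck disable=2086`. Separately, `-print 2>/dev/null` hides permission errors from `find`, so when `SUDO_CMD` is empty an unprivileged run reports `ok "No unowned files found"` for directories it could not read; checking `find`'s exit status, or only discarding stderr when `SUDO_CMD` is set, would keep that false "ok" from appearing. `audit()` starts in this hunk and continues past its end.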
@@ -61,18 +61,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/6.1.12_find_ungrouped_files.sh b/bin/hardening/6.1.12_find_ungrouped_files.sh index c41498e..6f9bfdc 100755 --- a/bin/hardening/6.1.12_find_ungrouped_files.sh +++ b/bin/hardening/6.1.12_find_ungrouped_files.sh 
@@ -21,17 +21,17 @@ GROUP='root' EXCLUDED='' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { info "Checking if there are ungrouped files" - FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} ) + FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'}) if [ ! -z $EXCLUDED ]; then - RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null) + RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null) else - RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nogroup -print 2>/dev/null) + RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -print 2>/dev/null) fi if [ ! -z "$RESULT" ]; then crit "Some ungrouped files are present" - FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ') + FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ') crit "$FORMATTED_RESULT" else ok "No ungrouped files found" @@ -39,7 +39,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { if [ ! -z $EXCLUDED ]; then RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null) else 
@@ -61,18 +61,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/6.1.13_find_suid_files.sh b/bin/hardening/6.1.13_find_suid_files.sh index d463eb6..bd86cac 100755 --- a/bin/hardening/6.1.13_find_suid_files.sh +++ b/bin/hardening/6.1.13_find_suid_files.sh 
@@ -19,18 +19,18 @@ DESCRIPTION="Find SUID system executables." IGNORED_PATH='' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { info "Checking if there are suid files" - FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }' ) + FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }') # shellcheck disable=2086 if [ ! -z $IGNORED_PATH ]; then - FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print) + FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print) else - FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -print) + FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -print) fi BAD_BINARIES="" for BINARY in $FOUND_BINARIES; do - if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then + if grep -qw "$BINARY" <<<"$EXCEPTIONS"; then debug "$BINARY is confirmed as an exception" else BAD_BINARIES="$BAD_BINARIES $BINARY" @@ -38,7 +38,7 @@ audit () { done if [ ! -z "$BAD_BINARIES" ]; then crit "Some suid files are present" - FORMATTED_RESULT=$(sed "s/ /\n/g" <<< "$BAD_BINARIES" | sort | uniq | tr '\n' ' ') + FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$BAD_BINARIES" | sort | uniq | tr '\n' ' ') crit "$FORMATTED_RESULT" else ok "No unknown suid files found" @@ -46,7 +46,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { info "Removing suid on valid binary may seriously harm your system, report only here" } 
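Review bot: `grep -qw "$BINARY" <<<"$EXCEPTIONS"` treats the binary path as a basic regular expression, so a `.` in the path matches any character and a `[` makes grep fail outright, which can accept an unexpected SUID file as an exception or drop it from the comparison altogether; `if grep -qwF -- "$BINARY" <<<"$EXCEPTIONS"; then` keeps the whole-word match but compares literally. Note that `-w` still matches when an exception entry merely extends the path past a non-word character; if `EXCEPTIONS` is one entry per line (its definition is outside this hunk), `grep -qxF` would be the strict form. The 6.1.14 audit hunk performs the same check for SGID files. `audit()` continues past the end of this hunk.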
@@ -67,12 +67,12 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi diff --git a/bin/hardening/6.1.14_find_sgid_files.sh b/bin/hardening/6.1.14_find_sgid_files.sh index 8492003..b68970d 100755 --- a/bin/hardening/6.1.14_find_sgid_files.sh +++ b/bin/hardening/6.1.14_find_sgid_files.sh @@ -19,18 +19,18 @@ DESCRIPTION="Find SGID system executables." IGNORED_PATH='' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { info "Checking if there are sgid files" - FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }' ) + FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }') # shellcheck disable=2086 if [ ! -z $IGNORED_PATH ]; then - FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print) + FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print) else - FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -print) + FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -print) fi BAD_BINARIES="" for BINARY in $FOUND_BINARIES; do - if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then + if grep -qw "$BINARY" <<<"$EXCEPTIONS"; then debug "$BINARY is confirmed as an exception" else BAD_BINARIES="$BAD_BINARIES $BINARY" 
@@ -38,7 +38,7 @@ audit () { done if [ ! -z "$BAD_BINARIES" ]; then crit "Some sgid files are present" - FORMATTED_RESULT=$(sed "s/ /\n/g" <<< "$BAD_BINARIES" | sort | uniq | tr '\n' ' ') + FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$BAD_BINARIES" | sort | uniq | tr '\n' ' ') crit "$FORMATTED_RESULT" else ok "No unknown sgid files found" @@ -46,7 +46,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { info "Removing sgid on valid binary may seriously harm your system, report only here" } @@ -68,12 +68,12 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi diff --git a/bin/hardening/6.1.5_etc_passwd_permissions.sh b/bin/hardening/6.1.5_etc_passwd_permissions.sh index bf1192d..e59ed63 100755 --- a/bin/hardening/6.1.5_etc_passwd_permissions.sh +++ b/bin/hardening/6.1.5_etc_passwd_permissions.sh @@ -23,7 +23,7 @@ USER='root' GROUP='root' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { has_file_correct_permissions "$FILE" "$PERMISSIONS" if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" @@ -39,7 +39,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { has_file_correct_permissions "$FILE" "$PERMISSIONS" if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" 
@@ -63,18 +63,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/6.1.6_etc_shadow_permissions.sh b/bin/hardening/6.1.6_etc_shadow_permissions.sh index 3b7f6f1..7a740b0 100755 --- a/bin/hardening/6.1.6_etc_shadow_permissions.sh +++ b/bin/hardening/6.1.6_etc_shadow_permissions.sh @@ -23,7 +23,7 @@ USER='root' GROUP='shadow' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { has_file_correct_permissions "$FILE" "$PERMISSIONS" if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" @@ -39,7 +39,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { has_file_correct_permissions "$FILE" "$PERMISSIONS" if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" 
@@ -63,18 +63,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/6.1.7_etc_group_permissions.sh b/bin/hardening/6.1.7_etc_group_permissions.sh index fa93cbd..e720eeb 100755 --- a/bin/hardening/6.1.7_etc_group_permissions.sh +++ b/bin/hardening/6.1.7_etc_group_permissions.sh @@ -23,7 +23,7 @@ USER='root' GROUP='root' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { has_file_correct_permissions "$FILE" "$PERMISSIONS" if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" @@ -39,7 +39,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { has_file_correct_permissions "$FILE" "$PERMISSIONS" if [ "$FNRET" = 0 ]; then ok "$FILE has correct permissions" 
@@ -63,18 +63,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/6.2.10_check_user_dot_file_perm.sh b/bin/hardening/6.2.10_check_user_dot_file_perm.sh index 270b52d..8a912c5 100755 --- a/bin/hardening/6.2.10_check_user_dot_file_perm.sh +++ b/bin/hardening/6.2.10_check_user_dot_file_perm.sh 
@@ -20,19 +20,19 @@ DESCRIPTION="Check user dot file permissions." ERRORS=0 # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do - debug "Working on $DIR" + debug "Working on $DIR" for FILE in $DIR/.[A-Za-z0-9]*; do if [ ! -h "$FILE" -a -f "$FILE" ]; then FILEPERM=$(ls -ld $FILE | cut -f1 -d" ") if [ $(echo $FILEPERM | cut -c6) != "-" ]; then crit "Group Write permission set on FILE $FILE" - ERRORS=$((ERRORS+1)) + ERRORS=$((ERRORS + 1)) fi if [ $(echo $FILEPERM | cut -c9) != "-" ]; then crit "Other Write permission set on FILE $FILE" - ERRORS=$((ERRORS+1)) + ERRORS=$((ERRORS + 1)) fi fi done @@ -44,7 +44,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do for FILE in $DIR/.[A-Za-z0-9]*; do if [ ! -h "$FILE" -a -f "$FILE" ]; then 
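Review bot: `egrep -v '(root|halt|sync|shutdown)'` filters whole passwd entries by substring, so any account whose login, GECOS or home path merely contains one of those words (a `sync-service` user, a `/home/shutdown-ops` directory) is dropped from the audit and its dot files are never checked; testing the login field inside the existing awk program avoids that: `for DIR in $(get_db passwd | awk -F: '$1 !~ /^(root|halt|sync|shutdown)$/ && $7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 != "/nonexistent" { print $6 }'); do`. The same loop header is in the apply hunk below and in the 6.2.11 and 6.2.12 audit hunks. `FILEPERM=$(ls -ld $FILE | cut -f1 -d" ")` parses ls output from an unquoted path; `FILEPERM=$(stat -c '%A' "$FILE")` yields the same mode string, and `"${FILEPERM:5:1}"` / `"${FILEPERM:8:1}"` replace the unquoted `$(echo $FILEPERM | cut -c6)` tests, which become a `[` syntax error whenever the substitution is empty. `audit()` continues past the end of this hunk.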
@@ -69,18 +69,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/6.2.11_find_user_forward_files.sh b/bin/hardening/6.2.11_find_user_forward_files.sh index e9150bb..d00f438 100755 --- a/bin/hardening/6.2.11_find_user_forward_files.sh +++ b/bin/hardening/6.2.11_find_user_forward_files.sh 
@@ -21,24 +21,24 @@ ERRORS=0 FILENAME='.forward' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do - debug "Working on $DIR" + debug "Working on $DIR" for FILE in $DIR/$FILENAME; do if [ ! -h "$FILE" -a -f "$FILE" ]; then crit "$FILE present" - ERRORS=$((ERRORS+1)) + ERRORS=$((ERRORS + 1)) fi done done if [ $ERRORS = 0 ]; then ok "No $FILENAME present in users home directory" - fi + fi } # This function will be called if the script status is on enabled mode -apply () { +apply() { info "If the audit returns something, please check with the user why he has this file" } @@ -49,18 +49,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/6.2.12_find_user_netrc_files.sh b/bin/hardening/6.2.12_find_user_netrc_files.sh index 2c73606..fa5d4c2 100755 --- a/bin/hardening/6.2.12_find_user_netrc_files.sh 
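Review bot: The `[ ! -h "$FILE" -a -f "$FILE" ]` test in `audit()` deliberately skips a `.forward` that is a symbolic link, so a symlinked forward file is never reported even though this check is about presence rather than permissions; if excluding symlinks is intended, say so in a comment above the test, otherwise use `if [ -e "$FILE" ] || [ -h "$FILE" ]; then`. The `-a` operator in `[` is also marked obsolescent by POSIX and is ambiguous next to `!`, so two separate tests read more reliably. The same test is in 6.2.12 (`.netrc`) and 6.2.14 (`.rhosts`).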
+++ b/bin/hardening/6.2.12_find_user_netrc_files.sh @@ -21,24 +21,24 @@ ERRORS=0 FILENAME='.netrc' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do - debug "Working on $DIR" + debug "Working on $DIR" for FILE in $DIR/$FILENAME; do if [ ! -h "$FILE" -a -f "$FILE" ]; then crit "$FILE present" - ERRORS=$((ERRORS+1)) + ERRORS=$((ERRORS + 1)) fi done done if [ $ERRORS = 0 ]; then ok "No $FILENAME present in users home directory" - fi + fi } # This function will be called if the script status is on enabled mode -apply () { +apply() { info "If the audit returns something, please check with the user why he has this file" } @@ -49,18 +49,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/6.2.13_set_perm_on_user_netrc.sh b/bin/hardening/6.2.13_set_perm_on_user_netrc.sh index 7223481..e1a6852 100755 
--- a/bin/hardening/6.2.13_set_perm_on_user_netrc.sh +++ b/bin/hardening/6.2.13_set_perm_on_user_netrc.sh @@ -21,9 +21,9 @@ PERMISSIONS="600" ERRORS=0 # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do - debug "Working on $DIR" + debug "Working on $DIR" for FILE in $DIR/.netrc; do if [ ! -h "$FILE" -a -f "$FILE" ]; then has_file_correct_permissions "$FILE" "$PERMISSIONS" @@ -31,7 +31,7 @@ audit () { ok "$FILE has correct permissions" else crit "$FILE permissions were not set to $PERMISSIONS" - ERRORS=$((ERRORS+1)) + ERRORS=$((ERRORS + 1)) fi fi done @@ -44,9 +44,9 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do - debug "Working on $DIR" + debug "Working on $DIR" for FILE in $DIR/.netrc; do if [ ! -h "$FILE" -a -f "$FILE" ]; then has_file_correct_permissions "$FILE" "$PERMISSIONS" 
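Review bot: `apply()` selects users with `cat /etc/passwd | egrep ...` while `audit()` in the hunk above uses `get_db passwd`, so on a host where `get_db` presumably merges accounts from other sources the apply pass would skip `.netrc` files the audit just reported, and the two passes disagree about what "all users" means. Replace `cat /etc/passwd |` with `get_db passwd |` in `apply()` so both functions iterate the same set. Both `audit()` and `apply()` continue outside their hunks.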
@@ -68,18 +68,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/6.2.14_find_user_rhosts_files.sh b/bin/hardening/6.2.14_find_user_rhosts_files.sh
index 43fdbdf..333f85b 100755
--- a/bin/hardening/6.2.14_find_user_rhosts_files.sh
+++ b/bin/hardening/6.2.14_find_user_rhosts_files.sh
@@ -21,24 +21,24 @@ ERRORS=0 FILENAME=".rhosts" # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do - debug "Working on $DIR" + debug "Working on $DIR" for FILE in $DIR/$FILENAME; do if [ ! -h "$FILE" -a -f "$FILE" ]; then crit "$FILE present" - ERRORS=$((ERRORS+1)) + ERRORS=$((ERRORS + 1)) fi done done if [ $ERRORS = 0 ]; then ok "No $FILENAME present in users home directory" - fi + fi } # This function will be called if the script status is on enabled mode -apply () { +apply() { info "If the audit returns something, please check with the user why he has this file" } @@ -49,18 +49,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/6.2.15_find_passwd_group_inconsistencies.sh b/bin/hardening/6.2.15_find_passwd_group_inconsistencies.sh index d96860e..c03aa0a 100755 
--- a/bin/hardening/6.2.15_find_passwd_group_inconsistencies.sh +++ b/bin/hardening/6.2.15_find_passwd_group_inconsistencies.sh @@ -20,23 +20,23 @@ DESCRIPTION="There is no group in /etc/passwd that is not in /etc/group." ERRORS=0 # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { - for GROUP in $(cut -s -d: -f4 /etc/passwd | sort -u ); do + for GROUP in $(cut -s -d: -f4 /etc/passwd | sort -u); do debug "Working on group $GROUP" if ! grep -q -P "^.*?:[^:]*:$GROUP:" /etc/group; then crit "Group $GROUP is referenced by /etc/passwd but does not exist in /etc/group" - ERRORS=$((ERRORS+1)) + ERRORS=$((ERRORS + 1)) fi done if [ $ERRORS = 0 ]; then ok "passwd and group Groups are consistent" - fi + fi } # This function will be called if the script status is on enabled mode -apply () { +apply() { info "Solving passwd and group consistency automatically may seriously harm your system, report only here" } @@ -47,18 +47,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" 
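Review bot: `audit()` reads `/etc/passwd` and `/etc/group` directly (`cut -s -d: -f4 /etc/passwd`, `grep -q -P ... /etc/group`) while the sibling checks on this page go through `get_db`, so a group supplied by another NSS source would presumably be reported as missing, and the `^.*?:[^:]*:$GROUP:` PCRE interpolates `$GROUP` into a pattern and relies on lazy matching instead of comparing the GID field. An exact field comparison needs no PCRE: `if ! get_db group | awk -F: -v g="$GROUP" '$3 == g { f = 1 } END { exit !f }'; then`. `audit()` is complete in the first hunk; `check_config()` starts outside the second.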
diff --git a/bin/hardening/6.2.16_check_duplicate_uid.sh b/bin/hardening/6.2.16_check_duplicate_uid.sh index 4bbac9a..f50aaec 100755 --- a/bin/hardening/6.2.16_check_duplicate_uid.sh +++ b/bin/hardening/6.2.16_check_duplicate_uid.sh @@ -21,13 +21,13 @@ EXCEPTIONS="" ERRORS=0 # This function will be called if the script status is on enabled / audit mode -audit () { - RESULT=$(get_db passwd | cut -f3 -d":" | sort -n | uniq -c | awk '{print $1":"$2}' ) +audit() { + RESULT=$(get_db passwd | cut -f3 -d":" | sort -n | uniq -c | awk '{print $1":"$2}') FOUND_EXCEPTIONS="" for LINE in $RESULT; do debug "Working on line $LINE" - OCC_NUMBER=$(awk -F: '{print $1}' <<< "$LINE") - USERID=$(awk -F: '{print $2}' <<< "$LINE") + OCC_NUMBER=$(awk -F: '{print $1}' <<<"$LINE") + USERID=$(awk -F: '{print $2}' <<<"$LINE") if [ "$OCC_NUMBER" -gt 1 ]; then USERS=$(awk -F: '($3 == n) { print $1 }' n="$USERID" /etc/passwd | xargs) ID_NAMES="($USERID): ${USERS}" @@ -35,7 +35,7 @@ audit () { debug "$USERID is confirmed as an exception" FOUND_EXCEPTIONS="$FOUND_EXCEPTIONS $ID_NAMES" else - ERRORS=$((ERRORS+1)) + ERRORS=$((ERRORS + 1)) crit "Duplicate UID $ID_NAMES" fi fi @@ -47,7 +47,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { info "Editing automatically uids may seriously harm your system, report only here" } @@ -69,12 +69,12 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi 
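Review bot: In `audit()` the duplicate-UID detection reads `get_db passwd`, but the name lookup `USERS=$(awk -F: '($3 == n) { print $1 }' n="$USERID" /etc/passwd | xargs)` reads only `/etc/passwd`, so when one of the colliding entries is not in the local file the `crit "Duplicate UID $ID_NAMES"` message lists an incomplete set of names; feed it from the same source, `USERS=$(get_db passwd | awk -F: '($3 == n) { print $1 }' n="$USERID" | xargs)`. The same split between `get_db` and the local file is in 6.2.17 (`/etc/group`) and 6.2.5 (`"$FILE"` = `/etc/passwd`). `audit()` continues outside the hunk.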
diff --git a/bin/hardening/6.2.17_check_duplicate_gid.sh b/bin/hardening/6.2.17_check_duplicate_gid.sh index 435bab2..7378f77 100755 --- a/bin/hardening/6.2.17_check_duplicate_gid.sh +++ b/bin/hardening/6.2.17_check_duplicate_gid.sh @@ -20,15 +20,15 @@ DESCRIPTION="Ensure no duplicate GIDs exist" ERRORS=0 # This function will be called if the script status is on enabled / audit mode -audit () { - RESULT=$(get_db group | cut -f3 -d":" | sort -n | uniq -c | awk '{print $1":"$2}' ) +audit() { + RESULT=$(get_db group | cut -f3 -d":" | sort -n | uniq -c | awk '{print $1":"$2}') for LINE in $RESULT; do debug "Working on line $LINE" - OCC_NUMBER=$(awk -F: '{print $1}' <<< "$LINE") - GROUPID=$(awk -F: '{print $2}' <<< "$LINE") + OCC_NUMBER=$(awk -F: '{print $1}' <<<"$LINE") + GROUPID=$(awk -F: '{print $2}' <<<"$LINE") if [ "$OCC_NUMBER" -gt 1 ]; then GROUP=$(awk -F: '($3 == n) { print $1 }' n="$GROUPID" /etc/group | xargs) - ERRORS=$((ERRORS+1)) + ERRORS=$((ERRORS + 1)) crit "Duplicate GID ($GROUPID): ${GROUP}" fi done @@ -39,7 +39,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { info "Editing automatically gids may seriously harm your system, report only here" } @@ -50,12 +50,12 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi diff --git a/bin/hardening/6.2.18_check_duplicate_username.sh b/bin/hardening/6.2.18_check_duplicate_username.sh index c4aad03..8d1304c 100755 
--- a/bin/hardening/6.2.18_check_duplicate_username.sh +++ b/bin/hardening/6.2.18_check_duplicate_username.sh @@ -20,26 +20,26 @@ DESCRIPTION="There is no duplicate usernames." ERRORS=0 # This function will be called if the script status is on enabled / audit mode -audit () { - RESULT=$(get_db passwd | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} ) - for LINE in $RESULT; do +audit() { + RESULT=$(get_db passwd | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'}) + for LINE in $RESULT; do debug "Working on line $LINE" - OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE) - USERNAME=$(awk -F: {'print $2'} <<< $LINE) + OCC_NUMBER=$(awk -F: {'print $1'} <<<$LINE) + USERNAME=$(awk -F: {'print $2'} <<<$LINE) if [ $OCC_NUMBER -gt 1 ]; then USERS=$(awk -F: '($3 == n) { print $1 }' n=$USERNAME /etc/passwd | xargs) - ERRORS=$((ERRORS+1)) + ERRORS=$((ERRORS + 1)) crit "Duplicate username $USERNAME" fi - done + done if [ $ERRORS = 0 ]; then ok "No duplicate usernames" - fi + fi } # This function will be called if the script status is on enabled mode -apply () { +apply() { info "Editing automatically username may seriously harm your system, report only here" } 
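Review bot: `USERS=$(awk -F: '($3 == n) { print $1 }' n=$USERNAME /etc/passwd | xargs)` in `audit()` compares the numeric UID field `$3` against a user name, so it can never match, and `USERS` is not used by the `crit` line that follows; either drop the assignment or make it `$1 == n` and print it. `sort -n` on user names is also a numeric sort of non-numeric input that only yields adjacent duplicates because GNU sort falls back to a byte comparison for ties; plain `sort` states the intent. The same dead lookup, against `/etc/passwd` for a group name, is in 6.2.19.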
@@ -50,18 +50,18 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
-# shellcheck source=../../debian/default
+ # shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-# shellcheck source=../../lib/main.sh
+ # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
diff --git a/bin/hardening/6.2.19_check_duplicate_groupname.sh b/bin/hardening/6.2.19_check_duplicate_groupname.sh
index 33c4542..5398971 100755
--- a/bin/hardening/6.2.19_check_duplicate_groupname.sh
+++ b/bin/hardening/6.2.19_check_duplicate_groupname.sh
@@ -20,26 +20,26 @@ DESCRIPTION="There is no duplicate group names." ERRORS=0 # This function will be called if the script status is on enabled / audit mode -audit () { - RESULT=$(get_db group | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} ) - for LINE in $RESULT; do +audit() { + RESULT=$(get_db group | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'}) + for LINE in $RESULT; do debug "Working on line $LINE" - OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE) - GROUPNAME=$(awk -F: {'print $2'} <<< $LINE) + OCC_NUMBER=$(awk -F: {'print $1'} <<<$LINE) + GROUPNAME=$(awk -F: {'print $2'} <<<$LINE) if [ $OCC_NUMBER -gt 1 ]; then USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPNAME /etc/passwd | xargs) - ERRORS=$((ERRORS+1)) + ERRORS=$((ERRORS + 1)) crit "Duplicate groupname $GROUPNAME" fi - done + done if [ $ERRORS = 0 ]; then ok "No duplicate groupnames" - fi + fi } # This function will be called if the script status is on enabled mode -apply () { +apply() { info "Editing automatically groupname may seriously harm your system, report only here" } 
@@ -50,18 +50,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/6.2.1_remove_empty_password_field.sh b/bin/hardening/6.2.1_remove_empty_password_field.sh index 2e222b2..acf64a6 100755 --- a/bin/hardening/6.2.1_remove_empty_password_field.sh +++ b/bin/hardening/6.2.1_remove_empty_password_field.sh @@ -17,9 +17,8 @@ HARDENING_LEVEL=1 # shellcheck disable=2034 DESCRIPTION="Ensure password fields are not empty in /etc/shadow." - # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { info "Checking if accounts have an empty password" RESULT=$(get_db shadow | awk -F: '($2 == "" ) { print $1 }') if [ ! -z "$RESULT" ]; then @@ -31,7 +30,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { RESULT=$(get_db shadow | awk -F: '($2 == "" ) { print $1 }') if [ ! -z "$RESULT" ]; then warn "Some accounts have an empty password" 
@@ -51,18 +50,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/6.2.20_shadow_group_empty.sh b/bin/hardening/6.2.20_shadow_group_empty.sh index 1606f4f..67c7dfc 100755 --- a/bin/hardening/6.2.20_shadow_group_empty.sh +++ b/bin/hardening/6.2.20_shadow_group_empty.sh @@ -22,7 +22,7 @@ FILEGROUP='/etc/group' PATTERN='^shadow:x:[[:digit:]]+:' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { does_pattern_exist_in_file $FILEGROUP $PATTERN if [ "$FNRET" = 0 ]; then info "shadow group exists" @@ -48,7 +48,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { info "Editing automatically users/groups may seriously harm your system, report only here" } 
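Review bot: `does_pattern_exist_in_file $FILEGROUP $PATTERN` in `audit()` passes `PATTERN='^shadow:x:[[:digit:]]+:'` unquoted, so the `[[:digit:]]` bracket expression goes through pathname expansion in the calling directory before the helper ever sees it and the argument can be replaced by a matching filename; quote both arguments, `does_pattern_exist_in_file "$FILEGROUP" "$PATTERN"`. `audit()` continues outside the hunk.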
@@ -59,18 +59,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/6.2.2_remove_legacy_passwd_entries.sh b/bin/hardening/6.2.2_remove_legacy_passwd_entries.sh index 44063ad..d388b72 100755 --- a/bin/hardening/6.2.2_remove_legacy_passwd_entries.sh +++ b/bin/hardening/6.2.2_remove_legacy_passwd_entries.sh @@ -21,7 +21,7 @@ FILE='/etc/passwd' RESULT='' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { info "Checking if accounts have a legacy password entry" if grep '^+:' $FILE -q; then RESULT=$(grep '^+:' $FILE) @@ -33,7 +33,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { if grep '^+:' $FILE -q; then RESULT=$(grep '^+:' $FILE) warn "Some accounts have a legacy password entry" 
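Review bot: `grep '^+:' $FILE -q` in `audit()` puts the `-q` option after the operand, which only works through GNU option permutation and fails when `POSIXLY_CORRECT` is set, and the same pattern is then run a second time in `RESULT=$(grep '^+:' $FILE)`; a single quoted call does both jobs, `if RESULT=$(grep -- '^+:' "$FILE"); then`, since the assignment carries grep's exit status. The same shape is in `apply()` below and in 6.2.3 and 6.2.4. Both functions continue outside their hunks.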
@@ -53,18 +53,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/6.2.3_remove_legacy_shadow_entries.sh b/bin/hardening/6.2.3_remove_legacy_shadow_entries.sh index 7a5b2ae..9d96b86 100755 --- a/bin/hardening/6.2.3_remove_legacy_shadow_entries.sh +++ b/bin/hardening/6.2.3_remove_legacy_shadow_entries.sh @@ -21,7 +21,7 @@ FILE='/etc/shadow' RESULT='' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { info "Checking if accounts have a legacy password entry" if $SUDO_CMD grep '^+:' $FILE -q; then RESULT=$($SUDO_CMD grep '^+:' $FILE) @@ -33,7 +33,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { if grep '^+:' $FILE -q; then RESULT=$(grep '^+:' $FILE) warn "Some accounts have a legacy password entry" 
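Review bot: `apply()` runs `grep '^+:' $FILE -q` on `/etc/shadow` without the `$SUDO_CMD` prefix that `audit()` uses two hunks above, so when the script is executed by an unprivileged user with `SUDO_CMD` configured the apply pass cannot read the file, the `if` takes the false branch, and it presumably reports nothing to fix; prefix both `grep` calls in `apply()` with `$SUDO_CMD` exactly as `audit()` does. `apply()` continues outside the hunk.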
@@ -53,18 +53,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/6.2.4_remove_legacy_group_entries.sh b/bin/hardening/6.2.4_remove_legacy_group_entries.sh index f16a625..697de06 100755 --- a/bin/hardening/6.2.4_remove_legacy_group_entries.sh +++ b/bin/hardening/6.2.4_remove_legacy_group_entries.sh @@ -21,7 +21,7 @@ FILE='/etc/group' RESULT='' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { info "Checking if accounts have a legacy group entry" if grep '^+:' $FILE -q; then RESULT=$(grep '^+:' $FILE) @@ -33,7 +33,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { if grep '^+:' $FILE -q; then RESULT=$(grep '^+:' $FILE) warn "Some accounts have a legacy group entry" 
@@ -53,18 +53,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/6.2.5_find_0_uid_non_root_account.sh b/bin/hardening/6.2.5_find_0_uid_non_root_account.sh index e0e4b98..93eba10 100755 --- a/bin/hardening/6.2.5_find_0_uid_non_root_account.sh +++ b/bin/hardening/6.2.5_find_0_uid_non_root_account.sh @@ -24,9 +24,9 @@ FILE='/etc/passwd' RESULT='' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { info "Checking if accounts have uid 0" - RESULT=$(awk -F: '($3 == 0 && $1!="root" ) { print $1 }' "$FILE" ) + RESULT=$(awk -F: '($3 == 0 && $1!="root" ) { print $1 }' "$FILE") FOUND_EXCEPTIONS="" for ACCOUNT in $RESULT; do debug "Account : $ACCOUNT" 
@@ -34,21 +34,21 @@ audit () { debug "echo \"$EXCEPTIONS\" | grep -qw $ACCOUNT" if echo "$EXCEPTIONS" | grep -qw "$ACCOUNT"; then debug "$ACCOUNT is confirmed as an exception" - RESULT=$(sed "s!$ACCOUNT!!" <<< "$RESULT") + RESULT=$(sed "s!$ACCOUNT!!" <<<"$RESULT") FOUND_EXCEPTIONS="$FOUND_EXCEPTIONS $ACCOUNT" else debug "$ACCOUNT not found in exceptions" fi done if [ ! -z "$RESULT" ]; then - crit "Some accounts have uid 0: $(tr '\n' ' ' <<< "$RESULT")" + crit "Some accounts have uid 0: $(tr '\n' ' ' <<<"$RESULT")" else ok "No account with uid 0 appart from root ${FOUND_EXCEPTIONS:+and configured exceptions:}$FOUND_EXCEPTIONS" fi } # This function will be called if the script status is on enabled mode -apply () { +apply() { info "Removing accounts with uid 0 may seriously harm your system, report only here" } @@ -70,12 +70,12 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi diff --git a/bin/hardening/6.2.6_sanitize_root_path.sh b/bin/hardening/6.2.6_sanitize_root_path.sh index 0ac0523..4adc692 100755 --- a/bin/hardening/6.2.6_sanitize_root_path.sh +++ b/bin/hardening/6.2.6_sanitize_root_path.sh @@ -11,7 +11,7 @@ # set path to the $PATH environnement variable if path is not defined # used in test -[[ $path && ${path-x} ]] || path=$PATH +[[ $path && ${path-x} ]] || path=$PATH set -e # One error, it's over set -u # One variable unset, it's over 
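Review bot: `RESULT=$(sed "s!$ACCOUNT!!" <<<"$RESULT")` removes the exception name as an unanchored substring, so an exception `adm` would also turn a non-exempted `sysadmin` into `sysin` and an account name containing `!` or a regex metacharacter breaks the expression; filter whole lines instead, `RESULT=$(grep -vxF -- "$ACCOUNT" <<<"$RESULT")`. The `ok` message also reads `appart from root` and should be `apart`. `audit()` starts outside the hunk.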
@@ -24,40 +24,40 @@ DESCRIPTION="Ensure root path integrity." ERRORS=0 # This function will be called if the script status is on enabled / audit mode -audit () { - if [ "`echo $path | grep :: `" != "" ]; then +audit() { + if [ "$(echo $path | grep ::)" != "" ]; then crit "Empty Directory in PATH (::)" - ERRORS=$((ERRORS+1)) + ERRORS=$((ERRORS + 1)) fi - if [ "`echo $path | grep :$`" != "" ]; then + if [ "$(echo $path | grep :$)" != "" ]; then crit "Trailing : in PATH $path" - ERRORS=$((ERRORS+1)) + ERRORS=$((ERRORS + 1)) fi FORMATTED_PATH=$(echo $path | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g') set -- $FORMATTED_PATH while [ "${1:-}" != "" ]; do if [ "$1" = "." ]; then crit "PATH contains ." - ERRORS=$((ERRORS+1)) + ERRORS=$((ERRORS + 1)) else if [ -d $1 ]; then dirperm=$(ls -ldH $1 | cut -f1 -d" ") - if [ $(echo $dirperm | cut -c6 ) != "-" ]; then + if [ $(echo $dirperm | cut -c6) != "-" ]; then crit "Group Write permission set on directory $1" - ERRORS=$((ERRORS+1)) + ERRORS=$((ERRORS + 1)) fi - if [ $(echo $dirperm | cut -c9 ) != "-" ]; then + if [ $(echo $dirperm | cut -c9) != "-" ]; then crit "Other Write permission set on directory $1" - ERRORS=$((ERRORS+1)) + ERRORS=$((ERRORS + 1)) fi dirown=$(ls -ldH $1 | awk '{print $3}') - if [ "$dirown" != "root" ] ; then + if [ "$dirown" != "root" ]; then crit "$1 is not owned by root" - ERRORS=$((ERRORS+1)) + ERRORS=$((ERRORS + 1)) fi else crit "$1 is not a directory" - ERRORS=$((ERRORS+1)) + ERRORS=$((ERRORS + 1)) fi fi shift @@ -69,7 +69,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { info "Editing items from PATH may seriously harm your system, report only here" } 
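Review bot: `audit()` flags `::` and a trailing `:` but not a leading `:`, which is an empty PATH entry just the same (`:/usr/bin` searches the current directory first), and `sed -e 's/::/:/'` without `g` only collapses the first `::` so a later one survives into `set --`. Add the missing case beside the other two, `if [ "$(echo $path | grep '^:')" != "" ]; then crit "Leading : in PATH $path"; ERRORS=$((ERRORS + 1)); fi`, and use `s/::/:/g` in the normalisation. `ls -ldH $1 | cut -f1 -d" "` also leaves `$1` unquoted and could be `stat -c '%A' -- "$1"`. `audit()` continues outside the first hunk.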
@@ -80,18 +80,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/6.2.7_users_valid_homedir.sh b/bin/hardening/6.2.7_users_valid_homedir.sh index 113fb14..0b9a2ba 100755 --- a/bin/hardening/6.2.7_users_valid_homedir.sh +++ b/bin/hardening/6.2.7_users_valid_homedir.sh 
@@ -20,26 +20,26 @@ DESCRIPTION="Users are assigned valid home directories." ERRORS=0 # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { RESULT=$(get_db passwd | awk -F: '{ print $1 ":" $3 ":" $6 }') - for LINE in $RESULT; do + for LINE in $RESULT; do debug "Working on $LINE" - USER=$(awk -F: {'print $1'} <<< $LINE) - USERID=$(awk -F: {'print $2'} <<< $LINE) - DIR=$(awk -F: {'print $3'} <<< $LINE) + USER=$(awk -F: {'print $1'} <<<$LINE) + USERID=$(awk -F: {'print $2'} <<<$LINE) + DIR=$(awk -F: {'print $3'} <<<$LINE) if [ $USERID -ge 1000 -a ! -d "$DIR" -a $USER != "nfsnobody" -a $USER != "nobody" -a "$DIR" != "/nonexistent" ]; then crit "The home directory ($DIR) of user $USER does not exist." - ERRORS=$((ERRORS+1)) + ERRORS=$((ERRORS + 1)) fi done if [ $ERRORS = 0 ]; then ok "All home directories exists" - fi + fi } # This function will be called if the script status is on enabled mode -apply () { +apply() { info "Modifying home directories may seriously harm your system, report only here" } 
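Review bot: The reformatted loop `for LINE in $RESULT` word-splits the passwd records on whitespace, so a home directory containing a space is cut in two and `-d "$DIR"` is tested against the wrong path; the test also relies on the deprecated `-a` and leaves `$USERID`/`$USER` unquoted, so a malformed passwd line becomes a `[` syntax error instead of a finding. Reading the records field-wise avoids both: `while IFS=: read -r USER USERID DIR; do` … `done <<<"$RESULT"`, with the condition written as `[ "$USERID" -ge 1000 ] && [ ! -d "$DIR" ] && [ "$USER" != "nfsnobody" ] && [ "$USER" != "nobody" ] && [ "$DIR" != "/nonexistent" ]`. The `awk -F: {'print $1'}` spelling only works because the shell concatenates the three words into `{print $1}`; `'{print $1}'` is the intended form. The same loop and test appear verbatim in the 6.2.9 audit() hunk below (the `@@ -22,17` hunk) and should get the same treatment.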
@@ -50,18 +50,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/6.2.8_check_user_dir_perm.sh b/bin/hardening/6.2.8_check_user_dir_perm.sh index 16477c3..e4779eb 100755 --- a/bin/hardening/6.2.8_check_user_dir_perm.sh +++ b/bin/hardening/6.2.8_check_user_dir_perm.sh 
@@ -20,34 +20,34 @@ DESCRIPTION="Check permissions on user home directories." ERRORS=0 # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { for dir in $(get_db passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do debug "Working on $dir" debug "Exceptions : $EXCEPTIONS" debug "echo \"$EXCEPTIONS\" | grep -q $dir" if echo "$EXCEPTIONS" | grep -q $dir; then debug "$dir is confirmed as an exception" - RESULT=$(sed "s!$dir!!" <<< "$RESULT") + RESULT=$(sed "s!$dir!!" <<<"$RESULT") else debug "$dir not found in exceptions" fi if [ -d $dir ]; then dirperm=$(/bin/ls -ld $dir | cut -f1 -d" ") - if [ $(echo $dirperm | cut -c6 ) != "-" ]; then + if [ $(echo $dirperm | cut -c6) != "-" ]; then crit "Group Write permission set on directory $dir" - ERRORS=$((ERRORS+1)) + ERRORS=$((ERRORS + 1)) fi - if [ $(echo $dirperm | cut -c8 ) != "-" ]; then + if [ $(echo $dirperm | cut -c8) != "-" ]; then crit "Other Read permission set on directory $dir" - ERRORS=$((ERRORS+1)) + ERRORS=$((ERRORS + 1)) fi - if [ $(echo $dirperm | cut -c9 ) != "-" ]; then + if [ $(echo $dirperm | cut -c9) != "-" ]; then crit "Other Write permission set on directory $dir" - ERRORS=$((ERRORS+1)) + ERRORS=$((ERRORS + 1)) fi - if [ $(echo $dirperm | cut -c10 ) != "-" ]; then + if [ $(echo $dirperm | cut -c10) != "-" ]; then crit "Other Execute permission set on directory $dir" - ERRORS=$((ERRORS+1)) + ERRORS=$((ERRORS + 1)) fi fi done 
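Review bot: The exception branch in audit() never takes effect: when `grep -q $dir` matches, the only action is `RESULT=$(sed "s!$dir!!" <<<"$RESULT")`, but `$RESULT` is not read anywhere in the hunk and the `if [ -d $dir ]` permission checks run unconditionally, so an excepted home directory is still reported (and in the apply() hunk below, still chmod'ed). Unless `RESULT` is consumed somewhere outside the view, the branch should skip the entry instead: `debug "$dir is confirmed as an exception"; continue`. Two further matching issues blur the audit's coverage: `grep -q $dir` is an unanchored pattern, so an exception for `/home/bob` also excuses `/home/bobby`, and `egrep -v '(root|halt|sync|shutdown)'` filters on the whole passwd line, so any account whose name, gecos or shell contains `sync` or `root` is silently skipped; `tr ' ' '\n' <<<"$EXCEPTIONS" | grep -qxF -- "$dir"` and `awk -F: '$1 !~ /^(root|halt|sync|shutdown)$/'` restrict both to the intended field. `[ -d $dir ]`, `/bin/ls -ld $dir` and the `chmod g-w $dir` family in apply() should also quote `$dir`.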
@@ -59,33 +59,33 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { for dir in $(get_db passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do debug "Working on $dir" debug "Exceptions : $EXCEPTIONS" debug "echo \"$EXCEPTIONS\" | grep -q $dir" if echo "$EXCEPTIONS" | grep -q $dir; then debug "$dir is confirmed as an exception" - RESULT=$(sed "s!$dir!!" <<< "$RESULT") + RESULT=$(sed "s!$dir!!" <<<"$RESULT") else debug "$dir not found in exceptions" fi if [ -d $dir ]; then dirperm=$(/bin/ls -ld $dir | cut -f1 -d" ") - if [ $(echo $dirperm | cut -c6 ) != "-" ]; then + if [ $(echo $dirperm | cut -c6) != "-" ]; then warn "Group Write permission set on directory $dir" chmod g-w $dir fi - if [ $(echo $dirperm | cut -c8 ) != "-" ]; then + if [ $(echo $dirperm | cut -c8) != "-" ]; then warn "Other Read permission set on directory $dir" chmod o-r $dir fi - if [ $(echo $dirperm | cut -c9 ) != "-" ]; then + if [ $(echo $dirperm | cut -c9) != "-" ]; then warn "Other Write permission set on directory $dir" chmod o-w $dir fi - if [ $(echo $dirperm | cut -c10 ) != "-" ]; then - warn "Other Execute permission set on directory $dir" + if [ $(echo $dirperm | cut -c10) != "-" ]; then + warn "Other Execute permission set on directory $dir" chmod o-x $dir fi fi 
@@ -110,18 +110,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/6.2.9_users_valid_homedir.sh b/bin/hardening/6.2.9_users_valid_homedir.sh index 1b6edb1..1128290 100755 --- a/bin/hardening/6.2.9_users_valid_homedir.sh +++ b/bin/hardening/6.2.9_users_valid_homedir.sh @@ -22,17 +22,17 @@ EXCEPTIONS="" ERRORS=0 # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { debug "Checking homedir exists" RESULT=$(get_db passwd | awk -F: '{ print $1 ":" $3 ":" $6 }') for LINE in $RESULT; do debug "Working on $LINE" - USER=$(awk -F: {'print $1'} <<< $LINE) - USERID=$(awk -F: {'print $2'} <<< $LINE) - DIR=$(awk -F: {'print $3'} <<< $LINE) + USER=$(awk -F: {'print $1'} <<<$LINE) + USERID=$(awk -F: {'print $2'} <<<$LINE) + DIR=$(awk -F: {'print $3'} <<<$LINE) if [ $USERID -ge 1000 -a ! -d "$DIR" -a $USER != "nfsnobody" -a $USER != "nobody" -a "$DIR" != "/nonexistent" ]; then crit "The home directory ($DIR) of user $USER does not exist." - ERRORS=$((ERRORS+1)) + ERRORS=$((ERRORS + 1)) fi done 
@@ -40,12 +40,12 @@ audit () { ok "All home directories exists" fi debug "Checking homedir ownership" - RESULT=$(awk -F: '{ print $1 ":" $3 ":" $6 }' /etc/passwd ) + RESULT=$(awk -F: '{ print $1 ":" $3 ":" $6 }' /etc/passwd) for LINE in $RESULT; do debug "Working on $LINE" - USER=$(awk -F: '{print $1}' <<< "$LINE") - USERID=$(awk -F: '{print $2}' <<< "$LINE") - DIR=$(awk -F: '{print $3}' <<< "$LINE") + USER=$(awk -F: '{print $1}' <<<"$LINE") + USERID=$(awk -F: '{print $2}' <<<"$LINE") + DIR=$(awk -F: '{print $3}' <<<"$LINE") if [ "$USERID" -ge 500 ] && [ -d "$DIR" ] && [ "$USER" != "nfsnobody" ]; then OWNER=$(stat -L -c "%U" "$DIR") if [ "$OWNER" != "$USER" ]; then @@ -59,7 +59,7 @@ audit () { done if [ "$EXCEP_FOUND" -eq 0 ]; then crit "The home directory ($DIR) of user $USER is owned by $OWNER." - ERRORS=$((ERRORS+1)) + ERRORS=$((ERRORS + 1)) fi fi fi @@ -71,7 +71,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { info "Modifying home directories may seriously harm your system, report only here" } 
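Review bot: The ownership pass in this hunk reads `/etc/passwd` directly (`awk ... /etc/passwd`) while the existence pass a few lines above uses `get_db passwd`, so accounts served through NSS are checked for a home directory but never for its owner; the two thresholds also differ (`-ge 500` here, `-ge 1000` above), so UIDs 500–999 get an ownership check but no existence check. Unless the difference is deliberate, both passes should share the same source and threshold: `RESULT=$(get_db passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')` and `[ "$USERID" -ge 1000 ]`. `stat -L -c "%U"` is the right call for the owner, but for a symlinked home it reports the target's owner rather than the link's, which may or may not be what the policy intends — worth a one-line comment either way. audit() starts in the previous hunk and ends in the `@@ -71` hunk on this line.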
@@ -82,18 +82,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/8.0_enable_auditd_kernel.sh b/bin/hardening/8.0_enable_auditd_kernel.sh index db488cb..447b0bc 100755 --- a/bin/hardening/8.0_enable_auditd_kernel.sh +++ b/bin/hardening/8.0_enable_auditd_kernel.sh @@ -21,9 +21,8 @@ DESCRIPTION="Ensure CONFIG_AUDIT is enabled in your running kernel." KERNEL_OPTION="CONFIG_AUDIT" - # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { is_kernel_option_enabled "$KERNEL_OPTION" if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated ok "$KERNEL_OPTION is enabled" @@ -34,7 +33,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { is_kernel_option_enabled "$KERNEL_OPTION" if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated ok "$KERNEL_OPTION is enabled" 
@@ -51,18 +50,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/8.3.1_install_tripwire.sh b/bin/hardening/8.3.1_install_tripwire.sh index a54081c..d617072 100755 --- a/bin/hardening/8.3.1_install_tripwire.sh +++ b/bin/hardening/8.3.1_install_tripwire.sh @@ -21,7 +21,7 @@ DESCRIPTION="Ensure tripwire package is installed." PACKAGE='tripwire' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { is_pkg_installed "$PACKAGE" if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" 
@@ -31,15 +31,15 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { - is_pkg_installed "$PACKAGE" - if [ "$FNRET" = 0 ]; then - ok "$PACKAGE is installed" - else - crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE - info "Tripwire is now installed but not fully functionnal, please see readme to go further" - fi +apply() { + is_pkg_installed "$PACKAGE" + if [ "$FNRET" = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + info "Tripwire is now installed but not fully functionnal, please see readme to go further" + fi } # This function will check config parameters required @@ -49,18 +49,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.sh + # shellcheck source=../../lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/8.3.2_tripwire_cron.sh b/bin/hardening/8.3.2_tripwire_cron.sh index a93f79a..339cca0 100755 --- a/bin/hardening/8.3.2_tripwire_cron.sh +++ b/bin/hardening/8.3.2_tripwire_cron.sh 
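Review bot: In the reformatted apply() body the package is still passed unquoted (`apt_install $PACKAGE`) while two lines up it is quoted for `is_pkg_installed "$PACKAGE"`; `apt_install "$PACKAGE"` keeps the two consistent. The `crit "$PACKAGE is absent, installing it"` level is also odd for a remediation step the function performs immediately — the sibling scripts in this patch use `warn "... is not present ..., adding it"` for that situation. The user-facing message has a typo: `functionnal` → `functional`.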
@@ -22,7 +22,7 @@ DIRECTORY="/etc/cron.d" PATTERN='tripwire --check' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { FILES="$FILES $($SUDO_CMD find $DIRECTORY -type f)" FOUND=0 for FILE in $FILES; do @@ -39,7 +39,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { FILES="$FILES $($SUDO_CMD find $DIRECTORY -type f)" FOUND=0 for FILE in $FILES; do @@ -50,7 +50,7 @@ apply () { done if [ "$FOUND" != 1 ]; then warn "$PATTERN is not present in $FILES, setting tripwire cron" - echo "0 10 * * * root /usr/sbin/tripwire --check > /dev/shm/tripwire_check 2>&1 " > /etc/cron.d/CIS_8.3.2_tripwire + echo "0 10 * * * root /usr/sbin/tripwire --check > /dev/shm/tripwire_check 2>&1 " >/etc/cron.d/CIS_8.3.2_tripwire else ok "$PATTERN is present in $FILES" fi @@ -63,12 +63,12 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi diff --git a/bin/hardening/99.1_timeout_tty.sh b/bin/hardening/99.1_timeout_tty.sh index 483d554..7ba9cd0 100755 --- a/bin/hardening/99.1_timeout_tty.sh +++ b/bin/hardening/99.1_timeout_tty.sh @@ -23,7 +23,7 @@ FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d /etc/profile' FILE='/etc/profile.d/CIS_99.1_timeout.sh' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { SEARCH_RES=0 for FILE_SEARCHED in $FILES_TO_SEARCH; do if [ $SEARCH_RES = 1 ]; then break; fi 
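Review bot: The cron entry written in the `@@ -50` apply() hunk redirects the output of a root-run `tripwire --check` to `/dev/shm/tripwire_check`, a world-writable tmpfs under a fixed name: an unprivileged user can create that path first and root's `>` then writes through whatever is there (the usual shared-tmp hazard), the integrity report is readable by every local user, and it disappears on reboot. A root-owned persistent location (a file under `/var/log/`, or simply cron's mail delivery by omitting the redirect) avoids all three. In the `@@ -22` and `@@ -39` hunks, `FILES="$FILES $($SUDO_CMD find $DIRECTORY -type f)"` expands a `$FILES` whose initial assignment is not visible here; if this script runs under `set -u` like `99.3.1_acc_shadow_sha512.sh`, that first expansion needs `${FILES:-}`. Both audit() and apply() continue past their hunks.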
@@ -56,7 +56,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { SEARCH_RES=0 for FILE_SEARCHED in $FILES_TO_SEARCH; do if [ $SEARCH_RES = 1 ]; then break; fi @@ -102,12 +102,12 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi diff --git a/bin/hardening/99.2_disable_usb_devices.sh b/bin/hardening/99.2_disable_usb_devices.sh index 5548aa2..56e045a 100755 --- a/bin/hardening/99.2_disable_usb_devices.sh +++ b/bin/hardening/99.2_disable_usb_devices.sh @@ -21,13 +21,13 @@ FILES_TO_SEARCH='/etc/udev/rules.d' FILE='/etc/udev/rules.d/10-CIS_99.2_usb_devices.sh' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { SEARCH_RES=0 for FILE_SEARCHED in $FILES_TO_SEARCH; do if [ $SEARCH_RES = 1 ]; then break; fi if $SUDO_CMD test -d $FILE_SEARCHED; then debug "$FILE_SEARCHED is a directory" - for file_in_dir in $( $SUDO_CMD ls $FILE_SEARCHED); do + for file_in_dir in $($SUDO_CMD ls $FILE_SEARCHED); do does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN" if [ "$FNRET" != 0 ]; then debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir" @@ -53,7 +53,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { SEARCH_RES=0 for FILE_SEARCHED in $FILES_TO_SEARCH; do if [ $SEARCH_RES = 1 ]; then break; fi 
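Review bot: The rules file this script manages is `FILE='/etc/udev/rules.d/10-CIS_99.2_usb_devices.sh'`, but udev only loads files in rules.d that carry the `.rules` suffix, so a rule written under a `.sh` name is never applied even though the audit reports it present; the name should end in `.rules` (and the audit should look for that file). In the same `@@ -21` hunk, `for file_in_dir in $($SUDO_CMD ls $FILE_SEARCHED)` parses `ls` output, which breaks on names with whitespace; `$SUDO_CMD find "$FILE_SEARCHED" -maxdepth 1 -type f` yields full paths and removes the `"$FILE_SEARCHED/$file_in_dir"` concatenation. apply() (the `@@ -53` hunk) very likely carries the same loop, but its body runs past this line.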
@@ -106,18 +106,18 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then -# shellcheck source=../../lib/main.h + # shellcheck source=../../lib/main.h . "$CIS_ROOT_DIR"/lib/main.sh else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" diff --git a/bin/hardening/99.3.1_acc_shadow_sha512.sh b/bin/hardening/99.3.1_acc_shadow_sha512.sh index 47e9e0c..df2f5f9 100755 --- a/bin/hardening/99.3.1_acc_shadow_sha512.sh +++ b/bin/hardening/99.3.1_acc_shadow_sha512.sh @@ -16,10 +16,9 @@ set -u # One variable unset, it's over DESCRIPTION="Check that any password that may exist in /etc/shadow is SHA512 hashed and salted" FILE="/etc/shadow" - # This function will be called if the script status is on enabled / audit mode -audit () { -# Review shadow file for existing passwords +audit() { + # Review shadow file for existing passwords pw_found="" users_reviewed="" if $SUDO_CMD [ ! -r "$FILE" ]; then @@ -54,7 +53,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { : } 
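Review bot: The re-indented directive in the `check_config` hunk still reads `# shellcheck source=../../lib/main.h`, while the line below sources `lib/main.sh`; with the wrong name ShellCheck cannot follow the include (SC1091) and loses the definitions of `is_pkg_installed`, `does_pattern_exist_in_file` and the other helpers this file relies on. Every other script in this patch uses `# shellcheck source=../../lib/main.sh`; this one should match. It is exactly the kind of copy-paste drift a formatter pass does not catch, so fixing it while the line is being touched is cheap.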
@@ -65,12 +64,12 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi diff --git a/bin/hardening/99.3.2_acc_sudoers_no_all.sh b/bin/hardening/99.3.2_acc_sudoers_no_all.sh index b07d0f8..4438895 100755 --- a/bin/hardening/99.3.2_acc_sudoers_no_all.sh +++ b/bin/hardening/99.3.2_acc_sudoers_no_all.sh @@ -23,7 +23,7 @@ REGEX="ALL = \( ALL( : ALL)? \)( NOPASSWD:)? ALL" EXCEPT="" # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { FILES="" if $SUDO_CMD [ ! -r "$FILE" ]; then crit "$FILE is not readable" 
@@ -35,20 +35,20 @@ audit () { elif $SUDO_CMD [ ! -x "$DIRECTORY" ]; then crit "Cannot browse $DIRECTORY" else - FILES="$FILES $($SUDO_CMD ls -1 $DIRECTORY | sed s=^=$DIRECTORY/= )" + FILES="$FILES $($SUDO_CMD ls -1 $DIRECTORY | sed s=^=$DIRECTORY/=)" fi for file in $FILES; do if $SUDO_CMD [ ! -r "$file" ]; then crit "$file is not readable" else # shellcheck disable=2001 - if ! $SUDO_CMD grep -E "$(echo "$REGEX" | sed 's/ /[[:space:]]*/g')" "$file" &> /dev/null ; then - ok "There is no carte-blanche sudo permission in $file" + if ! $SUDO_CMD grep -E "$(echo "$REGEX" | sed 's/ /[[:space:]]*/g')" "$file" &>/dev/null; then + ok "There is no carte-blanche sudo permission in $file" else # shellcheck disable=2001 - RET=$($SUDO_CMD grep -E "$(echo "$REGEX" | sed 's/ /[[:space:]]*/g')" "$file" | sed 's/\t/#/g;s/ /#/g' ) + RET=$($SUDO_CMD grep -E "$(echo "$REGEX" | sed 's/ /[[:space:]]*/g')" "$file" | sed 's/\t/#/g;s/ /#/g') for line in $RET; do - if grep -q "$(echo "$line" | cut -d '#' -f 1)" <<< "$EXCEPT" ; then + if grep -q "$(echo "$line" | cut -d '#' -f 1)" <<<"$EXCEPT"; then # shellcheck disable=2001 ok "$(echo "$line" | sed 's/#/ /g') is present in $file but was EXCUSED because $(echo "$line" | cut -d '#' -f 1) is part of exceptions." continue @@ -63,7 +63,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { : } @@ -82,12 +82,12 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi 
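Review bot: The exception test on the reformatted line `if grep -q "$(echo "$line" | cut -d '#' -f 1)" <<<"$EXCEPT"; then` uses the sudoers principal as an unanchored regex against the whole exception string, so an exception for `backupadmin` also excuses a carte-blanche rule for `admin` and one for `%admins` excuses `%admin`; `grep -qwF -- "$(echo "$line" | cut -d '#' -f 1)" <<<"$EXCEPT"` restricts it to whole names. The drop-in list is built by parsing `$SUDO_CMD ls -1 $DIRECTORY`, so a file name containing whitespace is split into two paths that are each reported "not readable" instead of being checked; `$SUDO_CMD find "$DIRECTORY" -maxdepth 1 -type f` gives full paths directly. Note also that sudo ignores drop-ins whose name contains a `.` or ends in `~`, while this loop audits them as active — a false positive at worst, but a one-line comment would stop the next reader from "fixing" it the wrong way. audit() ends in the `@@ -63` hunk on this line.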
diff --git a/bin/hardening/99.3.4_acc_logindefs_sha512.sh b/bin/hardening/99.3.4_acc_logindefs_sha512.sh index 7f7d6cc..d4995ac 100755 --- a/bin/hardening/99.3.4_acc_logindefs_sha512.sh +++ b/bin/hardening/99.3.4_acc_logindefs_sha512.sh @@ -19,8 +19,8 @@ CONF_FILE="/etc/login.defs" CONF_LINE="ENCRYPT_METHOD SHA512" # This function will be called if the script status is on enabled / audit mode -audit () { -# Check conf file for default SHA512 hash +audit() { + # Check conf file for default SHA512 hash if $SUDO_CMD [ ! -r $CONF_FILE ]; then crit "$CONF_FILE is not readable" else @@ -34,7 +34,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { does_pattern_exist_in_file $CONF_FILE "^ *${CONF_LINE/ /[[:space:]]+}" if [ "$FNRET" = 0 ]; then ok "$CONF_LINE is present in $CONF_FILE" @@ -47,7 +47,7 @@ apply () { info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" replace_in_file "$CONF_FILE" "^$(echo "$CONF_LINE" | cut -d ' ' -f1)[[:space:]]*.*" "$CONF_LINE" fi - /etc/init.d/ssh reload > /dev/null 2>&1 + /etc/init.d/ssh reload >/dev/null 2>&1 fi } @@ -58,12 +58,12 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi @@ -75,4 +75,3 @@ else echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" exit 128 fi - 
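Review bot: The `@@ -47` hunk of apply() reloads sshd (`/etc/init.d/ssh reload >/dev/null 2>&1`) after editing `/etc/login.defs`, and the preceding `info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"` refers to `$SSH_PARAM`, a variable nothing visible in this file sets — both look copied from the sshd_config scripts. `ENCRYPT_METHOD` is read by the shadow tools at the next password change, not by sshd, so the reload does nothing useful and should go; and if this file runs under `set -u` like `99.3.1_acc_shadow_sha512.sh`, an unset `$SSH_PARAM` aborts the script right where it is about to fix the value (unless it is assigned in the lines between the `@@ -34` and `@@ -47` hunks, which are not shown). `info "Parameter $(echo "$CONF_LINE" | cut -d ' ' -f1) is present but with the wrong value -- Fixing"` reuses what the `replace_in_file` call on the next line already computes. The start of apply() is in the `@@ -34` hunk on this line.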
diff --git a/bin/hardening/99.5.1_ssh_auth_pubk_only.sh b/bin/hardening/99.5.1_ssh_auth_pubk_only.sh index b868897..2f83342 100755 --- a/bin/hardening/99.5.1_ssh_auth_pubk_only.sh +++ b/bin/hardening/99.5.1_ssh_auth_pubk_only.sh @@ -22,7 +22,7 @@ FILE='/etc/ssh/sshd_config' OPTIONS='PubkeyAuthentication=yes PasswordAuthentication=no KbdInteractiveAuthentication=no KerberosAuthentication=no ChallengeResponseAuthentication=no HostbasedAuthentication=no GSSAPIAuthentication=no GSSAPIKeyExchange=no ' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { is_pkg_installed "$PACKAGE" if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" @@ -43,7 +43,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" 
@@ -52,23 +52,23 @@ apply () { apt_install $PACKAGE fi for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) - SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) - PATTERN="^$SSH_PARAM[[:space:]]+$SSH_VALUE" - does_pattern_exist_in_file_nocase $FILE "$PATTERN" - if [ "$FNRET" = 0 ]; then - ok "$PATTERN is present in $FILE" + SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) + SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]+$SSH_VALUE" + does_pattern_exist_in_file_nocase $FILE "$PATTERN" + if [ "$FNRET" = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN is not present in $FILE, adding it" + does_pattern_exist_in_file_nocase $FILE "^$SSH_PARAM" + if [ "$FNRET" != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" else - warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file_nocase $FILE "^$SSH_PARAM" - if [ "$FNRET" != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" - else - info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^$SSH_PARAM[[:space:]]+.*" "$SSH_PARAM $SSH_VALUE" - fi - /etc/init.d/ssh reload > /dev/null 2>&1 + info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]+.*" "$SSH_PARAM $SSH_VALUE" fi + /etc/init.d/ssh reload >/dev/null 2>&1 + fi done } @@ -79,12 +79,12 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi 
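Review bot: In the reformatted apply() loop a missing option is added with `add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"`, which puts it at the very end of sshd_config; if the file already ends with a `Match` block, the new line lands inside that block and applies only to the matched users or hosts (or is rejected by sshd for keywords not permitted under `Match`), while the `^$SSH_PARAM[[:space:]]+$SSH_VALUE` check still reports the option as set globally. Inserting before the first `^Match` line, or validating the effective configuration with `sshd -T` afterwards, is the safer form; at minimum the pattern checks should be limited to the global section. `/etc/init.d/ssh reload >/dev/null 2>&1` also runs once per option inside the `for` loop with its status discarded, so a configuration error introduced by one option is never surfaced; move it after `done`, guard it with `sshd -t`, and keep the status. The same loop body appears in the `99.5.2.3_ssh_cry_rekey.sh` and `99.5.3_ssh_disable_features.sh` apply hunks below (`@@ -67` and `@@ -51`) and needs the same change.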
diff --git a/bin/hardening/99.5.2.3_ssh_cry_rekey.sh b/bin/hardening/99.5.2.3_ssh_cry_rekey.sh index dedda04..f9a6277 100755 --- a/bin/hardening/99.5.2.3_ssh_cry_rekey.sh +++ b/bin/hardening/99.5.2.3_ssh_cry_rekey.sh @@ -23,7 +23,7 @@ OPTIONS='RekeyLimit=512M\s+6h' FILE='/etc/ssh/sshd_config' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { get_debian_major_version set +u debug "Debian version : $DEB_MAJ_VER " @@ -58,7 +58,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" 
@@ -67,24 +67,24 @@ apply () { apt_install $PACKAGE fi for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) - PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file_nocase $FILE "$PATTERN" - if [ "$FNRET" = 0 ]; then - ok "$PATTERN is present in $FILE" + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exist_in_file_nocase $FILE "$PATTERN" + if [ "$FNRET" = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN is not present in $FILE, adding it" + does_pattern_exist_in_file_nocase $FILE "^$SSH_PARAM" + if [ "$FNRET" != 0 ]; then + SSH_VALUE=$(sed 's/\\s+/ /' <<<"$SSH_VALUE") + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" else - warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file_nocase $FILE "^$SSH_PARAM" - if [ "$FNRET" != 0 ]; then - SSH_VALUE=$(sed 's/\\s+/ /' <<< "$SSH_VALUE") - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" - else - info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" - fi - /etc/init.d/ssh reload > /dev/null 2>&1 + info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi + /etc/init.d/ssh reload >/dev/null 2>&1 + fi done } 
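Review bot: In this apply() hunk `SSH_VALUE` is de-escaped only on the add path: `SSH_VALUE=$(sed 's/\\s+/ /' <<<"$SSH_VALUE")` sits inside `if [ "$FNRET" != 0 ]`, so when a `RekeyLimit` line already exists with another value the `replace_in_file` branch writes the raw `512M\s+6h` from `OPTIONS='RekeyLimit=512M\s+6h'` into sshd_config, which sshd will most likely refuse as a bad time value at the following reload — whose errors go to `/dev/null`. Hoist the conversion above the `if`, directly after `SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)`, so both branches write `512M 6h`. The `echo $SSH_OPTION` expansions are unquoted here while the sibling `99.5.1` script quotes them; `echo "$SSH_OPTION"` keeps the two aligned. The `Match`-block and reload-in-loop points raised on the 99.5.1 apply hunk apply here unchanged.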
@@ -96,12 +96,12 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi diff --git a/bin/hardening/99.5.3_ssh_disable_features.sh b/bin/hardening/99.5.3_ssh_disable_features.sh index 3caf400..86104c6 100755 --- a/bin/hardening/99.5.3_ssh_disable_features.sh +++ b/bin/hardening/99.5.3_ssh_disable_features.sh @@ -21,7 +21,7 @@ FILE='/etc/ssh/sshd_config' OPTIONS='AllowAgentForwarding=no AllowTcpForwarding=no AllowStreamLocalForwarding=no PermitTunnel=no PermitUserRC=no GatewayPorts=no' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { is_pkg_installed "$PACKAGE" if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" @@ -42,7 +42,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" 
@@ -51,23 +51,23 @@ apply () { apt_install $PACKAGE fi for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) - SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) - PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file_nocase $FILE "$PATTERN" - if [ "$FNRET" = 0 ]; then - ok "$PATTERN is present in $FILE" + SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) + SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exist_in_file_nocase $FILE "$PATTERN" + if [ "$FNRET" = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN is not present in $FILE, adding it" + does_pattern_exist_in_file_nocase $FILE "^$SSH_PARAM" + if [ "$FNRET" != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" else - warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file_nocase $FILE "^$SSH_PARAM" - if [ "$FNRET" != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" - else - info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" - fi - /etc/init.d/ssh reload > /dev/null 2>&1 + info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi + /etc/init.d/ssh reload >/dev/null 2>&1 + fi done } @@ -79,12 +79,12 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi 
diff --git a/bin/hardening/99.5.4_ssh_keys_from.sh b/bin/hardening/99.5.4_ssh_keys_from.sh index 15fd6f2..9abbf98 100755 --- a/bin/hardening/99.5.4_ssh_keys_from.sh +++ b/bin/hardening/99.5.4_ssh_keys_from.sh @@ -32,17 +32,17 @@ ALLOWED_NOLOGIN_SHELLS="/bin/false /usr/sbin/nologin" check_ip() { file=$1 if [ -z "$ALLOWED_IPS" ]; then - warn "No allowed IPs to treat"; - return ; + warn "No allowed IPs to treat" + return fi - for line in $($SUDO_CMD grep -noP "$REGEX_FROM_IP" "$file" | tr -s " " | sed 's/ /_/g' ); do + for line in $($SUDO_CMD grep -noP "$REGEX_FROM_IP" "$file" | tr -s " " | sed 's/ /_/g'); do linum=$(echo "$line" | cut -d ':' -f 1) ips=$(echo "$line" | cut -d '"' -f 2 | tr ',' ' ') ok_ips_allowed="" bad_ips="" for ip in $ips; do - ip_escaped=$(sed 's/\./\\./g' <<< "$ip") - if grep -qw "$ip_escaped" <<< $ALLOWED_IPS ; then + ip_escaped=$(sed 's/\./\\./g' <<<"$ip") + if grep -qw "$ip_escaped" <<<$ALLOWED_IPS; then debug "Line $linum of $file allows access from exused IP (${ip})." ok_ips_allowed+="$ip " else @@ -50,8 +50,8 @@ check_ip() { bad_ips+="$ip " fi done - ok_ips=$( sed 's/ $//' <<< "${ok_ips_allowed}") - bad_ips=$( sed 's/ $//' <<< "${bad_ips}") + ok_ips=$(sed 's/ $//' <<<"${ok_ips_allowed}") + bad_ips=$(sed 's/ $//' <<<"${bad_ips}") if [[ -z $bad_ips ]]; then if [[ ! -z $ok_ips ]]; then ok "Line $linum of $file allows ssh access only from allowed IPs ($ok_ips)." 
@@ -67,12 +67,15 @@ check_ip() { check_file() { file=$1 - if $SUDO_CMD [ ! -e "$file" ]; then debug "$file does not exist"; return; fi + if $SUDO_CMD [ ! -e "$file" ]; then + debug "$file does not exist" + return + fi if $SUDO_CMD [ -r "$file" ]; then debug "Treating $file" FOUND_AUTHKF=1 - if $SUDO_CMD grep -vqP "$REGEX_OK_LINES" "${file}" ; then - bad_lines="$($SUDO_CMD grep -vnP "$REGEX_OK_LINES" "${file}" | cut -d ':' -f 1 | tr '\n' ' ' | sed 's/ $//' )" + if $SUDO_CMD grep -vqP "$REGEX_OK_LINES" "${file}"; then + bad_lines="$($SUDO_CMD grep -vnP "$REGEX_OK_LINES" "${file}" | cut -d ':' -f 1 | tr '\n' ' ' | sed 's/ $//')" crit "There are anywhere access keys in ${file} at lines (${bad_lines})." else ok "File ${file} is cleared from anywhere access keys." @@ -95,12 +98,12 @@ check_dir() { } # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { # Retrieve authorized_key file pattern from sshd_config if $SUDO_CMD [ ! -r /etc/ssh/sshd_config ]; then crit "/etc/ssh/sshd_config is not readable." else - ret=$($SUDO_CMD grep -iP "^AuthorizedKeysFile" /etc/ssh/sshd_config || echo '#KO' ) + ret=$($SUDO_CMD grep -iP "^AuthorizedKeysFile" /etc/ssh/sshd_config || echo '#KO') if [ "x$ret" = "x#KO" ]; then debug "No AuthorizedKeysFile defined in sshd_config." else @@ -109,7 +112,7 @@ audit () { fi fi - if [ -z "$AUTHKEYFILE_PATTERN" ] ; then + if [ -z "$AUTHKEYFILE_PATTERN" ]; then AUTHKEYFILE_PATTERN=$AUTHKEYFILE_PATTERN_DEFAULT debug "Set default pattern for authorized_keys file." fi 
@@ -124,11 +127,11 @@ audit () { for user in $USERS_TO_CHECK; do # Checking if at least one AuthKeyFile has been found for this user FOUND_AUTHKF=0 - shell=$(getent passwd "$user" | cut -d ':' -f 7); - if grep -q "$shell" <<< "$ALLOWED_NOLOGIN_SHELLS" ; then + shell=$(getent passwd "$user" | cut -d ':' -f 7) + if grep -q "$shell" <<<"$ALLOWED_NOLOGIN_SHELLS"; then continue else - info "User $user has a valid shell ($shell)."; + info "User $user has a valid shell ($shell)." if [ "x$user" = "xroot" ] && [ "$user" != "$EXCEPTION_USER" ]; then check_dir /root continue @@ -146,7 +149,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { : } @@ -167,12 +170,12 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi diff --git a/bin/hardening/99.5.5_ssh_strict_modes.sh b/bin/hardening/99.5.5_ssh_strict_modes.sh index 7ed703b..7ecc148 100755 --- a/bin/hardening/99.5.5_ssh_strict_modes.sh +++ b/bin/hardening/99.5.5_ssh_strict_modes.sh @@ -20,7 +20,7 @@ OPTIONS='StrictModes=yes' FILE='/etc/ssh/sshd_config' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { is_pkg_installed "$PACKAGE" if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" @@ -41,7 +41,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" 
@@ -50,23 +50,23 @@ apply () { apt_install $PACKAGE fi for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) - PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file_nocase $FILE "$PATTERN" - if [ "$FNRET" = 0 ]; then - ok "$PATTERN is present in $FILE" + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exist_in_file_nocase $FILE "$PATTERN" + if [ "$FNRET" = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN is not present in $FILE, adding it" + does_pattern_exist_in_file_nocase $FILE "^$SSH_PARAM" + if [ "$FNRET" != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" else - warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file_nocase $FILE "^$SSH_PARAM" - if [ "$FNRET" != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" - else - info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" - fi - /etc/init.d/ssh reload > /dev/null 2>&1 + info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi + /etc/init.d/ssh reload >/dev/null 2>&1 + fi done } @@ -78,12 +78,12 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi 
diff --git a/bin/hardening/99.5.6_ssh_sys_accept_env.sh b/bin/hardening/99.5.6_ssh_sys_accept_env.sh index 31be884..5c06c57 100755 --- a/bin/hardening/99.5.6_ssh_sys_accept_env.sh +++ b/bin/hardening/99.5.6_ssh_sys_accept_env.sh @@ -22,7 +22,7 @@ PATTERN='^\s*AcceptEnv\s+LANG LC_\*' FILE='/etc/ssh/sshd_config' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { is_pkg_installed "$PACKAGE" if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" @@ -38,7 +38,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" @@ -52,14 +52,14 @@ apply () { else warn "$PATTERN is not present in $FILE, adding it" does_pattern_exist_in_file_nocase $FILE "^$PATTERN" - PATTERN=$( sed 's/\^//' <<< "$PATTERN" | sed -r 's/\\s\*//' | sed -r 's/\\s\+/ /g' | sed 's/\\//g') + PATTERN=$(sed 's/\^//' <<<"$PATTERN" | sed -r 's/\\s\*//' | sed -r 's/\\s\+/ /g' | sed 's/\\//g') if [ "$FNRET" != 0 ]; then add_end_of_file $FILE "$PATTERN" else info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$PATTERN" fi - /etc/init.d/ssh reload > /dev/null 2>&1 + /etc/init.d/ssh reload >/dev/null 2>&1 fi } @@ -70,12 +70,12 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi 
diff --git a/bin/hardening/99.5.7_ssh_sys_no_legacy.sh b/bin/hardening/99.5.7_ssh_sys_no_legacy.sh index eaebfe1..38510bc 100755 --- a/bin/hardening/99.5.7_ssh_sys_no_legacy.sh +++ b/bin/hardening/99.5.7_ssh_sys_no_legacy.sh @@ -16,9 +16,8 @@ DESCRIPTION="Ensure that legacy services rlogin, rlogind and rcp are disabled an SERVICES="rlogin rlogind rcp" # This function will be called if the script status is on enabled / audit mode -audit () { - for SERVICE in $SERVICES - do +audit() { + for SERVICE in $SERVICES; do info "Checking if $SERVICE is enabled and installed" is_service_enabled "$SERVICE" if [ "$FNRET" != 0 ]; then @@ -36,11 +35,10 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { : } - # This function will check config parameters required check_config() { : @@ -48,15 +46,14 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment, cannot source CIS_ROOT_DIR variable, aborting" + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment, cannot source CIS_ROOT_DIR variable, aborting" exit 128 fi - # Main function, will call the proper functions given the configuration (audit, enabled, disabled) if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then # shellcheck source=../../lib/main.sh diff --git a/bin/hardening/99.5.8_ssh_sys_sandbox.sh b/bin/hardening/99.5.8_ssh_sys_sandbox.sh index 07cf929..b4d994a 100755 --- a/bin/hardening/99.5.8_ssh_sys_sandbox.sh +++ b/bin/hardening/99.5.8_ssh_sys_sandbox.sh 
@@ -22,7 +22,7 @@ OPTIONS='UsePrivilegeSeparation=sandbox' FILE='/etc/ssh/sshd_config' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { is_pkg_installed "$PACKAGE" if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" @@ -42,9 +42,8 @@ audit () { fi } - # This function will be called if the script status is on enabled mode -apply () { +apply() { is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" @@ -53,23 +52,23 @@ apply () { apt_install $PACKAGE fi for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) - PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file_nocase $FILE "$PATTERN" - if [ "$FNRET" = 0 ]; then - ok "$PATTERN is present in $FILE" + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exist_in_file_nocase $FILE "$PATTERN" + if [ "$FNRET" = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN is not present in $FILE, adding it" + does_pattern_exist_in_file_nocase $FILE "^$SSH_PARAM" + if [ "$FNRET" != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" else - warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file_nocase $FILE "^$SSH_PARAM" - if [ "$FNRET" != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" - else - info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" - fi - /etc/init.d/ssh reload > /dev/null 2>&1 + info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi + /etc/init.d/ssh reload >/dev/null 2>&1 + fi done } 
@@ -80,12 +79,12 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi diff --git a/bin/hardening/99.5.9_ssh_loglevel.sh b/bin/hardening/99.5.9_ssh_loglevel.sh index f119095..1d33b22 100755 --- a/bin/hardening/99.5.9_ssh_loglevel.sh +++ b/bin/hardening/99.5.9_ssh_loglevel.sh @@ -22,7 +22,7 @@ OPTIONS='LogLevel=VERBOSE' FILE='/etc/ssh/sshd_config' # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { is_pkg_installed "$PACKAGE" if [ "$FNRET" != 0 ]; then crit "$PACKAGE is not installed!" @@ -43,7 +43,7 @@ audit () { } # This function will be called if the script status is on enabled mode -apply () { +apply() { is_pkg_installed "$PACKAGE" if [ "$FNRET" = 0 ]; then ok "$PACKAGE is installed" 
@@ -52,23 +52,23 @@ apply () { apt_install $PACKAGE fi for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) - PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file_nocase $FILE "$PATTERN" - if [ "$FNRET" = 0 ]; then - ok "$PATTERN is present in $FILE" + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exist_in_file_nocase $FILE "$PATTERN" + if [ "$FNRET" = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN is not present in $FILE, adding it" + does_pattern_exist_in_file_nocase $FILE "^$SSH_PARAM" + if [ "$FNRET" != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" else - warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file_nocase $FILE "^$SSH_PARAM" - if [ "$FNRET" != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" - else - info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" - fi - /etc/init.d/ssh reload > /dev/null 2>&1 + info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" fi + /etc/init.d/ssh reload >/dev/null 2>&1 + fi done } @@ -79,12 +79,12 @@ check_config() { # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then -# shellcheck source=../../debian/default + # shellcheck source=../../debian/default . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi 
diff --git a/lib/common.sh b/lib/common.sh index 694421b..c5458bc 100644 --- a/lib/common.sh +++ b/lib/common.sh @@ -11,7 +11,7 @@ backup_file() { crit "Cannot backup $FILE, it's not a file" FNRET=1 else - TARGET=$(echo $FILE | sed -s -e 's/\//./g' -e 's/^.//' -e "s/$/.$(date +%F-%H_%M_%S)/" ) + TARGET=$(echo $FILE | sed -s -e 's/\//./g' -e 's/^.//' -e "s/$/.$(date +%F-%H_%M_%S)/") TARGET="$BACKUPDIR/$TARGET" debug "Backuping $FILE to $TARGET" cp -a $FILE $TARGET @@ -19,29 +19,29 @@ backup_file() { fi } - # # Logging functions # case $LOGLEVEL in - error ) - MACHINE_LOG_LEVEL=1 - ;; - warning ) - MACHINE_LOG_LEVEL=2 - ;; - ok ) - MACHINE_LOG_LEVEL=3 - ;; - info ) - MACHINE_LOG_LEVEL=4 - ;; - debug ) - MACHINE_LOG_LEVEL=5 - ;; - *) - MACHINE_LOG_LEVEL=4 ## Default loglevel value to info +error) + MACHINE_LOG_LEVEL=1 + ;; +warning) + MACHINE_LOG_LEVEL=2 + ;; +ok) + MACHINE_LOG_LEVEL=3 + ;; +info) + MACHINE_LOG_LEVEL=4 + ;; +debug) + MACHINE_LOG_LEVEL=5 + ;; +*) + MACHINE_LOG_LEVEL=4 ## Default loglevel value to info + ;; esac _logger() { @@ -59,23 +59,23 @@ becho() { builtin echo "$toprint" } -cecho () { +cecho() { COLOR=$1 shift builtin echo -e "${COLOR}$*${NC}" } -crit () { +crit() { if [ ${BATCH_MODE:-0} -eq 1 ]; then BATCH_OUTPUT="$BATCH_OUTPUT KO{$*}" else if [ $MACHINE_LOG_LEVEL -ge 1 ]; then _logger $BRED "[ KO ] $*"; fi fi # This variable incrementation is used to measure failure or success in tests - CRITICAL_ERRORS_NUMBER=$((CRITICAL_ERRORS_NUMBER+1)) + CRITICAL_ERRORS_NUMBER=$((CRITICAL_ERRORS_NUMBER + 1)) } -warn () { +warn() { if [ ${BATCH_MODE:-0} -eq 1 ]; then BATCH_OUTPUT="$BATCH_OUTPUT WARN{$*}" else @@ -83,7 +83,7 @@ warn () { fi } -ok () { +ok() { if [ ${BATCH_MODE:-0} -eq 1 ]; then BATCH_OUTPUT="$BATCH_OUTPUT OK{$*}" else 
@@ -91,25 +91,23 @@ ok () { fi } -info () { - if [ $MACHINE_LOG_LEVEL -ge 4 ]; then _logger '' "[INFO] $*"; fi +info() { + if [ $MACHINE_LOG_LEVEL -ge 4 ]; then _logger '' "[INFO] $*"; fi } -debug () { +debug() { if [ $MACHINE_LOG_LEVEL -ge 5 ]; then _logger $GRAY "[DBG ] $*"; fi } - # # sudo wrapper # issue crit state if not allowed to perform sudo # for the specified command # sudo_wrapper() { - if sudo -l "$@" >/dev/null 2>&1 ; then + if sudo -l "$@" >/dev/null 2>&1; then sudo -n "$@" else crit "Not allowed to \"sudo -n $*\" " fi } - diff --git a/lib/constants.sh b/lib/constants.sh index b11c6ac..1d12301 100644 --- a/lib/constants.sh +++ b/lib/constants.sh @@ -14,10 +14,10 @@ WHITE='\033[0m' RED='\033[0;31m' GREEN='\033[0;32m' YELLOW='\033[0;33m' -GRAY='\033[0;40m' # Gray +GRAY='\033[0;40m' # Gray # Bold -BRED='\033[1;31m' # Red -BGREEN='\033[1;32m' # Green -BYELLOW='\033[1;33m' # Yellow -BWHITE='\033[1;37m' # White +BRED='\033[1;31m' # Red +BGREEN='\033[1;32m' # Green +BYELLOW='\033[1;33m' # Yellow +BWHITE='\033[1;37m' # White diff --git a/lib/main.sh b/lib/main.sh index 6c427ef..0a81ae8 100644 --- a/lib/main.sh +++ b/lib/main.sh @@ -11,10 +11,10 @@ status="" forcedstatus="" SUDO_CMD="" -[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh +[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh [ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg -[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh -[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh +[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh +[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh # Environment Sanitizing export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' 
@@ -23,11 +23,11 @@ export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' while [[ $# > 0 ]]; do ARG="$1" case $ARG in - --audit-all) - debug "Audit all specified, setting status to audit regardless of configuration" - forcedstatus=auditall + --audit-all) + debug "Audit all specified, setting status to audit regardless of configuration" + forcedstatus=auditall ;; - --audit) + --audit) if [ "$status" != 'disabled' -a "$status" != 'false' ]; then debug "Audit argument detected, setting status to audit" forcedstatus=audit @@ -35,21 +35,21 @@ while [[ $# > 0 ]]; do info "Audit argument passed but script is disabled" fi ;; - --create-config-files-only) - debug "Create config files" - forcedstatus=createconfig + --create-config-files-only) + debug "Create config files" + forcedstatus=createconfig ;; - --sudo) + --sudo) SUDO_CMD="sudo_wrapper" ;; - --batch) - debug "Auditing in batch mode, will limit output by setting LOGLEVEL to 'ok'." - BATCH_MODE=1 - LOGLEVEL=ok - [ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh + --batch) + debug "Auditing in batch mode, will limit output by setting LOGLEVEL to 'ok'." + BATCH_MODE=1 + LOGLEVEL=ok + [ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh ;; - *) - debug "Unknown option passed" + *) + debug "Unknown option passed" ;; esac shift 
@@ -59,20 +59,20 @@ info "Working on $SCRIPT_NAME" info "[DESCRIPTION] $DESCRIPTION" # Source specific configuration file -if ! [ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] ; then +if ! [ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ]; then # If it doesn't exist, create it with default values - echo "# Configuration for $SCRIPT_NAME, created from default values on `date`" > $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg + echo "# Configuration for $SCRIPT_NAME, created from default values on $(date)" >$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg # If create_config is a defined function, execute it. # Otherwise, just disable the test by default. - if type -t create_config | grep -qw function ; then - create_config >> $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg + if type -t create_config | grep -qw function; then + create_config >>$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg else - echo "status=audit" >> $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg + echo "status=audit" >>$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg fi fi -if [ "$forcedstatus" = "createconfig" ] ; then +if [ "$forcedstatus" = "createconfig" ]; then debug "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg has been created" exit 0 fi @@ -80,10 +80,10 @@ fi [ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] && . $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg # Now check configured value for status, and potential cmdline parameter -if [ "$forcedstatus" = "auditall" ] ; then +if [ "$forcedstatus" = "auditall" ]; then # We want to audit even disabled script, so override config value in any case status=audit -elif [ "$forcedstatus" = "audit" ] ; then +elif [ "$forcedstatus" = "audit" ]; then # We want to audit only enabled scripts if [ "$status" != 'disabled' -a "$status" != 'false' ]; then debug "Audit argument detected, setting status to audit" 
@@ -99,29 +99,28 @@ if [ -z $status ]; then exit 2 fi - case $status in - enabled | true ) - info "Checking Configuration" - check_config - info "Performing audit" - audit # Perform audit - info "Applying Hardening" - apply # Perform hardening - ;; - audit ) - info "Checking Configuration" - check_config - info "Performing audit" - audit # Perform audit - ;; - disabled | false ) - info "$SCRIPT_NAME is disabled, ignoring" - exit 2 # Means unknown status - ;; - *) - warn "Wrong value for status : $status. Must be [ enabled | true | audit | disabled | false ]" - ;; +enabled | true) + info "Checking Configuration" + check_config + info "Performing audit" + audit # Perform audit + info "Applying Hardening" + apply # Perform hardening + ;; +audit) + info "Checking Configuration" + check_config + info "Performing audit" + audit # Perform audit + ;; +disabled | false) + info "$SCRIPT_NAME is disabled, ignoring" + exit 2 # Means unknown status + ;; +*) + warn "Wrong value for status : $status. Must be [ enabled | true | audit | disabled | false ]" + ;; esac if [ $CRITICAL_ERRORS_NUMBER -eq 0 ]; then diff --git a/lib/shellfmt/launch_shellfmt.sh b/lib/shellfmt/launch_shellfmt.sh new file mode 100755 index 0000000..4bea65d --- /dev/null +++ b/lib/shellfmt/launch_shellfmt.sh @@ -0,0 +1,23 @@ +#!/bin/bash +# run-shellcheck + +if [ ! -f tmp/shfmt ]; then + wget -O tmp/shfmt https://github.com/mvdan/sh/releases/download/v3.2.0/shfmt_v3.2.0_linux_amd64 +fi + +chmod +x tmp/shfmt + +files="" +retval=0 + +if [ "$#" -eq 0 ]; then + files=$(find . -name "*.sh" | sort -V) +else + files="$*" +fi + +for f in $files; do + ./tmp/shfmt -l -i 4 -w "$f" +done + +exit "$retval" diff --git a/lib/utils.sh b/lib/utils.sh index 76544ce..a3828ed 100644 --- a/lib/utils.sh +++ b/lib/utils.sh @@ -4,7 +4,7 @@ # run-shellcheck # -# Sysctl +# Sysctl # has_sysctl_param_expected_result() { 
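Review bot: The new lib/shellfmt/launch_shellfmt.sh fetches the shfmt release binary with wget, then chmods and executes it with no integrity check, and since the script has no `set -e` and does not test wget's status, a failed or truncated download leaves a tmp/shfmt that passes the `-f` test and is executed on the next run. Pin the expected SHA-256 of the release asset and verify it before moving the file into place, downloading to a temporary name so a partial file never satisfies the existence check (the digest in the excerpt below is a placeholder to be filled from the published release checksum). `retval` is initialised to 0 but never updated, so `exit "$retval"` always reports success even when shfmt fails on a file; `./tmp/shfmt -l -i 4 -w "$f" || retval=1` makes the exit status usable as a CI gate. The tmp/ directory is assumed to exist, so `mkdir -p tmp` before the download avoids a wget failure on a fresh checkout, and the header comment `# run-shellcheck` appears to be copied from the shellcheck launcher and should name this script's purpose instead.
```shell
# … unchanged: shebang …
readonly SHFMT_URL='https://github.com/mvdan/sh/releases/download/v3.2.0/shfmt_v3.2.0_linux_amd64'
readonly SHFMT_SHA256='<PLACEHOLDER: published sha256 of shfmt_v3.2.0_linux_amd64>'

mkdir -p tmp
if [ ! -f tmp/shfmt ]; then
    # Download to a temporary name so a partial file never satisfies the -f test above.
    wget -O tmp/shfmt.tmp "$SHFMT_URL" || { rm -f tmp/shfmt.tmp; exit 1; }
    # Refuse to run a binary whose digest does not match the pinned release checksum.
    if ! printf '%s  tmp/shfmt.tmp\n' "$SHFMT_SHA256" | sha256sum -c --quiet -; then
        echo "shfmt download failed integrity verification" >&2
        rm -f tmp/shfmt.tmp
        exit 1
    fi
    mv tmp/shfmt.tmp tmp/shfmt
fi
chmod +x tmp/shfmt

# … unchanged: files / retval initialisation and file selection …

for f in $files; do
    # Record any formatter failure so the exit status reflects it.
    ./tmp/shfmt -l -i 4 -w "$f" || retval=1
done

exit "$retval"
```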
@@ -24,14 +24,13 @@ has_sysctl_param_expected_result() { does_sysctl_param_exists() { local SYSCTL_PARAM=$1 - if [ "$($SUDO_CMD sysctl -a 2>/dev/null |grep "$SYSCTL_PARAM" -c)" = 0 ]; then + if [ "$($SUDO_CMD sysctl -a 2>/dev/null | grep "$SYSCTL_PARAM" -c)" = 0 ]; then FNRET=1 else FNRET=0 fi } - set_sysctl_param() { local SYSCTL_PARAM=$1 local VALUE=$2 @@ -48,7 +47,7 @@ set_sysctl_param() { } # -# Dmesg +# Dmesg # does_pattern_exist_in_dmesg() { @@ -61,7 +60,7 @@ does_pattern_exist_in_dmesg() { } # -# File +# File # does_file_exist() { @@ -90,12 +89,12 @@ has_file_correct_ownership() { has_file_correct_permissions() { local FILE=$1 local PERMISSIONS=$2 - + if [ $($SUDO_CMD stat -L -c "%a" $FILE) = "$PERMISSIONS" ]; then FNRET=0 else FNRET=1 - fi + fi } does_pattern_exist_in_file_nocase() { @@ -114,7 +113,7 @@ _does_pattern_exist_in_file() { local PATTERN="$*" debug "Checking if $PATTERN is present in $FILE" - if $SUDO_CMD [ -r "$FILE" ] ; then + if $SUDO_CMD [ -r "$FILE" ]; then debug "$SUDO_CMD grep -q $OPTIONS -- '$PATTERN' $FILE" if $($SUDO_CMD grep -q $OPTIONS -- "$PATTERN" $FILE); then debug "Pattern found in $FILE" @@ -145,9 +144,9 @@ does_pattern_exist_in_file_multiline() { local PATTERN="$*" debug "Checking if multiline pattern: $PATTERN is present in $FILE" - if $SUDO_CMD [ -r "$FILE" ] ; then + if $SUDO_CMD [ -r "$FILE" ]; then debug "$SUDO_CMD grep -v '^[[:space:]]*#' $FILE | tr '\n' ' ' | grep -Pq -- "$PATTERN"" - if $($SUDO_CMD grep -v '^[[:space:]]*#' $FILE | tr '\n' ' ' | grep -Pq -- "$PATTERN" ); then + if $($SUDO_CMD grep -v '^[[:space:]]*#' $FILE | tr '\n' ' ' | grep -Pq -- "$PATTERN"); then debug "Pattern found in $FILE" FNRET=0 else @@ -166,9 +165,9 @@ add_end_of_file() { debug "Adding $LINE at the end of $FILE" backup_file "$FILE" - echo "$LINE" >> $FILE + echo "$LINE" >>$FILE } - + add_line_file_before_pattern() { local FILE=$1 local LINE=$2 
@@ -176,7 +175,7 @@ add_line_file_before_pattern() { backup_file "$FILE" debug "Inserting $LINE before $PATTERN in $FILE" - PATTERN=$(sed 's@/@\\\/@g' <<< $PATTERN) + PATTERN=$(sed 's@/@\\\/@g' <<<$PATTERN) debug "sed -i '/$PATTERN/i $LINE' $FILE" sed -i "/$PATTERN/i $LINE" $FILE FNRET=0 @@ -189,7 +188,7 @@ replace_in_file() { backup_file "$FILE" debug "Replacing $SOURCE to $DESTINATION in $FILE" - SOURCE=$(sed 's@/@\\\/@g' <<< $SOURCE) + SOURCE=$(sed 's@/@\\\/@g' <<<$SOURCE) debug "sed -i 's/$SOURCE/$DESTINATION/g' $FILE" sed -i "s/$SOURCE/$DESTINATION/g" $FILE FNRET=0 @@ -201,7 +200,7 @@ delete_line_in_file() { backup_file "$FILE" debug "Deleting lines from $FILE containing $PATTERN" - PATTERN=$(sed 's@/@\\\/@g' <<< $PATTERN) + PATTERN=$(sed 's@/@\\\/@g' <<<$PATTERN) debug "sed -i '/$PATTERN/d' $FILE" sed -i "/$PATTERN/d" $FILE FNRET=0 @@ -244,7 +243,6 @@ is_service_enabled() { fi } - # # Kernel Options checks # @@ -252,15 +250,15 @@ is_service_enabled() { is_kernel_option_enabled() { local KERNEL_OPTION="$1" local MODULE_NAME="" - if [ $# -ge 2 ] ; then + if [ $# -ge 2 ]; then MODULE_NAME="$2" fi - if $SUDO_CMD [ -r "/proc/config.gz" ] ; then + if $SUDO_CMD [ -r "/proc/config.gz" ]; then RESULT=$($SUDO_CMD zgrep "^$KERNEL_OPTION=" /proc/config.gz) || : - elif $SUDO_CMD [ -r "/boot/config-$(uname -r)" ] ; then + elif $SUDO_CMD [ -r "/boot/config-$(uname -r)" ]; then RESULT=$($SUDO_CMD grep "^$KERNEL_OPTION=" "/boot/config-$(uname -r)") || : fi - ANSWER=$(cut -d = -f 2 <<< "$RESULT") + ANSWER=$(cut -d = -f 2 <<<"$RESULT") if [ "x$ANSWER" = "xy" ]; then debug "Kernel option $KERNEL_OPTION enabled" FNRET=0 
@@ -272,16 +270,16 @@ is_kernel_option_enabled() { FNRET=2 # Not found fi - if $SUDO_CMD [ "$FNRET" -ne 0 -a -n "$MODULE_NAME" -a -d "/lib/modules/$(uname -r)" ] ; then + if $SUDO_CMD [ "$FNRET" -ne 0 -a -n "$MODULE_NAME" -a -d "/lib/modules/$(uname -r)" ]; then # also check in modules, because even if not =y, maybe # the admin compiled it separately later (or out-of-tree) # as a module (regardless of the fact that we have =m or not) debug "Checking if we have $MODULE_NAME.ko" local modulefile=$($SUDO_CMD find "/lib/modules/$(uname -r)/" -type f -name "$MODULE_NAME.ko") - if $SUDO_CMD [ -n "$modulefile" ] ; then + if $SUDO_CMD [ -n "$modulefile" ]; then debug "We do have $modulefile!" # ... but wait, maybe it's blacklisted? check files in /etc/modprobe.d/ for "blacklist xyz" - if grep -qRE "^\s*blacklist\s+$MODULE_NAME\s*$" /etc/modprobe.d/ ; then + if grep -qRE "^\s*blacklist\s+$MODULE_NAME\s*$" /etc/modprobe.d/; then debug "... but it's blacklisted!" FNRET=1 # Not found (found but blacklisted) # FIXME: even if blacklisted, it might be present in the initrd and @@ -359,7 +357,7 @@ add_option_to_fstab() { local OPTION=$2 debug "Setting $OPTION for $PARTITION in fstab" backup_file "/etc/fstab" - # For example : + # For example : # /dev/sda9 /home ext4 auto,acl,errors=remount-ro 0 2 # /dev/sda9 /home ext4 auto,acl,errors=remount-ro,nodev 0 2 debug "Sed command : sed -ie \"s;\(.*\)\(\s*\)\s\($PARTITION\)\s\(\s*\)\(\w*\)\(\s*\)\(\w*\)*;\1\2 \3 \4\5\6\7,$OPTION;\" /etc/fstab" 
@@ -373,17 +371,14 @@ remount_partition() { } # -# APT +# APT # -apt_update_if_needed() -{ - if [ -e /var/cache/apt/pkgcache.bin ] - then - UPDATE_AGE=$(( $(date +%s) - $(stat -c '%Y' /var/cache/apt/pkgcache.bin) )) +apt_update_if_needed() { + if [ -e /var/cache/apt/pkgcache.bin ]; then + UPDATE_AGE=$(($(date +%s) - $(stat -c '%Y' /var/cache/apt/pkgcache.bin))) - if [ $UPDATE_AGE -gt 21600 ] - then + if [ $UPDATE_AGE -gt 21600 ]; then # update too old, refresh database $SUDO_CMD apt-get update -y >/dev/null 2>/dev/null fi @@ -392,12 +387,11 @@ apt_update_if_needed() fi } -apt_check_updates() -{ +apt_check_updates() { local NAME="$1" local DETAILS="/dev/shm/${NAME}" - $SUDO_CMD apt-get upgrade -s 2>/dev/null | grep -E "^Inst" > $DETAILS || : - local COUNT=$(wc -l < "$DETAILS") + $SUDO_CMD apt-get upgrade -s 2>/dev/null | grep -E "^Inst" >$DETAILS || : + local COUNT=$(wc -l <"$DETAILS") FNRET=128 # Unknown function return result RESULT="" # Result output for upgrade if [ $COUNT -gt 0 ]; then @@ -410,22 +404,19 @@ apt_check_updates() rm $DETAILS } -apt_install() -{ +apt_install() { local PACKAGE=$1 DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install $PACKAGE -y FNRET=0 } - # # Returns if a package is installed # -is_pkg_installed() -{ +is_pkg_installed() { PKG_NAME=$1 - if $(dpkg -s $PKG_NAME 2> /dev/null | grep -q '^Status: install ') ; then + if $(dpkg -s $PKG_NAME 2>/dev/null | grep -q '^Status: install '); then debug "$PKG_NAME is installed" FNRET=0 else @@ -434,11 +425,9 @@ is_pkg_installed() fi } - # Returns Debian major version -get_debian_major_version() -{ +get_debian_major_version() { DEB_MAJ_VER="" does_file_exist /etc/debian_version if [ $FNRET ]; then @@ -447,4 +436,3 @@ get_debian_major_version() DEB_MAJ_VER=$(lsb_release -r | cut -f2 | cut -d '.' -f 1) fi } - 
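Review bot: `local DETAILS="/dev/shm/${NAME}"` is a predictable file name in a world-writable directory and `>$DETAILS` truncates whatever is at that path; when the script itself runs as root, a local user who pre-creates `/dev/shm/<name>` as a symlink gets an arbitrary file truncated and overwritten with the apt output. Use a private temporary file instead: `local DETAILS; DETAILS=$(mktemp) || { FNRET=128; return; }`, and remove it with `rm -f -- "$DETAILS"`. Alternatively drop the file entirely by capturing the `grep -E "^Inst"` output into a variable and counting it with `grep -c`. The remainder of apt_check_updates, including the `rm $DETAILS` cleanup, is in the next hunk.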
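Review bot: `if $(dpkg -s $PKG_NAME 2>/dev/null | grep -q '^Status: install '); then` runs the output of the command substitution as a command; it only works because `grep -q` prints nothing and bash then reports the substitution's exit status (ShellCheck SC2091), and the unquoted `$PKG_NAME` is word-split and globbed. Write the pipeline directly: `if dpkg -s "$PKG_NAME" 2>/dev/null | grep -q '^Status: install '; then`. `PKG_NAME=$1` is also assigned without `local`, unlike `local PACKAGE=$1` in apt_install just above, so it persists in the caller's scope after the call. is_pkg_installed's `else` branch and closing brace continue into the following hunk.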
diff --git a/shellcheck/docker_build_and_run_shellcheck.sh b/shellcheck/docker_build_and_run_shellcheck.sh index b85682c..a9c7005 100755 --- a/shellcheck/docker_build_and_run_shellcheck.sh +++ b/shellcheck/docker_build_and_run_shellcheck.sh @@ -7,4 +7,3 @@ set -e dockerfile="$(dirname "$0")/Dockerfile.shellcheck" docker build -f "$dockerfile" -t debiancis-shellcheck "$(dirname "$0")"/../ docker run --rm debiancis-shellcheck "$@" - diff --git a/shellcheck/launch_shellcheck.sh b/shellcheck/launch_shellcheck.sh index 68d0659..c75aa02 100755 --- a/shellcheck/launch_shellcheck.sh +++ b/shellcheck/launch_shellcheck.sh @@ -6,7 +6,7 @@ files="" retval=0 if [ $# -eq 0 ]; then - files=$(find . -name "*.sh" | sort -V ) + files=$(find . -name "*.sh" | sort -V) else files="$*" fi diff --git a/tests/docker_build_and_run_tests.sh b/tests/docker_build_and_run_tests.sh index 4a816f3..588fea3 100755 --- a/tests/docker_build_and_run_tests.sh +++ b/tests/docker_build_and_run_tests.sh @@ -12,7 +12,7 @@ if [ $# -gt 0 ]; then shift fi fi -if [ -z "$target" ] ; then +if [ -z "$target" ]; then echo "Usage: $0 [test_script...]" >&2 echo -n "Supported targets are: " >&2 #ls -1v "$(dirname "$0")"/docker/Dockerfile.* | sed -re 's=^.+/Dockerfile\.==' | tr "\n" " " >&2 @@ -21,15 +21,12 @@ if [ -z "$target" ] ; then exit 1 fi - dockerfile="$(dirname "$0")"/docker/Dockerfile.${target} -if [ ! -f "$dockerfile" ] ; then - echo "ERROR: No target available for $target" >&2 +if [ ! -f "$dockerfile" ]; then + echo "ERROR: No target available for $target" >&2 exit 1 fi - docker build -f "$dockerfile" -t "debian_cis_test:${target}" "$(dirname "$0")"/../ docker run --rm debian_cis_test:"${target}" "$@" - diff --git a/tests/hardening/1.1.1.1_disable_freevxfs.sh b/tests/hardening/1.1.1.1_disable_freevxfs.sh index 14fd16c..5195a49 100644 --- a/tests/hardening/1.1.1.1_disable_freevxfs.sh +++ b/tests/hardening/1.1.1.1_disable_freevxfs.sh 
@@ -4,13 +4,13 @@ test_audit() { if [ -f "/.dockerenv" ]; then skip "SKIPPED on docker" else - describe Running on blank host - register_test retvalshouldbe 0 - dismiss_count_for_test - # shellcheck disable=2154 - run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + describe Running on blank host + register_test retvalshouldbe 0 + dismiss_count_for_test + # shellcheck disable=2154 + run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all fi - + ################################################################## # For this test, we only check that it runs properly on a blank # # host, and we check root/sudo consistency. But, we don't test # diff --git a/tests/hardening/1.1.1.2_disable_jffs2.sh b/tests/hardening/1.1.1.2_disable_jffs2.sh index 2fa4239..5195a49 100644 --- a/tests/hardening/1.1.1.2_disable_jffs2.sh +++ b/tests/hardening/1.1.1.2_disable_jffs2.sh @@ -4,11 +4,11 @@ test_audit() { if [ -f "/.dockerenv" ]; then skip "SKIPPED on docker" else - describe Running on blank host - register_test retvalshouldbe 0 - dismiss_count_for_test - # shellcheck disable=2154 - run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + describe Running on blank host + register_test retvalshouldbe 0 + dismiss_count_for_test + # shellcheck disable=2154 + run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all fi ################################################################## diff --git a/tests/hardening/1.1.1.3_disable_hfs.sh b/tests/hardening/1.1.1.3_disable_hfs.sh index 2fa4239..5195a49 100644 --- a/tests/hardening/1.1.1.3_disable_hfs.sh +++ b/tests/hardening/1.1.1.3_disable_hfs.sh 
@@ -4,11 +4,11 @@ test_audit() { if [ -f "/.dockerenv" ]; then skip "SKIPPED on docker" else - describe Running on blank host - register_test retvalshouldbe 0 - dismiss_count_for_test - # shellcheck disable=2154 - run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + describe Running on blank host + register_test retvalshouldbe 0 + dismiss_count_for_test + # shellcheck disable=2154 + run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all fi ################################################################## diff --git a/tests/hardening/1.1.1.4_disable_hfsplus.sh b/tests/hardening/1.1.1.4_disable_hfsplus.sh index 2fa4239..5195a49 100644 --- a/tests/hardening/1.1.1.4_disable_hfsplus.sh +++ b/tests/hardening/1.1.1.4_disable_hfsplus.sh @@ -4,11 +4,11 @@ test_audit() { if [ -f "/.dockerenv" ]; then skip "SKIPPED on docker" else - describe Running on blank host - register_test retvalshouldbe 0 - dismiss_count_for_test - # shellcheck disable=2154 - run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + describe Running on blank host + register_test retvalshouldbe 0 + dismiss_count_for_test + # shellcheck disable=2154 + run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all fi ################################################################## diff --git a/tests/hardening/1.1.1.5_disable_udf.sh b/tests/hardening/1.1.1.5_disable_udf.sh index 4d02f29..5195a49 100644 --- a/tests/hardening/1.1.1.5_disable_udf.sh +++ b/tests/hardening/1.1.1.5_disable_udf.sh 
@@ -4,11 +4,11 @@ test_audit() { if [ -f "/.dockerenv" ]; then skip "SKIPPED on docker" else - describe Running on blank host - register_test retvalshouldbe 0 - dismiss_count_for_test - # shellcheck disable=2154 - run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + describe Running on blank host + register_test retvalshouldbe 0 + dismiss_count_for_test + # shellcheck disable=2154 + run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all fi ################################################################## @@ -18,4 +18,3 @@ test_audit() { # long to test and not very useful. # ################################################################## } - diff --git a/tests/hardening/1.1.1.6_disable_cramfs.sh b/tests/hardening/1.1.1.6_disable_cramfs.sh index 2fa4239..5195a49 100644 --- a/tests/hardening/1.1.1.6_disable_cramfs.sh +++ b/tests/hardening/1.1.1.6_disable_cramfs.sh @@ -4,11 +4,11 @@ test_audit() { if [ -f "/.dockerenv" ]; then skip "SKIPPED on docker" else - describe Running on blank host - register_test retvalshouldbe 0 - dismiss_count_for_test - # shellcheck disable=2154 - run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + describe Running on blank host + register_test retvalshouldbe 0 + dismiss_count_for_test + # shellcheck disable=2154 + run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all fi ################################################################## diff --git a/tests/hardening/1.1.1.7_disable_squashfs.sh b/tests/hardening/1.1.1.7_disable_squashfs.sh index 4d02f29..5195a49 100644 --- a/tests/hardening/1.1.1.7_disable_squashfs.sh +++ b/tests/hardening/1.1.1.7_disable_squashfs.sh 
@@ -4,11 +4,11 @@ test_audit() { if [ -f "/.dockerenv" ]; then skip "SKIPPED on docker" else - describe Running on blank host - register_test retvalshouldbe 0 - dismiss_count_for_test - # shellcheck disable=2154 - run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + describe Running on blank host + register_test retvalshouldbe 0 + dismiss_count_for_test + # shellcheck disable=2154 + run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all fi ################################################################## @@ -18,4 +18,3 @@ test_audit() { # long to test and not very useful. # ################################################################## } - diff --git a/tests/hardening/1.1.21_sticky_bit_world_writable_folder.sh b/tests/hardening/1.1.21_sticky_bit_world_writable_folder.sh index 609e7a9..23aa02d 100755 --- a/tests/hardening/1.1.21_sticky_bit_world_writable_folder.sh +++ b/tests/hardening/1.1.21_sticky_bit_world_writable_folder.sh @@ -1,11 +1,11 @@ # shellcheck shell=bash # run-shellcheck test_audit() { - describe Running on blank host - register_test retvalshouldbe 0 - register_test contain "All world writable directories have a sticky bit" - # shellcheck disable=2154 - run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + describe Running on blank host + register_test retvalshouldbe 0 + register_test contain "All world writable directories have a sticky bit" + # shellcheck disable=2154 + run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all if [ -f "/.dockerenv" ]; then skip "SKIPPED on docker" else @@ -18,7 +18,7 @@ test_audit() { run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all describe correcting situation - sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg /opt/debian-cis/bin/hardening/"${script}".sh --apply || true describe Checking resolved state 
diff --git a/tests/hardening/1.5.1_restrict_core_dumps.sh b/tests/hardening/1.5.1_restrict_core_dumps.sh index 56e1d6d..43c5299 100644 --- a/tests/hardening/1.5.1_restrict_core_dumps.sh +++ b/tests/hardening/1.5.1_restrict_core_dumps.sh @@ -4,11 +4,11 @@ test_audit() { if [ -f "/.dockerenv" ]; then skip "SKIPPED on docker" else - describe Running on blank host - register_test retvalshouldbe 0 - dismiss_count_for_test - # shellcheck disable=2154 - run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + describe Running on blank host + register_test retvalshouldbe 0 + dismiss_count_for_test + # shellcheck disable=2154 + run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all # TODO fill comprehensive tests fi diff --git a/tests/hardening/1.6.2.1_enable_apparmor.sh b/tests/hardening/1.6.2.1_enable_apparmor.sh index 599b1d1..01e92a7 100644 --- a/tests/hardening/1.6.2.1_enable_apparmor.sh +++ b/tests/hardening/1.6.2.1_enable_apparmor.sh @@ -11,7 +11,7 @@ test_audit() { run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all describe correcting situation - sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg /opt/debian-cis/bin/hardening/"${script}".sh --apply || true describe Checking resolved state diff --git a/tests/hardening/2.2.1.1_use_time_sync.sh b/tests/hardening/2.2.1.1_use_time_sync.sh index 1f26e20..e64e063 100644 --- a/tests/hardening/2.2.1.1_use_time_sync.sh +++ b/tests/hardening/2.2.1.1_use_time_sync.sh @@ -18,4 +18,3 @@ test_audit() { register_test contain "Time synchronization is available through" run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all } - diff --git a/tests/hardening/3.1.1_disable_ip_forwarding.sh b/tests/hardening/3.1.1_disable_ip_forwarding.sh index 1346bee..c308095 100644 --- a/tests/hardening/3.1.1_disable_ip_forwarding.sh +++ b/tests/hardening/3.1.1_disable_ip_forwarding.sh 
@@ -17,7 +17,7 @@ test_audit() { run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all describe correcting situation - sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg /opt/debian-cis/bin/hardening/"${script}".sh --apply || true describe Checking resolved state diff --git a/tests/hardening/4.1.1.2_halt_when_audit_log_full.sh b/tests/hardening/4.1.1.2_halt_when_audit_log_full.sh index 433d518..5ca43b6 100644 --- a/tests/hardening/4.1.1.2_halt_when_audit_log_full.sh +++ b/tests/hardening/4.1.1.2_halt_when_audit_log_full.sh @@ -12,7 +12,7 @@ test_audit() { describe Correcting situation sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg # to avoid error during auditd installation in 4.1.1.2, only necessary during tests - sed -i "s/OPTIONS='/OPTIONS='space_left=100 admin_space_left=50 /" /opt/debian-cis/etc/conf.d/"${script}".cfg + sed -i "s/OPTIONS='/OPTIONS='space_left=100 admin_space_left=50 /" /opt/debian-cis/etc/conf.d/"${script}".cfg /opt/debian-cis/bin/hardening/"${script}".sh || true describe Checking resolved state diff --git a/tests/hardening/4.1.11_record_failed_access_file.sh b/tests/hardening/4.1.11_record_failed_access_file.sh index 323c47d..39aea0b 100644 --- a/tests/hardening/4.1.11_record_failed_access_file.sh +++ b/tests/hardening/4.1.11_record_failed_access_file.sh @@ -7,7 +7,6 @@ test_audit() { # shellcheck disable=2154 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - describe Correcting situation sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg /opt/debian-cis/bin/hardening/"${script}".sh || true @@ -21,4 +20,3 @@ test_audit() { run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all } - diff --git a/tests/hardening/4.1.12_record_privileged_commands.sh b/tests/hardening/4.1.12_record_privileged_commands.sh index 9665e1e..f189e40 100644 
--- a/tests/hardening/4.1.12_record_privileged_commands.sh +++ b/tests/hardening/4.1.12_record_privileged_commands.sh @@ -7,7 +7,6 @@ test_audit() { # shellcheck disable=2154 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - describe Correcting situation sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg /opt/debian-cis/bin/hardening/"${script}".sh || true diff --git a/tests/hardening/4.1.15_record_sudoers_edit.sh b/tests/hardening/4.1.15_record_sudoers_edit.sh index 0469235..7cd8c4c 100644 --- a/tests/hardening/4.1.15_record_sudoers_edit.sh +++ b/tests/hardening/4.1.15_record_sudoers_edit.sh @@ -7,13 +7,13 @@ test_audit() { # shellcheck disable=2154 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - describe Correcting situation + describe Correcting situation sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg /opt/debian-cis/bin/hardening/"${script}".sh || true describe Checking resolved state register_test retvalshouldbe 0 register_test contain "[ OK ] -w /etc/sudoers -p wa -k sudoers is present in /etc/audit/audit.rules" - register_test contain "[ OK ] -w /etc/sudoers.d/ -p wa -k sudoers is present in /etc/audit/audit.rules" + register_test contain "[ OK ] -w /etc/sudoers.d/ -p wa -k sudoers is present in /etc/audit/audit.rules" run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all } diff --git a/tests/hardening/4.1.5_record_user_group_edit.sh b/tests/hardening/4.1.5_record_user_group_edit.sh index 093f063..08e699a 100644 --- a/tests/hardening/4.1.5_record_user_group_edit.sh +++ b/tests/hardening/4.1.5_record_user_group_edit.sh 
@@ -14,7 +14,7 @@ test_audit() { describe Checking resolved state register_test retvalshouldbe 0 register_test contain "[ OK ] -w /etc/group -p wa -k identity is present in /etc/audit/audit.rules" - register_test contain "[ OK ] -w /etc/passwd -p wa -k identity is present in /etc/audit/audit.rules" + register_test contain "[ OK ] -w /etc/passwd -p wa -k identity is present in /etc/audit/audit.rules" register_test contain "[ OK ] -w /etc/gshadow -p wa -k identity is present in /etc/audit/audit.rules" register_test contain "[ OK ] -w /etc/shadow -p wa -k identity is present in /etc/audit/audit.rules" register_test contain "[ OK ] -w /etc/security/opasswd -p wa -k identity is present in /etc/audit/audit.rules" diff --git a/tests/hardening/4.1.8_record_login_logout.sh b/tests/hardening/4.1.8_record_login_logout.sh index 9f2d3df..f13729f 100644 --- a/tests/hardening/4.1.8_record_login_logout.sh +++ b/tests/hardening/4.1.8_record_login_logout.sh @@ -7,7 +7,6 @@ test_audit() { # shellcheck disable=2154 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - describe Correcting situation sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg /opt/debian-cis/bin/hardening/"${script}".sh || true diff --git a/tests/hardening/4.2.2.4_syslog-ng_remote_host.sh b/tests/hardening/4.2.2.4_syslog-ng_remote_host.sh index 3c4ffec..2159707 100644 --- a/tests/hardening/4.2.2.4_syslog-ng_remote_host.sh +++ b/tests/hardening/4.2.2.4_syslog-ng_remote_host.sh 
@@ -9,16 +9,15 @@ test_audit() { cp -a /etc/syslog-ng/syslog-ng.conf /tmp/syslog-ng.conf.bak - echo "destination mySyslog tcp (\"syslog.example.tld\")" >> /etc/syslog-ng/syslog-ng.conf + echo "destination mySyslog tcp (\"syslog.example.tld\")" >>/etc/syslog-ng/syslog-ng.conf grep syslog.example.tld /etc/syslog-ng/syslog-ng.conf describe Checking one line conf register_test retvalshouldbe 0 run oneline /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - cp -a /tmp/syslog-ng.conf.bak /etc/syslog-ng/syslog-ng.conf - cat >> /etc/syslog-ng/syslog-ng.conf <>/etc/syslog-ng/syslog-ng.conf </etc/syslog-ng/conf.d/1_tcp_destination - echo "destination mySyslog tcp (\"syslog.example.tld\")" >> /etc/syslog-ng/conf.d/1_tcp_destination + echo "destination mySyslog tcp (\"syslog.example.tld\")" >>/etc/syslog-ng/conf.d/1_tcp_destination cat /etc/syslog-ng/conf.d/1_tcp_destination - describe Checking file in subdirectory register_test retvalshouldbe 0 run subfile /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - - # Cleanup rm /etc/syslog-ng/conf.d/1_tcp_destination diff --git a/tests/hardening/5.1.2_crontab_perm_ownership.sh b/tests/hardening/5.1.2_crontab_perm_ownership.sh index c0351bc..c2cd9d5 100644 --- a/tests/hardening/5.1.2_crontab_perm_ownership.sh +++ b/tests/hardening/5.1.2_crontab_perm_ownership.sh @@ -17,7 +17,7 @@ test_audit() { run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all describe correcting situation - sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg /opt/debian-cis/bin/hardening/"${script}".sh --apply || true describe Tests purposely failing 
@@ -28,7 +28,7 @@ test_audit() { run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all describe correcting situation - sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg /opt/debian-cis/bin/hardening/"${script}".sh --apply || true describe Checking resolved state diff --git a/tests/hardening/5.1.3_cron_hourly_perm_ownership.sh b/tests/hardening/5.1.3_cron_hourly_perm_ownership.sh index 983a443..931506f 100644 --- a/tests/hardening/5.1.3_cron_hourly_perm_ownership.sh +++ b/tests/hardening/5.1.3_cron_hourly_perm_ownership.sh @@ -17,7 +17,7 @@ test_audit() { run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all describe correcting situation - sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg /opt/debian-cis/bin/hardening/"${script}".sh --apply || true describe Tests purposely failing @@ -28,7 +28,7 @@ test_audit() { run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all describe correcting situation - sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg /opt/debian-cis/bin/hardening/"${script}".sh --apply || true describe Checking resolved state diff --git a/tests/hardening/5.1.4_cron_daily_perm_ownership.sh b/tests/hardening/5.1.4_cron_daily_perm_ownership.sh index d531575..5a0481c 100644 --- a/tests/hardening/5.1.4_cron_daily_perm_ownership.sh +++ b/tests/hardening/5.1.4_cron_daily_perm_ownership.sh 
@@ -17,7 +17,7 @@ test_audit() { run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all describe correcting situation - sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg /opt/debian-cis/bin/hardening/"${script}".sh --apply || true describe Tests purposely failing @@ -28,7 +28,7 @@ test_audit() { run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all describe correcting situation - sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg /opt/debian-cis/bin/hardening/"${script}".sh --apply || true describe Checking resolved state diff --git a/tests/hardening/5.1.5_cron_weekly_perm_ownership.sh b/tests/hardening/5.1.5_cron_weekly_perm_ownership.sh index 0523685..3fe2533 100644 --- a/tests/hardening/5.1.5_cron_weekly_perm_ownership.sh +++ b/tests/hardening/5.1.5_cron_weekly_perm_ownership.sh @@ -17,7 +17,7 @@ test_audit() { run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all describe correcting situation - sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg /opt/debian-cis/bin/hardening/"${script}".sh --apply || true describe Tests purposely failing @@ -28,7 +28,7 @@ test_audit() { run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all describe correcting situation - sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg /opt/debian-cis/bin/hardening/"${script}".sh --apply || true describe Checking resolved state diff --git a/tests/hardening/5.1.6_cron_monthly_perm_ownership.sh b/tests/hardening/5.1.6_cron_monthly_perm_ownership.sh index ef8f8b8..9062e34 100644 --- a/tests/hardening/5.1.6_cron_monthly_perm_ownership.sh 
+++ b/tests/hardening/5.1.6_cron_monthly_perm_ownership.sh @@ -17,7 +17,7 @@ test_audit() { run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all describe correcting situation - sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg /opt/debian-cis/bin/hardening/"${script}".sh --apply || true describe Tests purposely failing @@ -28,7 +28,7 @@ test_audit() { run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all describe correcting situation - sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg /opt/debian-cis/bin/hardening/"${script}".sh --apply || true describe Checking resolved state diff --git a/tests/hardening/5.1.7_cron_d_perm_ownership.sh b/tests/hardening/5.1.7_cron_d_perm_ownership.sh index d260985..c8fc1e4 100644 --- a/tests/hardening/5.1.7_cron_d_perm_ownership.sh +++ b/tests/hardening/5.1.7_cron_d_perm_ownership.sh @@ -17,7 +17,7 @@ test_audit() { run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all describe correcting situation - sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg /opt/debian-cis/bin/hardening/"${script}".sh --apply || true describe Tests purposely failing @@ -28,7 +28,7 @@ test_audit() { run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all describe correcting situation - sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg /opt/debian-cis/bin/hardening/"${script}".sh --apply || true describe Checking resolved state diff --git a/tests/hardening/5.1.8_cron_users.sh b/tests/hardening/5.1.8_cron_users.sh index ab0b2c7..d54abc5 100644 --- a/tests/hardening/5.1.8_cron_users.sh +++ b/tests/hardening/5.1.8_cron_users.sh 
@@ -17,7 +17,7 @@ test_audit() { run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all describe correcting situation - sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg /opt/debian-cis/bin/hardening/"${script}".sh --apply || true touch /etc/cron.allow /etc/at.allow @@ -32,7 +32,7 @@ test_audit() { userdel "$test_user" describe correcting situation - sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg /opt/debian-cis/bin/hardening/"${script}".sh --apply || true describe Tests purposely failing @@ -46,7 +46,7 @@ test_audit() { userdel "$test_user" describe correcting situation - sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg /opt/debian-cis/bin/hardening/"${script}".sh --apply || true describe Checking resolved state diff --git a/tests/hardening/5.2.14_ssh_cry_mac.sh b/tests/hardening/5.2.14_ssh_cry_mac.sh index 2b82aee..557832c 100644 --- a/tests/hardening/5.2.14_ssh_cry_mac.sh +++ b/tests/hardening/5.2.14_ssh_cry_mac.sh @@ -20,4 +20,3 @@ test_audit() { register_test contain "[ OK ] ^MACs[[:space:]]*umac-128-etm@openssh.com,umac-64-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128@openssh.com,umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256 is present in /etc/ssh/sshd_config" run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all } - diff --git a/tests/hardening/5.2.15_ssh_cry_kex.sh b/tests/hardening/5.2.15_ssh_cry_kex.sh index 4fae4d6..aa33d69 100644 --- a/tests/hardening/5.2.15_ssh_cry_kex.sh +++ b/tests/hardening/5.2.15_ssh_cry_kex.sh @@ -27,4 +27,3 @@ test_audit() { register_test retvalshouldbe 0 run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all } - 
diff --git a/tests/hardening/5.2.1_sshd_conf_perm_ownership.sh b/tests/hardening/5.2.1_sshd_conf_perm_ownership.sh index d47333f..ad6d2f9 100644 --- a/tests/hardening/5.2.1_sshd_conf_perm_ownership.sh +++ b/tests/hardening/5.2.1_sshd_conf_perm_ownership.sh @@ -17,7 +17,7 @@ test_audit() { run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all describe correcting situation - sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg /opt/debian-cis/bin/hardening/"${script}".sh --apply || true describe Tests purposely failing @@ -28,7 +28,7 @@ test_audit() { run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all describe correcting situation - sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg /opt/debian-cis/bin/hardening/"${script}".sh --apply || true describe Checking resolved state diff --git a/tests/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh b/tests/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh index f123371..531453b 100755 --- a/tests/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh +++ b/tests/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh @@ -19,7 +19,7 @@ test_audit() { run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all describe correcting situation - sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg /opt/debian-cis/bin/hardening/"${script}".sh --apply || true describe Tests purposely failing 
@@ -30,7 +30,7 @@ test_audit() { run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all describe correcting situation - sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg /opt/debian-cis/bin/hardening/"${script}".sh --apply || true describe Checking resolved state diff --git a/tests/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh b/tests/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh index 5da49e7..338794e 100755 --- a/tests/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh +++ b/tests/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh @@ -19,7 +19,7 @@ test_audit() { run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all describe correcting situation - sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg /opt/debian-cis/bin/hardening/"${script}".sh --apply || true describe Tests purposely failing @@ -30,7 +30,7 @@ test_audit() { run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all describe correcting situation - sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg /opt/debian-cis/bin/hardening/"${script}".sh --apply || true describe Checking resolved state diff --git a/tests/hardening/5.2.4_sshd_protocol.sh b/tests/hardening/5.2.4_sshd_protocol.sh index 2072dfa..7705983 100644 --- a/tests/hardening/5.2.4_sshd_protocol.sh +++ b/tests/hardening/5.2.4_sshd_protocol.sh @@ -6,7 +6,7 @@ test_audit() { dismiss_count_for_test # shellcheck disable=2154 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - + describe Correcting situation # `apply` performs a service reload after each change in the config file # the service needs to be started for the reload to succeed 
diff --git a/tests/hardening/5.2.5_sshd_loglevel.sh b/tests/hardening/5.2.5_sshd_loglevel.sh index cc54796..8bb2f88 100644 --- a/tests/hardening/5.2.5_sshd_loglevel.sh +++ b/tests/hardening/5.2.5_sshd_loglevel.sh @@ -6,7 +6,7 @@ test_audit() { dismiss_count_for_test # shellcheck disable=2154 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - + describe Correcting situation # `apply` performs a service reload after each change in the config file # the service needs to be started for the reload to succeed @@ -19,7 +19,7 @@ test_audit() { register_test retvalshouldbe 0 run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - echo "OPTIONS='LogLevel=DEBUG'" >> /opt/debian-cis/etc/conf.d/"${script}".cfg + echo "OPTIONS='LogLevel=DEBUG'" >>/opt/debian-cis/etc/conf.d/"${script}".cfg sed -i 's/LogLevel VERBOSE/LogLevel DEBUG/' /etc/ssh/sshd_config describe Checking custom conf diff --git a/tests/hardening/5.2.7_sshd_maxauthtries.sh b/tests/hardening/5.2.7_sshd_maxauthtries.sh index 9bb8e04..ba28645 100644 --- a/tests/hardening/5.2.7_sshd_maxauthtries.sh +++ b/tests/hardening/5.2.7_sshd_maxauthtries.sh @@ -6,7 +6,7 @@ test_audit() { register_test contain "openssh-server is installed" # shellcheck disable=2154 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - + describe Correcting situation # `apply` performs a service reload after each change in the config file # the service needs to be started for the reload to succeed diff --git a/tests/hardening/5.2.8_enable_sshd_ignorerhosts.sh b/tests/hardening/5.2.8_enable_sshd_ignorerhosts.sh index 7c3044f..8550ec9 100644 --- a/tests/hardening/5.2.8_enable_sshd_ignorerhosts.sh +++ b/tests/hardening/5.2.8_enable_sshd_ignorerhosts.sh 
@@ -19,4 +19,4 @@ test_audit() {
 register_test retvalshouldbe 0
 register_test contain "[ OK ] ^IgnoreRhosts[[:space:]]*yes is present in /etc/ssh/sshd_config"
 run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-}
\ No newline at end of file
+}
diff --git a/tests/hardening/5.3.4_acc_pam_sha512.sh b/tests/hardening/5.3.4_acc_pam_sha512.sh
index 4a0e3d2..400226c 100644
--- a/tests/hardening/5.3.4_acc_pam_sha512.sh
+++ b/tests/hardening/5.3.4_acc_pam_sha512.sh
@@ -7,4 +7,3 @@ test_audit() {
 # shellcheck disable=2154
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
-
diff --git a/tests/hardening/5.4.2_disable_system_accounts.sh b/tests/hardening/5.4.2_disable_system_accounts.sh
index 3488177..ffdff82 100644
--- a/tests/hardening/5.4.2_disable_system_accounts.sh
+++ b/tests/hardening/5.4.2_disable_system_accounts.sh
@@ -9,7 +9,7 @@ test_audit() {
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 describe correcting situation
- sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
 /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
 describe Checking resolved state
diff --git a/tests/hardening/5.4.4_default_umask.sh b/tests/hardening/5.4.4_default_umask.sh
index 2c65ee1..e5466e8 100644
--- a/tests/hardening/5.4.4_default_umask.sh
+++ b/tests/hardening/5.4.4_default_umask.sh
@@ -8,7 +8,7 @@ test_audit() {
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 describe correcting situation
- sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
 /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
 describe Checking resolved state
diff --git a/tests/hardening/6.1.10_find_world_writable_file.sh b/tests/hardening/6.1.10_find_world_writable_file.sh
index f268b76..53b4f33 100755
--- a/tests/hardening/6.1.10_find_world_writable_file.sh
+++ b/tests/hardening/6.1.10_find_world_writable_file.sh
@@ -1,7 +1,7 @@
 # shellcheck shell=bash
 # run-shellcheck
 test_audit() {
-
+
 #run this test only if we're not in docker
 if [ -f "/.dockerenv" ]; then
 skip "SKIPPED on docker"
@@ -21,13 +21,12 @@ test_audit() {
 run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 describe correcting situation
- sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
 /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
 describe Checking resolved state
 register_test retvalshouldbe 0
 register_test contain "No world writable files found"
 run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
- fi
+ fi
 }
-
diff --git a/tests/hardening/6.1.11_find_unowned_files.sh b/tests/hardening/6.1.11_find_unowned_files.sh
index b2d9b09..1bc9094 100755
--- a/tests/hardening/6.1.11_find_unowned_files.sh
+++ b/tests/hardening/6.1.11_find_unowned_files.sh
@@ -24,4 +24,3 @@ test_audit() {
 register_test contain "No unowned files found"
 run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
-
diff --git a/tests/hardening/6.1.12_find_ungrouped_files.sh b/tests/hardening/6.1.12_find_ungrouped_files.sh
index f6bbfd1..04ff6ab 100755
--- a/tests/hardening/6.1.12_find_ungrouped_files.sh
+++ b/tests/hardening/6.1.12_find_ungrouped_files.sh
@@ -16,7 +16,7 @@ test_audit() {
 run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 describe correcting situation
- sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
 /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
 describe Checking resolved state
@@ -24,4 +24,3 @@ test_audit() {
 register_test contain "No ungrouped files found"
 run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
-
diff --git a/tests/hardening/6.1.13_find_suid_files.sh b/tests/hardening/6.1.13_find_suid_files.sh
index 35c14ec..eca7117 100755
--- a/tests/hardening/6.1.13_find_suid_files.sh
+++ b/tests/hardening/6.1.13_find_suid_files.sh
@@ -5,7 +5,7 @@ test_audit() {
 # shellcheck disable=2154
 /opt/debian-cis/bin/hardening/"${script}".sh || true
 # shellcheck disable=2016
- echo 'EXCEPTIONS="$EXCEPTIONS /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/sbin/exim4 /bin/fusermount /usr/lib/eject/dmcrypt-get-device /usr/bin/pkexec /usr/lib/policykit-1/polkit-agent-helper-1"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
+ echo 'EXCEPTIONS="$EXCEPTIONS /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/sbin/exim4 /bin/fusermount /usr/lib/eject/dmcrypt-get-device /usr/bin/pkexec /usr/lib/policykit-1/polkit-agent-helper-1"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
 describe Running on blank host
 register_test retvalshouldbe 0
@@ -29,4 +29,3 @@ test_audit() {
 register_test contain "No unknown suid files found"
 run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
-
diff --git a/tests/hardening/6.1.14_find_sgid_files.sh b/tests/hardening/6.1.14_find_sgid_files.sh
index 6cd67d4..a5b7d52 100755
--- a/tests/hardening/6.1.14_find_sgid_files.sh
+++ b/tests/hardening/6.1.14_find_sgid_files.sh
@@ -5,7 +5,7 @@ test_audit() {
 # shellcheck disable=2154
 /opt/debian-cis/bin/hardening/"${script}".sh || true
 # shellcheck disable=2016
- echo 'EXCEPTIONS="$EXCEPTIONS /usr/bin/dotlock.mailutils /usr/lib/x86_64-linux-gnu/utempter/utempter"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
+ echo 'EXCEPTIONS="$EXCEPTIONS /usr/bin/dotlock.mailutils /usr/lib/x86_64-linux-gnu/utempter/utempter"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
 describe Running on blank host
 register_test retvalshouldbe 0
@@ -30,4 +30,3 @@ test_audit() {
 register_test contain "No unknown sgid files found"
 run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
-
diff --git a/tests/hardening/6.1.5_etc_passwd_permissions.sh b/tests/hardening/6.1.5_etc_passwd_permissions.sh
index f489eda..fa50333 100644
--- a/tests/hardening/6.1.5_etc_passwd_permissions.sh
+++ b/tests/hardening/6.1.5_etc_passwd_permissions.sh
@@ -17,7 +17,7 @@ test_audit() {
 run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 describe correcting situation
- sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
 /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
 describe Tests purposely failing
@@ -28,7 +28,7 @@ test_audit() {
 run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 describe correcting situation
- sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
 /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
 describe Checking resolved state
diff --git a/tests/hardening/6.1.6_etc_shadow_permissions.sh b/tests/hardening/6.1.6_etc_shadow_permissions.sh
index 62e2b47..aefbd50 100644
--- a/tests/hardening/6.1.6_etc_shadow_permissions.sh
+++ b/tests/hardening/6.1.6_etc_shadow_permissions.sh
@@ -17,7 +17,7 @@ test_audit() {
 run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 describe correcting situation
- sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
 /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
 describe Tests purposely failing
@@ -28,7 +28,7 @@ test_audit() {
 run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 describe correcting situation
- sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
 /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
 describe Checking resolved state
diff --git a/tests/hardening/6.1.7_etc_group_permissions.sh b/tests/hardening/6.1.7_etc_group_permissions.sh
index 71ce1d7..6195f11 100644
--- a/tests/hardening/6.1.7_etc_group_permissions.sh
+++ b/tests/hardening/6.1.7_etc_group_permissions.sh
@@ -17,7 +17,7 @@ test_audit() {
 run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 describe correcting situation
- sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
 /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
 describe Tests purposely failing
@@ -28,7 +28,7 @@ test_audit() {
 run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 describe correcting situation
- sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
 /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
 describe Checking resolved state
diff --git a/tests/hardening/6.2.10_check_user_dot_file_perm.sh b/tests/hardening/6.2.10_check_user_dot_file_perm.sh
index e61acea..a74a3c6 100644
--- a/tests/hardening/6.2.10_check_user_dot_file_perm.sh
+++ b/tests/hardening/6.2.10_check_user_dot_file_perm.sh
@@ -10,7 +10,7 @@ test_audit() {
 local test_user="testdotuser"
 local test_file=".test"
- describe Tests purposely failing
+ describe Tests purposely failing
 useradd --create-home "$test_user"
 touch "/home/$test_user/$test_file"
 chmod 777 "/home/$test_user/$test_file"
@@ -20,7 +20,7 @@ test_audit() {
 run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 describe correcting situation
- sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
 /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
 describe Checking resolved state
diff --git a/tests/hardening/6.2.11_find_user_forward_files.sh b/tests/hardening/6.2.11_find_user_forward_files.sh
index 93ee353..47eb581 100644
--- a/tests/hardening/6.2.11_find_user_forward_files.sh
+++ b/tests/hardening/6.2.11_find_user_forward_files.sh
@@ -6,11 +6,11 @@ test_audit() {
 dismiss_count_for_test
 # shellcheck disable=2154
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-
+
 local test_user="testforwarduser"
 local test_file=".forward"
- describe Tests purposely failing
+ describe Tests purposely failing
 useradd --create-home "$test_user"
 touch "/home/$test_user/$test_file"
 register_test retvalshouldbe 1
diff --git a/tests/hardening/6.2.12_find_user_netrc_files.sh b/tests/hardening/6.2.12_find_user_netrc_files.sh
index 7bb7d86..1dce9c8 100644
--- a/tests/hardening/6.2.12_find_user_netrc_files.sh
+++ b/tests/hardening/6.2.12_find_user_netrc_files.sh
@@ -10,7 +10,7 @@ test_audit() {
 local test_user="testnetrcuser"
 local test_file=".netrc"
- describe Tests purposely failing
+ describe Tests purposely failing
 useradd --create-home "$test_user"
 touch "/home/$test_user/$test_file"
 register_test retvalshouldbe 1
diff --git a/tests/hardening/6.2.13_set_perm_on_user_netrc.sh b/tests/hardening/6.2.13_set_perm_on_user_netrc.sh
index 8dd788e..b559652 100644
--- a/tests/hardening/6.2.13_set_perm_on_user_netrc.sh
+++ b/tests/hardening/6.2.13_set_perm_on_user_netrc.sh
@@ -10,7 +10,7 @@ test_audit() {
 local test_user="testnetrcuser"
 local test_file=".netrc"
- describe Tests purposely failing
+ describe Tests purposely failing
 useradd --create-home "$test_user"
 touch "/home/$test_user/$test_file"
 chmod 777 "/home/$test_user/$test_file"
@@ -19,7 +19,7 @@ test_audit() {
 run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 describe correcting situation
- sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
 /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
 describe Checking resolved state
diff --git a/tests/hardening/6.2.14_find_user_rhosts_files.sh b/tests/hardening/6.2.14_find_user_rhosts_files.sh
index 6b769e2..c1aa772 100755
--- a/tests/hardening/6.2.14_find_user_rhosts_files.sh
+++ b/tests/hardening/6.2.14_find_user_rhosts_files.sh
@@ -10,7 +10,7 @@ test_audit() {
 local test_user="testrhostsuser"
 local test_file=".rhosts"
- describe Tests purposely failing
+ describe Tests purposely failing
 useradd --create-home "$test_user"
 touch "/home/$test_user/$test_file"
 register_test retvalshouldbe 1
@@ -19,4 +19,4 @@ test_audit() {
 # cleanup
 userdel -r "$test_user"
-}
\ No newline at end of file
+}
diff --git a/tests/hardening/6.2.15_find_passwd_group_inconsistencies.sh b/tests/hardening/6.2.15_find_passwd_group_inconsistencies.sh
index 8bc6454..6e26efe 100644
--- a/tests/hardening/6.2.15_find_passwd_group_inconsistencies.sh
+++ b/tests/hardening/6.2.15_find_passwd_group_inconsistencies.sh
@@ -10,8 +10,8 @@ test_audit() {
 local test_user="testpasswdgroupuser"
 local dir="/etc/passwd"
- describe Tests purposely failing
- echo "$test_user:x:1100:1100::/home/$test_user:" >> "$dir"
+ describe Tests purposely failing
+ echo "$test_user:x:1100:1100::/home/$test_user:" >>"$dir"
 register_test retvalshouldbe 1
 register_test contain "is referenced by /etc/passwd but does not exist in /etc/group"
 run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
diff --git a/tests/hardening/6.2.16_check_duplicate_uid.sh b/tests/hardening/6.2.16_check_duplicate_uid.sh
index 18b7197..dcd3318 100644
--- a/tests/hardening/6.2.16_check_duplicate_uid.sh
+++ b/tests/hardening/6.2.16_check_duplicate_uid.sh
@@ -17,7 +17,7 @@ test_audit() {
 run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 # shellcheck disable=2016
- echo 'EXCEPTIONS="$EXCEPTIONS 1001"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
+ echo 'EXCEPTIONS="$EXCEPTIONS 1001"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
 describe Adding exceptions
 register_test retvalshouldbe 0
@@ -28,4 +28,3 @@ test_audit() {
 userdel usertest1
 userdel usertest2
 }
-
diff --git a/tests/hardening/6.2.17_check_duplicate_gid.sh b/tests/hardening/6.2.17_check_duplicate_gid.sh
index f7aeaa9..62f05c7 100644
--- a/tests/hardening/6.2.17_check_duplicate_gid.sh
+++ b/tests/hardening/6.2.17_check_duplicate_gid.sh
@@ -7,7 +7,6 @@ test_audit() {
 # shellcheck disable=2154
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-
 groupadd -f -g 120 grouptest
 groupadd -fo -g 120 grouptest2
diff --git a/tests/hardening/6.2.18_check_duplicate_username.sh b/tests/hardening/6.2.18_check_duplicate_username.sh
index 2a7229d..89c036e 100644
--- a/tests/hardening/6.2.18_check_duplicate_username.sh
+++ b/tests/hardening/6.2.18_check_duplicate_username.sh
@@ -10,10 +10,10 @@ test_audit() {
 local test_user="testduplicateuser"
 local dir="/etc/passwd"
- describe Tests purposely failing
+ describe Tests purposely failing
 useradd "$test_user"
 temp=$(tail -1 "$dir")
- echo "$temp" >> "$dir"
+ echo "$temp" >>"$dir"
 register_test retvalshouldbe 1
 register_test contain "Duplicate username"
 run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
diff --git a/tests/hardening/6.2.19_check_duplicate_groupname.sh b/tests/hardening/6.2.19_check_duplicate_groupname.sh
index 4a709d6..3664076 100644
--- a/tests/hardening/6.2.19_check_duplicate_groupname.sh
+++ b/tests/hardening/6.2.19_check_duplicate_groupname.sh
@@ -10,10 +10,10 @@ test_audit() {
 local test_group="testduplicategroup"
 local dir="/etc/group"
- describe Tests purposely failing
+ describe Tests purposely failing
 useradd "$test_group"
 temp=$(tail -1 "$dir")
- echo "$temp" >> "$dir"
+ echo "$temp" >>"$dir"
 register_test retvalshouldbe 1
 register_test contain "Duplicate group"
 run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
diff --git a/tests/hardening/6.2.1_remove_empty_password_field.sh b/tests/hardening/6.2.1_remove_empty_password_field.sh
index b6e9a26..d33bbeb 100644
--- a/tests/hardening/6.2.1_remove_empty_password_field.sh
+++ b/tests/hardening/6.2.1_remove_empty_password_field.sh
@@ -17,7 +17,7 @@ test_audit() {
 run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 describe correcting situation
- sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
 /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
 describe Checking resolved state
diff --git a/tests/hardening/6.2.20_shadow_group_empty.sh b/tests/hardening/6.2.20_shadow_group_empty.sh
index 3be62ac..7eff49c 100644
--- a/tests/hardening/6.2.20_shadow_group_empty.sh
+++ b/tests/hardening/6.2.20_shadow_group_empty.sh
@@ -9,7 +9,7 @@ test_audit() {
 local test_user="testshadowuser"
- describe Tests purposely failing
+ describe Tests purposely failing
 useradd "$test_user"
 usermod -aG shadow "$test_user"
 register_test retvalshouldbe 1
@@ -17,11 +17,11 @@ test_audit() {
 run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 userdel "$test_user"
- describe Tests purposely failing
+ describe Tests purposely failing
 useradd --no-user-group -g shadow "$test_user"
 register_test retvalshouldbe 1
 register_test contain "Some users have shadow id as their primary group"
 run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 userdel "$test_user"
-
+
 }
diff --git a/tests/hardening/6.2.2_remove_legacy_passwd_entries.sh b/tests/hardening/6.2.2_remove_legacy_passwd_entries.sh
index 24916cc..ce25f3d 100644
--- a/tests/hardening/6.2.2_remove_legacy_passwd_entries.sh
+++ b/tests/hardening/6.2.2_remove_legacy_passwd_entries.sh
@@ -9,7 +9,7 @@ test_audit() {
 local test_user="testetcpasswduser"
- describe Tests purposely failing
+ describe Tests purposely failing
 useradd "$test_user"
 sed -i "s/$test_user:x/+:$test_user:x/" /etc/passwd
 register_test retvalshouldbe 1
@@ -17,7 +17,7 @@ test_audit() {
 run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 describe correcting situation
- sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
 /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
 describe Checking resolved state
diff --git a/tests/hardening/6.2.3_remove_legacy_shadow_entries.sh b/tests/hardening/6.2.3_remove_legacy_shadow_entries.sh
index d61e2ad..78c95b6 100644
--- a/tests/hardening/6.2.3_remove_legacy_shadow_entries.sh
+++ b/tests/hardening/6.2.3_remove_legacy_shadow_entries.sh
@@ -9,7 +9,7 @@ test_audit() {
 local test_user="testetcshadowusr"
- describe Tests purposely failing
+ describe Tests purposely failing
 useradd "$test_user"
 sed -i "s/$test_user:/+:$test_user:/" /etc/shadow
 register_test retvalshouldbe 1
@@ -17,7 +17,7 @@ test_audit() {
 run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 describe correcting situation
- sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
 /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
 describe Checking resolved state
diff --git a/tests/hardening/6.2.4_remove_legacy_group_entries.sh b/tests/hardening/6.2.4_remove_legacy_group_entries.sh
index 07f395f..ea8ed39 100644
--- a/tests/hardening/6.2.4_remove_legacy_group_entries.sh
+++ b/tests/hardening/6.2.4_remove_legacy_group_entries.sh
@@ -9,7 +9,7 @@ test_audit() {
 local test_user="testetcgroupuser"
- describe Tests purposely failing
+ describe Tests purposely failing
 useradd "$test_user"
 sed -i "s/$test_user:x/+:$test_user:x/" /etc/group
 register_test retvalshouldbe 1
@@ -17,7 +17,7 @@ test_audit() {
 run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 describe correcting situation
- sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
 /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
 describe Checking resolved state
diff --git a/tests/hardening/6.2.5_find_0_uid_non_root_account.sh b/tests/hardening/6.2.5_find_0_uid_non_root_account.sh
index 40bd8a6..a54b7de 100644
--- a/tests/hardening/6.2.5_find_0_uid_non_root_account.sh
+++ b/tests/hardening/6.2.5_find_0_uid_non_root_account.sh
@@ -16,7 +16,7 @@ test_audit() {
 run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 # shellcheck disable=2016
- echo 'EXCEPTIONS="$EXCEPTIONS usertest1"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
+ echo 'EXCEPTIONS="$EXCEPTIONS usertest1"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
 describe Adding exceptions
 register_test retvalshouldbe 0
@@ -26,4 +26,3 @@ test_audit() {
 # Cleanup
 userdel -f usertest1
 }
-
diff --git a/tests/hardening/6.2.6_sanitize_root_path.sh b/tests/hardening/6.2.6_sanitize_root_path.sh
index 92a2080..d357492 100644
--- a/tests/hardening/6.2.6_sanitize_root_path.sh
+++ b/tests/hardening/6.2.6_sanitize_root_path.sh
@@ -26,7 +26,7 @@ test_audit() {
 run noncompliant path="$PATH:." /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 describe Tests purposely failing
- mkdir -m 770 "$dir"
+ mkdir -m 770 "$dir"
 register_test retvalshouldbe 1
 register_test contain "Group Write permission set on directory $dir"
 run noncompliant path="$PATH:$dir" /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
diff --git a/tests/hardening/6.2.7_users_valid_homedir.sh b/tests/hardening/6.2.7_users_valid_homedir.sh
index ce27f50..f406dde 100755
--- a/tests/hardening/6.2.7_users_valid_homedir.sh
+++ b/tests/hardening/6.2.7_users_valid_homedir.sh
@@ -16,4 +16,4 @@ test_audit() {
 # cleanup
 userdel "$test_user"
-}
\ No newline at end of file
+}
diff --git a/tests/hardening/6.2.8_check_user_dir_perm.sh b/tests/hardening/6.2.8_check_user_dir_perm.sh
index 6c4226f..da09e25 100644
--- a/tests/hardening/6.2.8_check_user_dir_perm.sh
+++ b/tests/hardening/6.2.8_check_user_dir_perm.sh
@@ -9,7 +9,7 @@ test_audit() {
 local test_user="testhomepermuser"
- describe Tests purposely failing
+ describe Tests purposely failing
 useradd --create-home "$test_user"
 chmod 777 /home/"$test_user"
 register_test retvalshouldbe 1
@@ -21,7 +21,7 @@ test_audit() {
 run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 describe correcting situation
- sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
 /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
 describe Checking resolved state
diff --git a/tests/hardening/6.2.9_users_valid_homedir.sh b/tests/hardening/6.2.9_users_valid_homedir.sh
index 82cb707..4082d63 100644
--- a/tests/hardening/6.2.9_users_valid_homedir.sh
+++ b/tests/hardening/6.2.9_users_valid_homedir.sh
@@ -4,7 +4,7 @@ test_audit() {
 describe Running void to generate the conf file that will later be edited
 # shellcheck disable=2154
 /opt/debian-cis/bin/hardening/"${script}".sh || true
- echo "EXCEPTIONS=\"/:systemd-coredump:root\"" >> /opt/debian-cis/etc/conf.d/"${script}".cfg
+ echo "EXCEPTIONS=\"/:systemd-coredump:root\"" >>/opt/debian-cis/etc/conf.d/"${script}".cfg
 describe Running on blank host
 register_test retvalshouldbe 0
@@ -19,11 +19,10 @@ test_audit() {
 chown root:root /home/"$test_user"
 register_test retvalshouldbe 1
 register_test contain "[ KO ] The home directory (/home/$test_user) of user testhomeuser is owned by root"
- run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+ run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 describe correcting situation
- echo "EXCEPTIONS=\"/:systemd-coredump:root /home/$test_user:$test_user:root\"" > /opt/debian-cis/etc/conf.d/"${script}".cfg
-
+ echo "EXCEPTIONS=\"/:systemd-coredump:root /home/$test_user:$test_user:root\"" >/opt/debian-cis/etc/conf.d/"${script}".cfg
 describe Checking resolved state
 register_test retvalshouldbe 0
diff --git a/tests/hardening/99.1_timeout_tty.sh b/tests/hardening/99.1_timeout_tty.sh
index 7b84d5f..6868a51 100644
--- a/tests/hardening/99.1_timeout_tty.sh
+++ b/tests/hardening/99.1_timeout_tty.sh
@@ -7,7 +7,7 @@ test_audit() {
 # shellcheck disable=2154
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
- echo "TMOUT=600" > /etc/profile.d/CIS_99.1_timeout.sh
+ echo "TMOUT=600" >/etc/profile.d/CIS_99.1_timeout.sh
 describe compliant
 register_test retvalshouldbe 0
@@ -16,5 +16,5 @@ test_audit() {
 # TODO fill comprehensive tests
 # Cleanup
- rm /etc/profile.d/CIS_99.1_timeout.sh
+ rm /etc/profile.d/CIS_99.1_timeout.sh
 }
diff --git a/tests/hardening/99.2_disable_usb_devices.sh b/tests/hardening/99.2_disable_usb_devices.sh
index ac6df4e..69db7fe 100644
--- a/tests/hardening/99.2_disable_usb_devices.sh
+++ b/tests/hardening/99.2_disable_usb_devices.sh
@@ -13,7 +13,7 @@ test_audit() {
 # shellcheck disable=2154
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
- echo 'ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"' > /etc/udev/rules.d/10-CIS_99.2_usb_devices.sh
+ echo 'ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"' >/etc/udev/rules.d/10-CIS_99.2_usb_devices.sh
 describe compliant
 register_test retvalshouldbe 0
@@ -22,6 +22,6 @@ test_audit() {
 # TODO fill comprehensive tests
 # Cleanup
- rm /etc/udev/rules.d/10-CIS_99.2_usb_devices.sh
+ rm /etc/udev/rules.d/10-CIS_99.2_usb_devices.sh
 fi
 }
diff --git a/tests/hardening/99.3.1_acc_shadow_sha512.sh b/tests/hardening/99.3.1_acc_shadow_sha512.sh
index 40b2251..9597f48 100644
--- a/tests/hardening/99.3.1_acc_shadow_sha512.sh
+++ b/tests/hardening/99.3.1_acc_shadow_sha512.sh
@@ -22,7 +22,7 @@ test_audit() {
 run lockedpasswd /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 mv /tmp/shadow.bak /etc/shadow
- chpasswd << EOF
+ chpasswd <> /opt/debian-cis/etc/conf.d/"${script}".cfg
+ echo 'EXCEPT="$EXCEPT debian"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
 describe Running on blank host
 register_test retvalshouldbe 0
@@ -15,15 +15,14 @@ test_audit() {
 # Proceed to operation that will end up to a non compliant system
 useradd -s /bin/bash jeantestuser
- echo 'jeantestuser ALL = (ALL) NOPASSWD:ALL' >> /etc/sudoers.d/jeantestuser
+ echo 'jeantestuser ALL = (ALL) NOPASSWD:ALL' >>/etc/sudoers.d/jeantestuser
 describe Fail: Not compliant system
 register_test retvalshouldbe 1
 register_test contain "[ KO ] jeantestuser ALL = (ALL) NOPASSWD:ALL is present in /etc/sudoers.d/jeantestuser"
 run userallcmd /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-
 # shellcheck disable=2016
- echo 'EXCEPT="$EXCEPT debian jeantestuser"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
+ echo 'EXCEPT="$EXCEPT debian jeantestuser"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
 describe Adding jeantestuser to exceptions
 register_test retvalshouldbe 0
 register_test contain "[ OK ] jeantestuser ALL = (ALL) NOPASSWD:ALL is present in /etc/sudoers.d/jeantestuser but was EXCUSED because jeantestuser is part of exceptions"
@@ -32,4 +31,3 @@ test_audit() {
 rm -f /etc/sudoers.d/jeantestuser
 userdel jeantestuser
 }
-
diff --git a/tests/hardening/99.3.4_acc_logindefs_sha512.sh b/tests/hardening/99.3.4_acc_logindefs_sha512.sh
index 86999b5..80bfe07 100644
--- a/tests/hardening/99.3.4_acc_logindefs_sha512.sh
+++ b/tests/hardening/99.3.4_acc_logindefs_sha512.sh
@@ -36,4 +36,3 @@ test_audit() {
 register_test retvalshouldbe 0
 run sha512pass /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
-
diff --git a/tests/hardening/99.5.1_ssh_auth_pubk_only.sh b/tests/hardening/99.5.1_ssh_auth_pubk_only.sh
index 561fd14..54bede0 100644
--- a/tests/hardening/99.5.1_ssh_auth_pubk_only.sh
+++ b/tests/hardening/99.5.1_ssh_auth_pubk_only.sh
@@ -27,4 +27,3 @@ test_audit() {
 register_test contain "[ OK ] ^GSSAPIKeyExchange[[:space:]]+no is present in /etc/ssh/sshd_config"
 run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
-
diff --git a/tests/hardening/99.5.2.3_ssh_cry_rekey.sh b/tests/hardening/99.5.2.3_ssh_cry_rekey.sh
index 3a918f7..62b8308 100644
--- a/tests/hardening/99.5.2.3_ssh_cry_rekey.sh
+++ b/tests/hardening/99.5.2.3_ssh_cry_rekey.sh
@@ -20,4 +20,3 @@ test_audit() {
 register_test contain "[ OK ] ^RekeyLimit[[:space:]]*512M\s+6h is present in /etc/ssh/sshd_config"
 run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
-
diff --git a/tests/hardening/99.5.3_ssh_disable_features.sh b/tests/hardening/99.5.3_ssh_disable_features.sh
index 4c03694..14188a0 100644
--- a/tests/hardening/99.5.3_ssh_disable_features.sh
+++ b/tests/hardening/99.5.3_ssh_disable_features.sh
@@ -26,4 +26,3 @@ test_audit() {
 register_test contain "[ OK ] ^GatewayPorts[[:space:]]*no is present in /etc/ssh/sshd_config"
 run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
-
diff --git a/tests/hardening/99.5.4_ssh_keys_from.sh b/tests/hardening/99.5.4_ssh_keys_from.sh
index 22848ec..ec2b111 100644
--- a/tests/hardening/99.5.4_ssh_keys_from.sh
+++ b/tests/hardening/99.5.4_ssh_keys_from.sh
@@ -1,8 +1,8 @@
 # shellcheck shell=bash
 # run-shellcheck
-test_audit() {
+test_audit() {
 # shellcheck disable=2154
- echo 'EXCEPTION_USER="root"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
+ echo 'EXCEPTION_USER="root"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
 skip_tests
 # shellcheck disable=2154
@@ -25,58 +25,56 @@ test_audit() {
 run emptyauthkey /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 ssh-keygen -N "" -t ed25519 -f /tmp/key1
- cat /tmp/key1.pub >> /home/secaudit/.ssh/authorized_keys2
+ cat /tmp/key1.pub >>/home/secaudit/.ssh/authorized_keys2
 describe Key without from field
 register_test retvalshouldbe 1
 run keynofrom /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 {
- echo -n 'from="127.0.0.1" ';
- cat /tmp/key1.pub;
- } > /home/secaudit/.ssh/authorized_keys2
+ echo -n 'from="127.0.0.1" '
+ cat /tmp/key1.pub
+ } >/home/secaudit/.ssh/authorized_keys2
 describe Key with from, no ip check
 register_test retvalshouldbe 0
 run keyfrom /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 # shellcheck disable=2016
- echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
+ echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
 {
- echo -n 'from="10.0.1.2" ';
- cat /tmp/key1.pub;
- } >> /home/secaudit/.ssh/authorized_keys2
+ echo -n 'from="10.0.1.2" '
+ cat /tmp/key1.pub
+ } >>/home/secaudit/.ssh/authorized_keys2
 describe Key with from, filled allowed IPs, one bad ip
 register_test retvalshouldbe 1
 run badfromip /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 # shellcheck disable=2016
- echo 'ALLOWED_IPS="$ALLOWED_IPS 10.0.1.2"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
+ echo 'ALLOWED_IPS="$ALLOWED_IPS 10.0.1.2"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
 describe Key with from, filled allowed IPs, all IPs allowed
 register_test retvalshouldbe 0
 run allwdfromip /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 # shellcheck disable=2016
- echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1,10.2.3.1"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
+ echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1,10.2.3.1"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
 {
- echo -n 'from="10.0.1.2",command="echo bla" ';
- cat /tmp/key1.pub;
- echo -n 'command="echo
bla,from="10.0.1.2,10.2.3.1"" ';
- cat /tmp/key1.pub;
- } >> /home/secaudit/.ssh/authorized_keys2
+ echo -n 'from="10.0.1.2",command="echo bla" '
+ cat /tmp/key1.pub
+ echo -n 'command="echo bla,from="10.0.1.2,10.2.3.1"" '
+ cat /tmp/key1.pub
+ } >>/home/secaudit/.ssh/authorized_keys2
 describe Key with from and command options
 register_test retvalshouldbe 0
 run keyfromcommand /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 useradd -s /bin/bash -m jeantest2
 # shellcheck disable=2016
- echo 'USERS_TO_CHECK="jeantest2 secaudit"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
+ echo 'USERS_TO_CHECK="jeantest2 secaudit"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
 describe Check only specified user
 register_test retvalshouldbe 0
 run checkuser /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-
 # Cleanup
 userdel jeantestuser
 userdel -r jeantest2
 rm -f /tmp/key1 /tmp/key1.pub
 }
-
diff --git a/tests/hardening/99.5.5_ssh_strict_modes.sh b/tests/hardening/99.5.5_ssh_strict_modes.sh
index f247cbe..e10dc0c 100644
--- a/tests/hardening/99.5.5_ssh_strict_modes.sh
+++ b/tests/hardening/99.5.5_ssh_strict_modes.sh
@@ -21,4 +21,3 @@ test_audit() {
 register_test contain "[ OK ] ^StrictModes[[:space:]]*yes is present in /etc/ssh/sshd_config"
 run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
-
diff --git a/tests/hardening/99.5.6_ssh_sys_accept_env.sh b/tests/hardening/99.5.6_ssh_sys_accept_env.sh
index fcd5503..03d219d 100644
--- a/tests/hardening/99.5.6_ssh_sys_accept_env.sh
+++ b/tests/hardening/99.5.6_ssh_sys_accept_env.sh
@@ -14,7 +14,6 @@ test_audit() {
 register_test contain "[ KO ] ^\s*AcceptEnv\s+LANG LC_\* is not present in /etc/ssh/sshd_config"
 run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-
 describe Correcting situation
 # `apply` performs a service reload after each change in the config file
 # the service needs to be started for the reload to succeed
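Review bot: The cleanup at the end of this hunk runs `userdel jeantestuser`, but the only account the hunk creates is `jeantest2` (`useradd -s /bin/bash -m jeantest2`); unless `jeantestuser` is created in the part of 99.5.4_ssh_keys_from.sh that is not shown here (its lines 9–24 fall between the two hunks), that line is a leftover from the sudoers test elsewhere in this patch and will fail on every run. If it is a leftover, drop the line; if the user really is created earlier, the cleanup is fine as written. Separately, the fixture `echo -n 'command="echo bla,from="10.0.1.2,10.2.3.1"" '` reads like a quoting mistake at first glance; if it is deliberately malformed to exercise the audit script's option parser, a one-line comment such as `# deliberately nests from= inside a command= value to exercise the option parser` would spare the next reader a double-take. test_audit's body begins before this hunk.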
@@ -28,4 +27,3 @@ test_audit() {
 register_test contain "[ OK ] ^\s*AcceptEnv\s+LANG LC_\* is present in /etc/ssh/sshd_config"
 run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
-
diff --git a/tests/hardening/99.5.7_ssh_sys_no_legacy.sh b/tests/hardening/99.5.7_ssh_sys_no_legacy.sh
index 34a19e2..7aabbf4 100644
--- a/tests/hardening/99.5.7_ssh_sys_no_legacy.sh
+++ b/tests/hardening/99.5.7_ssh_sys_no_legacy.sh
@@ -6,4 +6,3 @@ test_audit() {
 # shellcheck disable=2154
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
-
diff --git a/tests/hardening/99.5.8_ssh_sys_sandbox.sh b/tests/hardening/99.5.8_ssh_sys_sandbox.sh
index c2388a9..398724d 100644
--- a/tests/hardening/99.5.8_ssh_sys_sandbox.sh
+++ b/tests/hardening/99.5.8_ssh_sys_sandbox.sh
@@ -1,6 +1,6 @@
 # shellcheck shell=bash
 # run-shellcheck
-test_audit() {
+test_audit() {
 describe Running on blank host
 register_test retvalshouldbe 1
 register_test contain "openssh-server is installed"
@@ -20,4 +20,3 @@ test_audit() {
 register_test contain "[ OK ] ^UsePrivilegeSeparation[[:space:]]*sandbox is present in /etc/ssh/sshd_config"
 run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
-
diff --git a/tests/hardening/99.5.9_ssh_loglevel.sh b/tests/hardening/99.5.9_ssh_loglevel.sh
index 880636a..823882b 100644
--- a/tests/hardening/99.5.9_ssh_loglevel.sh
+++ b/tests/hardening/99.5.9_ssh_loglevel.sh
@@ -20,4 +20,3 @@ test_audit() {
 register_test contain "[ OK ] ^LogLevel[[:space:]]*VERBOSE is present in /etc/ssh/sshd_config"
 run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
-
diff --git a/tests/launch_tests.sh b/tests/launch_tests.sh
index cafe367..737ad38 100755
--- a/tests/launch_tests.sh
+++ b/tests/launch_tests.sh
@@ -63,8 +63,7 @@ skip() {
 printf "%b %b\n" "\033[30m\e[43m[SKIP]\033[0m" "$*" >&2
 }
 # retrieves audit script logfile
-get_stdout()
-{
+get_stdout() {
 cat "$outdir"/"$usecase_name".log
 }
@@ -107,7 +106,7 @@ play_consistency_tests() {
 retfile_root=$outdir/${usecase_name_root}.retval
 retfile_sudo=$outdir/${usecase_name_sudo}.retval
 cmp "$retfile_root" "$retfile_sudo" && ret=0 || ret=1
- if [[ ! 0 -eq $ret ]] ; then
+ if [[ ! 0 -eq $ret ]]; then
 fail "$name" return values differ
 diff "$retfile_root" "$retfile_sudo" || true
 consist_test=1
@@ -118,28 +117,28 @@ play_consistency_tests() {
 retfile_root=$outdir/${usecase_name_root}.log
 retfile_sudo=$outdir/${usecase_name_sudo}.log
 cmp "$retfile_root" "$retfile_sudo" && ret=0 || ret=1
- if [[ ! 0 -eq $ret ]] ; then
+ if [[ ! 0 -eq $ret ]]; then
 fail "$name" logs differ
- diff "$retfile_root" "$retfile_sudo" || true
+ diff "$retfile_root" "$retfile_sudo" || true
 consist_test=1
 else
 ok "$name logs are identical"
 fi
 if [ 1 -eq $consist_test ]; then
- nbfailedconsist=$(( nbfailedconsist + 1 ))
+ nbfailedconsist=$((nbfailedconsist + 1))
 listfailedconsist="$listfailedconsist $(make_usecase_name "$usecase" consist)"
 fi
 }
 # Actually runs one signel audit script
-_run()
-{
+_run() {
 usecase_name=$1
 shift
 printf "\033[34m*** [%03d] %s \033[0m(%s)\n" "$testno" "$usecase_name" "$*"
- bash -c "$*" >"$outdir/$usecase_name.log" && true; echo $? > "$outdir/$usecase_name.retval"
- ret=$(< "$outdir"/"$usecase_name".retval)
+ bash -c "$*" >"$outdir/$usecase_name.log" && true
+ echo $? >"$outdir/$usecase_name.retval"
+ ret=$(<"$outdir"/"$usecase_name".retval)
 get_stdout
 }
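Review bot: The `bash -c "$*" >"$outdir/$usecase_name.log" && true` line that the split leaves standing on its own in `_run` carries no comment, so the trailing `&& true` now looks like a no-op that the next formatter pass or reader may drop. Given the `set +e` later in launch_tests.sh the harness presumably runs under `set -e`, and that `&& true` is what keeps a non-zero exit from the audit script from aborting the whole run while the following `echo $?` still records that status. I would put `# "&& true" keeps a failing audit script from aborting the harness under set -e; $? still carries its exit status` above it. `_run` is shown in full in this hunk.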
@@ -153,18 +152,17 @@ fi
 ###################
 # Execution start #
 ###################
-printf "\033[1;36m###\n### %s\n### \033[0m\n" "Starting debian-cis functional testing"
+printf "\033[1;36m###\n### %s\n### \033[0m\n" "Starting debian-cis functional testing"
 # if no scripts were passed as arguments, list all available test scenarii to be played
 if [ $# -eq 0 ]; then
 tests_list=$(ls -v "$(dirname "$0")"/hardening/)
- testcount=$(wc -l <<< "$tests_list")
+ testcount=$(wc -l <<<"$tests_list")
 else
 tests_list="$*"
 testcount=$#
 fi
-
 for test_file in $tests_list; do
 test_file_path=$(dirname "$0")/hardening/"$test_file"
 if [ ! -f "$test_file_path" ]; then
@@ -176,9 +174,9 @@ for test_file in $tests_list; do
 # source test scenario file to add `test_audit` func
 # shellcheck disable=1090
 . "$test_file_path"
- testno=$(( testno + 1 ))
+ testno=$((testno + 1))
 # shellcheck disable=2001
- name="$(echo "${test_file%%.sh}" | sed 's/\d+\.\d+_//' )"
+ name="$(echo "${test_file%%.sh}" | sed 's/\d+\.\d+_//')"
 printf "\033[1;36m### [%03d/%03d] %s \033[0m\n" "$testno" "$testcount" "$test_file"
 # test_audit is the function defined in $test_file, that carries the actual functional tests for this script
 test_audit
@@ -190,22 +188,22 @@ for test_file in $tests_list; do
 echo ""
 done
-printf "\033[1;36m###\n### %s \033[0m\n" "Test report"
-if [ $((nbfailedret + nbfailedgrep + nbfailedconsist )) -eq 0 ] ; then
+printf "\033[1;36m###\n### %s \033[0m\n" "Test report"
+if [ $((nbfailedret + nbfailedgrep + nbfailedconsist)) -eq 0 ]; then
 echo -e "\033[42m\033[30mAll tests succeeded :)\033[0m"
 else
 (
- echo -e "\033[41mOne or more tests failed :(\033[0m"
- echo -e "- $nbfailedret unexpected return values ${listfailedret}"
- echo -e "- $nbfailedgrep unexpected text values $listfailedgrep"
- echo -e "- $nbfailedconsist root/sudo consistency $listfailedconsist"
+ echo -e "\033[41mOne or more tests failed :(\033[0m"
+ echo -e "- $nbfailedret unexpected return values ${listfailedret}"
+ echo -e "- $nbfailedgrep unexpected text values $listfailedgrep"
+ echo -e "- $nbfailedconsist root/sudo consistency $listfailedconsist"
 ) | tee "$outdir"/summary
 fi
 echo
 set +e
 set +u
-let totalerrors=$((nbfailedret + nbfailedgrep + nbfailedconsist ))
+let totalerrors=$((nbfailedret + nbfailedgrep + nbfailedconsist))
 # leave `exit 255` for runtime errors
 [ $totalerrors -ge 255 ] && totalerrors=254
 exit $totalerrors
diff --git a/tests/lib.sh b/tests/lib.sh
index 37d38a6..036207d 100644
--- a/tests/lib.sh
+++ b/tests/lib.sh
@@ -18,24 +18,23 @@ describe() {
 register_test() {
 export numtest=0
 if [[ "notempty" == "${REGISTERED_TESTS[*]:+notempty}" ]]; then
- numtest=${#REGISTERED_TESTS[@]}
- fi
- REGISTERED_TESTS[numtest]="$*"
+ numtest=${#REGISTERED_TESTS[@]}
+ fi
+ REGISTERED_TESTS[numtest]="$*"
 }
 # retvalshouldbe checks that the audit return value equals the one passed as parameter
 # retvalshoudbe
-retvalshouldbe()
-{
+retvalshouldbe() {
 # shellcheck disable=2154
 retfile=$outdir/${usecase_name}.retval
 shouldbe=$1
- got=$(< "$retfile")
- if [ "$got" = "$shouldbe" ] ; then
+ got=$(<"$retfile")
+ if [ "$got" = "$shouldbe" ]; then
 ok "RETURN VALUE" "($shouldbe)"
 else
 if [ 0 -eq "$dismiss_count" ]; then
- nbfailedret=$(( nbfailedret + 1 ))
+ nbfailedret=$((nbfailedret + 1))
 listfailedret="$listfailedret $usecase_name"
 fi
 fail "RETURN VALUE" "(got $got instead of $shouldbe)"
@@ -44,10 +43,9 @@ retvalshouldbe()
 # contain looks for a string in audit logfile
 # contain [REGEX]
-contain()
-{
+contain() {
 local specialoption=''
- if [ "$1" != "REGEX" ] ; then
+ if [ "$1" != "REGEX" ]; then
 specialoption='-F'
 else
 specialoption='-E'
@@ -59,8 +57,8 @@ contain()
 ok "MUST CONTAIN" "($pattern)"
 else
 if [ 0 -eq "$dismiss_count" ]; then
- nbfailedgrep=$(( nbfailedgrep + 1 ))
- listfailedgrep="$listfailedgrep $usecase_name"
+ nbfailedgrep=$((nbfailedgrep + 1))
+ listfailedgrep="$listfailedgrep $usecase_name"
 fi
 fail "MUST CONTAIN" "($pattern)"
 fi
@@ -95,4 +93,3 @@ run() {
 play_consistency_tests
 clear_registered_tests
 }
-
diff --git a/tests/run_all_targets.sh b/tests/run_all_targets.sh
index ffc5e84..6a81321 100755
--- a/tests/run_all_targets.sh
+++ b/tests/run_all_targets.sh
@@ -30,27 +30,36 @@ eval set -- "$OPTIONS"
 # Treating options
 while true; do
 case "$1" in
- --nodel ) nodel=1; shift ;;
- --nowait ) nowait=1; shift ;;
- -- ) shift; break ;;
- * ) break ;;
+ --nodel)
+ nodel=1
+ shift
+ ;;
+ --nowait)
+ nowait=1
+ shift
+ ;;
+ --)
+ shift
+ break
+ ;;
+ *) break ;;
 esac
 done
 # Execution summary
 if [ "$nodel" -eq 1 ]; then
- echo -e "\e[34mLog directory: $tmpdir \e[0m"
+ echo -e "\e[34mLog directory: $tmpdir \e[0m"
 fi
 if [ "$nowait" -eq 1 ]; then
- echo -e "\e[34mRunning in non-interactive mode\e[0m"
+ echo -e "\e[34mRunning in non-interactive mode\e[0m"
 fi
 # Actual execution
 # Loops over found targets and runs docker_build_and_run_tests
 for target in $("$(dirname "$0")"/docker_build_and_run_tests.sh 2>&1 | grep "Supported" | cut -d ':' -f 2); do
 echo "Running $target $*"
- "$(dirname "$0")"/docker_build_and_run_tests.sh "$target" "$@" 2>&1 | \
- tee "${tmpdir}"/"${target}" | \
+ "$(dirname "$0")"/docker_build_and_run_tests.sh "$target" "$@" 2>&1 |
+ tee "${tmpdir}"/"${target}" |
 grep -q "All tests succeeded"
 ret=$?
 if [[ 0 -eq $ret ]]; then
@@ -61,7 +70,7 @@ for target in $("$(dirname "$0")"/docker_build_and_run_tests.sh 2>&1 | grep "Sup
 fi
 done
-if [[ ! -z "$failedtarget" && "$nowait" -eq 0 ]]; then
+if [[ ! -z "$failedtarget" && "$nowait" -eq 0 ]]; then
 echo -e "\nPress \e[1mENTER\e[0m to display failed test logs"
 echo -e "Use \e[1m:n\e[0m (next) and \e[1m:p\e[0m (previous) to navigate between log files"
 echo -e "and \e[1mq\e[0m to quit"