IMP(shfmt): add shell formatter
This commit is contained in:
parent
bc1aa65b91
commit
3a342b784a
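--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+tmp/shfmt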
140
bin/hardening.sh
140
bin/hardening.sh
@ -28,7 +28,7 @@ SUDO_MODE=''
|
|||||||
BATCH_MODE=''
|
BATCH_MODE=''
|
||||||
|
|
||||||
usage() {
|
usage() {
|
||||||
cat << EOF
|
cat <<EOF
|
||||||
$LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
|
$LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
|
||||||
|
|
||||||
--help -h
|
--help -h
|
||||||
@ -117,48 +117,48 @@ declare -a TEST_LIST ALLOWED_SERVICES_LIST
|
|||||||
while [[ $# > 0 ]]; do
|
while [[ $# > 0 ]]; do
|
||||||
ARG="$1"
|
ARG="$1"
|
||||||
case $ARG in
|
case $ARG in
|
||||||
--audit)
|
--audit)
|
||||||
AUDIT=1
|
AUDIT=1
|
||||||
;;
|
;;
|
||||||
--audit-all)
|
--audit-all)
|
||||||
AUDIT_ALL=1
|
AUDIT_ALL=1
|
||||||
;;
|
;;
|
||||||
--audit-all-enable-passed)
|
--audit-all-enable-passed)
|
||||||
AUDIT_ALL_ENABLE_PASSED=1
|
AUDIT_ALL_ENABLE_PASSED=1
|
||||||
;;
|
;;
|
||||||
--apply)
|
--apply)
|
||||||
APPLY=1
|
APPLY=1
|
||||||
;;
|
;;
|
||||||
--allow-service-list)
|
--allow-service-list)
|
||||||
ALLOW_SERVICE_LIST=1
|
ALLOW_SERVICE_LIST=1
|
||||||
;;
|
;;
|
||||||
--create-config-files-only)
|
--create-config-files-only)
|
||||||
CREATE_CONFIG=1
|
CREATE_CONFIG=1
|
||||||
;;
|
;;
|
||||||
--allow-service)
|
--allow-service)
|
||||||
ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2"
|
ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2"
|
||||||
shift
|
shift
|
||||||
;;
|
;;
|
||||||
--set-hardening-level)
|
--set-hardening-level)
|
||||||
SET_HARDENING_LEVEL="$2"
|
SET_HARDENING_LEVEL="$2"
|
||||||
shift
|
shift
|
||||||
;;
|
;;
|
||||||
--only)
|
--only)
|
||||||
TEST_LIST[${#TEST_LIST[@]}]="$2"
|
TEST_LIST[${#TEST_LIST[@]}]="$2"
|
||||||
shift
|
shift
|
||||||
;;
|
;;
|
||||||
--sudo)
|
--sudo)
|
||||||
SUDO_MODE='--sudo'
|
SUDO_MODE='--sudo'
|
||||||
;;
|
;;
|
||||||
--batch)
|
--batch)
|
||||||
BATCH_MODE='--batch'
|
BATCH_MODE='--batch'
|
||||||
LOGLEVEL=ok
|
LOGLEVEL=ok
|
||||||
;;
|
;;
|
||||||
-h|--help)
|
-h | --help)
|
||||||
usage
|
usage
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
usage
|
usage
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
shift
|
shift
|
||||||
@ -174,20 +174,20 @@ if [ -r /etc/default/cis-hardening ]; then
|
|||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh
|
[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh
|
||||||
[ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg
|
[ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg
|
||||||
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
|
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
|
||||||
[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
|
[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
|
||||||
|
|
||||||
if [ $BATCH_MODE ]; then MACHINE_LOG_LEVEL=3; fi
|
if [ $BATCH_MODE ]; then MACHINE_LOG_LEVEL=3; fi
|
||||||
|
|
||||||
# If --allow-service-list is specified, don't run anything, just list the supported services
|
# If --allow-service-list is specified, don't run anything, just list the supported services
|
||||||
if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then
|
if [ "$ALLOW_SERVICE_LIST" = 1 ]; then
|
||||||
declare -a HARDENING_EXCEPTIONS_LIST
|
declare -a HARDENING_EXCEPTIONS_LIST
|
||||||
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
|
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
|
||||||
template=$(grep "^HARDENING_EXCEPTION=" "$SCRIPT" | cut -d= -f2)
|
template=$(grep "^HARDENING_EXCEPTION=" "$SCRIPT" | cut -d= -f2)
|
||||||
@ -198,8 +198,8 @@ if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# If --set-hardening-level is specified, don't run anything, just apply config for each script
|
# If --set-hardening-level is specified, don't run anything, just apply config for each script
|
||||||
if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ] ; then
|
if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ]; then
|
||||||
if ! grep -q "^[12345]$" <<< "$SET_HARDENING_LEVEL" ; then
|
if ! grep -q "^[12345]$" <<<"$SET_HARDENING_LEVEL"; then
|
||||||
echo "Bad --set-hardening-level specified ('$SET_HARDENING_LEVEL'), expected 1 to 5"
|
echo "Bad --set-hardening-level specified ('$SET_HARDENING_LEVEL'), expected 1 to 5"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
@ -207,7 +207,7 @@ if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ] ; then
|
|||||||
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
|
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
|
||||||
SCRIPT_BASENAME=$(basename $SCRIPT .sh)
|
SCRIPT_BASENAME=$(basename $SCRIPT .sh)
|
||||||
script_level=$(grep "^HARDENING_LEVEL=" "$SCRIPT" | cut -d= -f2)
|
script_level=$(grep "^HARDENING_LEVEL=" "$SCRIPT" | cut -d= -f2)
|
||||||
if [ -z "$script_level" ] ; then
|
if [ -z "$script_level" ]; then
|
||||||
echo "The script $SCRIPT_BASENAME doesn't have a hardening level, configuration untouched for it"
|
echo "The script $SCRIPT_BASENAME doesn't have a hardening level, configuration untouched for it"
|
||||||
continue
|
continue
|
||||||
fi
|
fi
|
||||||
@ -226,11 +226,11 @@ fi
|
|||||||
|
|
||||||
# Parse every scripts and execute them in the required mode
|
# Parse every scripts and execute them in the required mode
|
||||||
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
|
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
|
||||||
if [ ${#TEST_LIST[@]} -gt 0 ] ; then
|
if [ ${#TEST_LIST[@]} -gt 0 ]; then
|
||||||
# --only X has been specified at least once, is this script in my list ?
|
# --only X has been specified at least once, is this script in my list ?
|
||||||
SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<< "$(basename $SCRIPT)")
|
SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<<"$(basename $SCRIPT)")
|
||||||
SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<< "$SCRIPT_PREFIX")
|
SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<<"$SCRIPT_PREFIX")
|
||||||
if ! grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<< "${TEST_LIST[@]}"; then
|
if ! grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<<"${TEST_LIST[@]}"; then
|
||||||
# not in the list
|
# not in the list
|
||||||
continue
|
continue
|
||||||
fi
|
fi
|
||||||
@ -258,30 +258,30 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
|
|||||||
|
|
||||||
debug "Script $SCRIPT finished with exit code $SCRIPT_EXITCODE"
|
debug "Script $SCRIPT finished with exit code $SCRIPT_EXITCODE"
|
||||||
case $SCRIPT_EXITCODE in
|
case $SCRIPT_EXITCODE in
|
||||||
0)
|
0)
|
||||||
debug "$SCRIPT passed"
|
debug "$SCRIPT passed"
|
||||||
PASSED_CHECKS=$((PASSED_CHECKS+1))
|
PASSED_CHECKS=$((PASSED_CHECKS + 1))
|
||||||
if [ $AUDIT_ALL_ENABLE_PASSED = 1 ] ; then
|
if [ $AUDIT_ALL_ENABLE_PASSED = 1 ]; then
|
||||||
SCRIPT_BASENAME=$(basename $SCRIPT .sh)
|
SCRIPT_BASENAME=$(basename $SCRIPT .sh)
|
||||||
sed -i -re 's/^status=.+/status=enabled/' $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg
|
sed -i -re 's/^status=.+/status=enabled/' $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg
|
||||||
info "Status set to enabled in $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
|
info "Status set to enabled in $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
1)
|
1)
|
||||||
debug "$SCRIPT failed"
|
debug "$SCRIPT failed"
|
||||||
FAILED_CHECKS=$((FAILED_CHECKS+1))
|
FAILED_CHECKS=$((FAILED_CHECKS + 1))
|
||||||
;;
|
;;
|
||||||
2)
|
2)
|
||||||
debug "$SCRIPT is disabled"
|
debug "$SCRIPT is disabled"
|
||||||
DISABLED_CHECKS=$((DISABLED_CHECKS+1))
|
DISABLED_CHECKS=$((DISABLED_CHECKS + 1))
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
TOTAL_CHECKS=$((TOTAL_CHECKS+1))
|
TOTAL_CHECKS=$((TOTAL_CHECKS + 1))
|
||||||
|
|
||||||
done
|
done
|
||||||
|
|
||||||
TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS-DISABLED_CHECKS))
|
TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS - DISABLED_CHECKS))
|
||||||
|
|
||||||
if [ $BATCH_MODE ]; then
|
if [ $BATCH_MODE ]; then
|
||||||
BATCH_SUMMARY="AUDIT_SUMMARY "
|
BATCH_SUMMARY="AUDIT_SUMMARY "
|
||||||
@ -289,7 +289,7 @@ if [ $BATCH_MODE ]; then
|
|||||||
BATCH_SUMMARY+="RUN_CHECKS:${TOTAL_TREATED_CHECKS:-0} "
|
BATCH_SUMMARY+="RUN_CHECKS:${TOTAL_TREATED_CHECKS:-0} "
|
||||||
BATCH_SUMMARY+="TOTAL_CHECKS_AVAIL:${TOTAL_CHECKS:-0}"
|
BATCH_SUMMARY+="TOTAL_CHECKS_AVAIL:${TOTAL_CHECKS:-0}"
|
||||||
if [ $TOTAL_TREATED_CHECKS != 0 ]; then
|
if [ $TOTAL_TREATED_CHECKS != 0 ]; then
|
||||||
CONFORMITY_PERCENTAGE=$(bc -l <<< "scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
|
CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
|
||||||
BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:$(printf "%s" "$CONFORMITY_PERCENTAGE")"
|
BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:$(printf "%s" "$CONFORMITY_PERCENTAGE")"
|
||||||
else
|
else
|
||||||
BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0
|
BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0
|
||||||
@ -297,17 +297,17 @@ if [ $BATCH_MODE ]; then
|
|||||||
becho $BATCH_SUMMARY
|
becho $BATCH_SUMMARY
|
||||||
else
|
else
|
||||||
printf "%40s\n" "################### SUMMARY ###################"
|
printf "%40s\n" "################### SUMMARY ###################"
|
||||||
printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"
|
printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"
|
||||||
printf "%30s %s\n" "Total Runned Checks :" "$TOTAL_TREATED_CHECKS"
|
printf "%30s %s\n" "Total Runned Checks :" "$TOTAL_TREATED_CHECKS"
|
||||||
printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
|
printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
|
||||||
printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
|
printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
|
||||||
|
|
||||||
ENABLED_CHECKS_PERCENTAGE=$(bc -l <<< "scale=2; ($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100")
|
ENABLED_CHECKS_PERCENTAGE=$(bc -l <<<"scale=2; ($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100")
|
||||||
CONFORMITY_PERCENTAGE=$(bc -l <<< "scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
|
CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
|
||||||
printf "%30s %s %%\n" "Enabled Checks Percentage :" "$ENABLED_CHECKS_PERCENTAGE"
|
printf "%30s %s %%\n" "Enabled Checks Percentage :" "$ENABLED_CHECKS_PERCENTAGE"
|
||||||
if [ $TOTAL_TREATED_CHECKS != 0 ]; then
|
if [ $TOTAL_TREATED_CHECKS != 0 ]; then
|
||||||
printf "%30s %s %%\n" "Conformity Percentage :" "$CONFORMITY_PERCENTAGE"
|
printf "%30s %s %%\n" "Conformity Percentage :" "$CONFORMITY_PERCENTAGE"
|
||||||
else
|
else
|
||||||
printf "%30s %s %%\n" "Conformity Percentage :" "N.A" # No check runned, avoid division by 0
|
printf "%30s %s %%\n" "Conformity Percentage :" "N.A" # No check runned, avoid division by 0
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
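Review bot: `while [[ $# > 0 ]]; do` in the second hunk of bin/hardening.sh uses `>` inside `[[ ]]`, which is a lexical string comparison rather than a numeric one; it only works because `$#` is never negative, and the intended form is `while [[ $# -gt 0 ]]; do` (ShellCheck SC2071). The three `for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do` loops rely on word-splitting `ls` output with `$CIS_ROOT_DIR` unquoted, so a root directory containing whitespace or glob characters, as set by the sourced /etc/default/cis-hardening, would split into bogus script paths; a plain glob such as `for SCRIPT in "$CIS_ROOT_DIR"/bin/hardening/*.sh; do` avoids that, though the `-v` natural ordering would then have to be reproduced (e.g. via `sort -V`) if execution order matters. Since this commit introduces shfmt, running ShellCheck alongside it would surface these as well as the unquoted `$CIS_ROOT_DIR` in the `[ -r ... ] && . ...` source lines of the third hunk.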
@ -20,9 +20,8 @@ DESCRIPTION="Disable mounting of freevxfs filesystems."
|
|||||||
KERNEL_OPTION="CONFIG_VXFS_FS"
|
KERNEL_OPTION="CONFIG_VXFS_FS"
|
||||||
MODULE_NAME="freevxfs"
|
MODULE_NAME="freevxfs"
|
||||||
|
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
||||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
crit "$KERNEL_OPTION is enabled!"
|
crit "$KERNEL_OPTION is enabled!"
|
||||||
@ -32,7 +31,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
is_kernel_option_enabled "$KERNEL_OPTION"
|
is_kernel_option_enabled "$KERNEL_OPTION"
|
||||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
||||||
@ -48,18 +47,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -20,9 +20,8 @@ DESCRIPTION="Disable mounting of jffs2 filesystems."
|
|||||||
KERNEL_OPTION="CONFIG_JFFS2_FS"
|
KERNEL_OPTION="CONFIG_JFFS2_FS"
|
||||||
MODULE_NAME="jffs2"
|
MODULE_NAME="jffs2"
|
||||||
|
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
||||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
crit "$KERNEL_OPTION is enabled!"
|
crit "$KERNEL_OPTION is enabled!"
|
||||||
@ -32,7 +31,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
is_kernel_option_enabled "$KERNEL_OPTION"
|
is_kernel_option_enabled "$KERNEL_OPTION"
|
||||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
||||||
@ -48,18 +47,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -20,9 +20,8 @@ DESCRIPTION="Disable mounting of hfs filesystems."
|
|||||||
KERNEL_OPTION="CONFIG_HFS_FS"
|
KERNEL_OPTION="CONFIG_HFS_FS"
|
||||||
MODULE_FILE="hfs"
|
MODULE_FILE="hfs"
|
||||||
|
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
|
is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
|
||||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
crit "$KERNEL_OPTION is enabled!"
|
crit "$KERNEL_OPTION is enabled!"
|
||||||
@ -32,7 +31,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
is_kernel_option_enabled "$KERNEL_OPTION"
|
is_kernel_option_enabled "$KERNEL_OPTION"
|
||||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
||||||
@ -48,18 +47,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -20,9 +20,8 @@ DESCRIPTION="Disable mounting of hfsplus filesystems."
|
|||||||
KERNEL_OPTION="CONFIG_HFSPLUS_FS"
|
KERNEL_OPTION="CONFIG_HFSPLUS_FS"
|
||||||
MODULE_FILE="hfsplus"
|
MODULE_FILE="hfsplus"
|
||||||
|
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
|
is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
|
||||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
crit "$KERNEL_OPTION is enabled!"
|
crit "$KERNEL_OPTION is enabled!"
|
||||||
@ -32,7 +31,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
is_kernel_option_enabled "$KERNEL_OPTION"
|
is_kernel_option_enabled "$KERNEL_OPTION"
|
||||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
||||||
@ -48,18 +47,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -20,9 +20,8 @@ DESCRIPTION="Disable mounting of udf filesystems."
|
|||||||
KERNEL_OPTION="CONFIG_UDF_FS"
|
KERNEL_OPTION="CONFIG_UDF_FS"
|
||||||
MODULE_FILE="udf"
|
MODULE_FILE="udf"
|
||||||
|
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
|
is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
|
||||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
crit "$KERNEL_OPTION is enabled!"
|
crit "$KERNEL_OPTION is enabled!"
|
||||||
@ -32,7 +31,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
is_kernel_option_enabled "$KERNEL_OPTION"
|
is_kernel_option_enabled "$KERNEL_OPTION"
|
||||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
||||||
@ -48,18 +47,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -20,9 +20,8 @@ DESCRIPTION="Disable mounting of cramfs filesystems."
|
|||||||
KERNEL_OPTION="CONFIG_CRAMFS"
|
KERNEL_OPTION="CONFIG_CRAMFS"
|
||||||
MODULE_NAME="cramfs"
|
MODULE_NAME="cramfs"
|
||||||
|
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
||||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
crit "$KERNEL_OPTION is enabled!"
|
crit "$KERNEL_OPTION is enabled!"
|
||||||
@ -33,7 +32,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
is_kernel_option_enabled "$KERNEL_OPTION"
|
is_kernel_option_enabled "$KERNEL_OPTION"
|
||||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
||||||
@ -50,18 +49,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -20,9 +20,8 @@ DESCRIPTION="Disable mounting of squashfs filesytems."
|
|||||||
KERNEL_OPTION="CONFIG_SQUASHFS"
|
KERNEL_OPTION="CONFIG_SQUASHFS"
|
||||||
MODULE_FILE="squashfs"
|
MODULE_FILE="squashfs"
|
||||||
|
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
|
is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
|
||||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
crit "$KERNEL_OPTION is enabled!"
|
crit "$KERNEL_OPTION is enabled!"
|
||||||
@ -33,7 +32,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
is_kernel_option_enabled "$KERNEL_OPTION"
|
is_kernel_option_enabled "$KERNEL_OPTION"
|
||||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||||
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
|
||||||
@ -50,18 +49,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -22,7 +22,7 @@ PARTITION="/var/tmp"
|
|||||||
OPTION="noexec"
|
OPTION="noexec"
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
info "Verifying that $PARTITION is a partition"
|
info "Verifying that $PARTITION is a partition"
|
||||||
FNRET=0
|
FNRET=0
|
||||||
is_a_partition "$PARTITION"
|
is_a_partition "$PARTITION"
|
||||||
@ -49,7 +49,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "$PARTITION is correctly set"
|
ok "$PARTITION is correctly set"
|
||||||
elif [ "$FNRET" = 2 ]; then
|
elif [ "$FNRET" = 2 ]; then
|
||||||
@ -73,18 +73,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -21,7 +21,7 @@ DESCRIPTION="/var/log on separate partition."
|
|||||||
PARTITION="/var/log"
|
PARTITION="/var/log"
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
info "Verifying that $PARTITION is a partition"
|
info "Verifying that $PARTITION is a partition"
|
||||||
FNRET=0
|
FNRET=0
|
||||||
is_a_partition "$PARTITION"
|
is_a_partition "$PARTITION"
|
||||||
@ -41,7 +41,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "$PARTITION is correctly set"
|
ok "$PARTITION is correctly set"
|
||||||
elif [ "$FNRET" = 2 ]; then
|
elif [ "$FNRET" = 2 ]; then
|
||||||
@ -60,18 +60,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -20,7 +20,7 @@ DESCRIPTION="/var/log/audit on a separate partition."
|
|||||||
PARTITION="/var/log/audit"
|
PARTITION="/var/log/audit"
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
info "Verifying that $PARTITION is a partition"
|
info "Verifying that $PARTITION is a partition"
|
||||||
FNRET=0
|
FNRET=0
|
||||||
is_a_partition "$PARTITION"
|
is_a_partition "$PARTITION"
|
||||||
@ -40,7 +40,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "$PARTITION is correctly set"
|
ok "$PARTITION is correctly set"
|
||||||
elif [ "$FNRET" = 2 ]; then
|
elif [ "$FNRET" = 2 ]; then
|
||||||
@ -59,18 +59,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -21,7 +21,7 @@ DESCRIPTION="/home on a separate partition."
|
|||||||
PARTITION="/home"
|
PARTITION="/home"
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
info "Verifying that $PARTITION is a partition"
|
info "Verifying that $PARTITION is a partition"
|
||||||
FNRET=0
|
FNRET=0
|
||||||
is_a_partition "$PARTITION"
|
is_a_partition "$PARTITION"
|
||||||
@ -41,7 +41,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "$PARTITION is correctly set"
|
ok "$PARTITION is correctly set"
|
||||||
elif [ "$FNRET" = 2 ]; then
|
elif [ "$FNRET" = 2 ]; then
|
||||||
@ -60,18 +60,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -22,7 +22,7 @@ PARTITION="/home"
|
|||||||
OPTION="nodev"
|
OPTION="nodev"
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
info "Verifying that $PARTITION is a partition"
|
info "Verifying that $PARTITION is a partition"
|
||||||
FNRET=0
|
FNRET=0
|
||||||
is_a_partition "$PARTITION"
|
is_a_partition "$PARTITION"
|
||||||
@ -49,7 +49,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "$PARTITION is correctly set"
|
ok "$PARTITION is correctly set"
|
||||||
elif [ "$FNRET" = 2 ]; then
|
elif [ "$FNRET" = 2 ]; then
|
||||||
@ -73,18 +73,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -22,7 +22,7 @@ PARTITION="/run/shm"
|
|||||||
OPTION="nodev"
|
OPTION="nodev"
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
info "Verifying that $PARTITION is a partition"
|
info "Verifying that $PARTITION is a partition"
|
||||||
PARTITION=$(readlink -e "$PARTITION")
|
PARTITION=$(readlink -e "$PARTITION")
|
||||||
FNRET=0
|
FNRET=0
|
||||||
@ -50,7 +50,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "$PARTITION is correctly set"
|
ok "$PARTITION is correctly set"
|
||||||
elif [ "$FNRET" = 2 ]; then
|
elif [ "$FNRET" = 2 ]; then
|
||||||
@ -74,12 +74,12 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -22,7 +22,7 @@ PARTITION="/run/shm"
|
|||||||
OPTION="nosuid"
|
OPTION="nosuid"
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
info "Verifying that $PARTITION is a partition"
|
info "Verifying that $PARTITION is a partition"
|
||||||
PARTITION=$(readlink -e "$PARTITION")
|
PARTITION=$(readlink -e "$PARTITION")
|
||||||
FNRET=0
|
FNRET=0
|
||||||
@ -50,7 +50,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "$PARTITION is correctly set"
|
ok "$PARTITION is correctly set"
|
||||||
elif [ "$FNRET" = 2 ]; then
|
elif [ "$FNRET" = 2 ]; then
|
||||||
@ -74,12 +74,12 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -22,7 +22,7 @@ PARTITION="/run/shm"
|
|||||||
OPTION="noexec"
|
OPTION="noexec"
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
info "Verifying that $PARTITION is a partition"
|
info "Verifying that $PARTITION is a partition"
|
||||||
PARTITION=$(readlink -e "$PARTITION")
|
PARTITION=$(readlink -e "$PARTITION")
|
||||||
FNRET=0
|
FNRET=0
|
||||||
@ -50,7 +50,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "$PARTITION is correctly set"
|
ok "$PARTITION is correctly set"
|
||||||
elif [ "$FNRET" = 2 ]; then
|
elif [ "$FNRET" = 2 ]; then
|
||||||
@ -74,12 +74,12 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -24,7 +24,7 @@ PARTITION="/media\S*"
|
|||||||
OPTION="nodev"
|
OPTION="nodev"
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
info "Verifying if there is $PARTITION like partition"
|
info "Verifying if there is $PARTITION like partition"
|
||||||
FNRET=0
|
FNRET=0
|
||||||
is_a_partition "$PARTITION"
|
is_a_partition "$PARTITION"
|
||||||
@ -44,7 +44,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "$PARTITION is correctly set"
|
ok "$PARTITION is correctly set"
|
||||||
elif [ "$FNRET" = 1 ]; then
|
elif [ "$FNRET" = 1 ]; then
|
||||||
@ -61,18 +61,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -24,7 +24,7 @@ PARTITION="/media\S*"
|
|||||||
OPTION="nosuid"
|
OPTION="nosuid"
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
info "Verifying if there is $PARTITION like partition"
|
info "Verifying if there is $PARTITION like partition"
|
||||||
FNRET=0
|
FNRET=0
|
||||||
is_a_partition "$PARTITION"
|
is_a_partition "$PARTITION"
|
||||||
@ -44,7 +44,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "$PARTITION is correctly set"
|
ok "$PARTITION is correctly set"
|
||||||
elif [ "$FNRET" = 1 ]; then
|
elif [ "$FNRET" = 1 ]; then
|
||||||
@ -61,18 +61,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -24,7 +24,7 @@ PARTITION="/media\S*"
|
|||||||
OPTION="noexec"
|
OPTION="noexec"
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
info "Verifying if there is $PARTITION like partition"
|
info "Verifying if there is $PARTITION like partition"
|
||||||
FNRET=0
|
FNRET=0
|
||||||
is_a_partition "$PARTITION"
|
is_a_partition "$PARTITION"
|
||||||
@ -44,7 +44,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "$PARTITION is correctly set"
|
ok "$PARTITION is correctly set"
|
||||||
elif [ "$FNRET" = 1 ]; then
|
elif [ "$FNRET" = 1 ]; then
|
||||||
@ -61,18 +61,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -18,13 +18,13 @@ HARDENING_LEVEL=2
|
|||||||
DESCRIPTION="Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them."
|
DESCRIPTION="Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them."
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
info "Checking if setuid is set on world writable Directories"
|
info "Checking if setuid is set on world writable Directories"
|
||||||
FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} )
|
FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'})
|
||||||
RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
|
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
|
||||||
if [ ! -z "$RESULT" ]; then
|
if [ ! -z "$RESULT" ]; then
|
||||||
crit "Some world writable directories are not on sticky bit mode!"
|
crit "Some world writable directories are not on sticky bit mode!"
|
||||||
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
|
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
|
||||||
crit "$FORMATTED_RESULT"
|
crit "$FORMATTED_RESULT"
|
||||||
else
|
else
|
||||||
ok "All world writable directories have a sticky bit"
|
ok "All world writable directories have a sticky bit"
|
||||||
@ -32,7 +32,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
|
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
|
||||||
if [ ! -z "$RESULT" ]; then
|
if [ ! -z "$RESULT" ]; then
|
||||||
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
|
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
|
||||||
@ -49,18 +49,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -20,7 +20,7 @@ DESCRIPTION="Disable automounting of devices."
|
|||||||
SERVICE_NAME="autofs"
|
SERVICE_NAME="autofs"
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
info "Checking if $SERVICE_NAME is enabled"
|
info "Checking if $SERVICE_NAME is enabled"
|
||||||
is_service_enabled "$SERVICE_NAME"
|
is_service_enabled "$SERVICE_NAME"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
@ -31,12 +31,12 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
info "Checking if $SERVICE_NAME is enabled"
|
info "Checking if $SERVICE_NAME is enabled"
|
||||||
is_service_enabled "$SERVICE_NAME"
|
is_service_enabled "$SERVICE_NAME"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
info "Disabling $SERVICE_NAME"
|
info "Disabling $SERVICE_NAME"
|
||||||
update-rc.d $SERVICE_NAME remove > /dev/null 2>&1
|
update-rc.d $SERVICE_NAME remove >/dev/null 2>&1
|
||||||
else
|
else
|
||||||
ok "$SERVICE_NAME is disabled"
|
ok "$SERVICE_NAME is disabled"
|
||||||
fi
|
fi
|
||||||
@ -49,18 +49,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -21,7 +21,7 @@ DESCRIPTION="Ensure /tmp is configured (Scored)"
|
|||||||
PARTITION="/tmp"
|
PARTITION="/tmp"
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
info "Verifying that $PARTITION is a partition"
|
info "Verifying that $PARTITION is a partition"
|
||||||
FNRET=0
|
FNRET=0
|
||||||
is_a_partition "$PARTITION"
|
is_a_partition "$PARTITION"
|
||||||
@ -41,7 +41,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "$PARTITION is correctly set"
|
ok "$PARTITION is correctly set"
|
||||||
elif [ "$FNRET" = 2 ]; then
|
elif [ "$FNRET" = 2 ]; then
|
||||||
@ -60,18 +60,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -22,7 +22,7 @@ PARTITION="/tmp"
|
|||||||
OPTION="nodev"
|
OPTION="nodev"
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
info "Verifying that $PARTITION is a partition"
|
info "Verifying that $PARTITION is a partition"
|
||||||
FNRET=0
|
FNRET=0
|
||||||
is_a_partition "$PARTITION"
|
is_a_partition "$PARTITION"
|
||||||
@ -49,7 +49,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "$PARTITION is correctly set"
|
ok "$PARTITION is correctly set"
|
||||||
elif [ "$FNRET" = 2 ]; then
|
elif [ "$FNRET" = 2 ]; then
|
||||||
@ -73,18 +73,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -22,7 +22,7 @@ PARTITION="/tmp"
|
|||||||
OPTION="nosuid"
|
OPTION="nosuid"
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
info "Verifying that $PARTITION is a partition"
|
info "Verifying that $PARTITION is a partition"
|
||||||
FNRET=0
|
FNRET=0
|
||||||
is_a_partition "$PARTITION"
|
is_a_partition "$PARTITION"
|
||||||
@ -49,7 +49,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "$PARTITION is correctly set"
|
ok "$PARTITION is correctly set"
|
||||||
elif [ "$FNRET" = 2 ]; then
|
elif [ "$FNRET" = 2 ]; then
|
||||||
@ -73,18 +73,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -22,7 +22,7 @@ PARTITION="/tmp"
|
|||||||
OPTION="noexec"
|
OPTION="noexec"
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
info "Verifying that $PARTITION is a partition"
|
info "Verifying that $PARTITION is a partition"
|
||||||
FNRET=0
|
FNRET=0
|
||||||
is_a_partition "$PARTITION"
|
is_a_partition "$PARTITION"
|
||||||
@ -49,7 +49,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "$PARTITION is correctly set"
|
ok "$PARTITION is correctly set"
|
||||||
elif [ "$FNRET" = 2 ]; then
|
elif [ "$FNRET" = 2 ]; then
|
||||||
@ -73,18 +73,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -21,7 +21,7 @@ DESCRIPTION="/var on a separate partition."
|
|||||||
PARTITION="/var"
|
PARTITION="/var"
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
info "Verifying that $PARTITION is a partition"
|
info "Verifying that $PARTITION is a partition"
|
||||||
FNRET=0
|
FNRET=0
|
||||||
is_a_partition "$PARTITION"
|
is_a_partition "$PARTITION"
|
||||||
@ -43,7 +43,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "$PARTITION is correctly set"
|
ok "$PARTITION is correctly set"
|
||||||
elif [ "$FNRET" = 2 ]; then
|
elif [ "$FNRET" = 2 ]; then
|
||||||
@ -62,18 +62,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -21,7 +21,7 @@ DESCRIPTION="/var/tmp on a separate partition."
|
|||||||
PARTITION="/var/tmp"
|
PARTITION="/var/tmp"
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
info "Verifying that $PARTITION is a partition"
|
info "Verifying that $PARTITION is a partition"
|
||||||
FNRET=0
|
FNRET=0
|
||||||
is_a_partition "$PARTITION"
|
is_a_partition "$PARTITION"
|
||||||
@ -43,7 +43,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "$PARTITION is correctly set"
|
ok "$PARTITION is correctly set"
|
||||||
elif [ "$FNRET" = 2 ]; then
|
elif [ "$FNRET" = 2 ]; then
|
||||||
@ -62,18 +62,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -22,7 +22,7 @@ PARTITION="/var/tmp"
|
|||||||
OPTION="nodev"
|
OPTION="nodev"
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
info "Verifying that $PARTITION is a partition"
|
info "Verifying that $PARTITION is a partition"
|
||||||
FNRET=0
|
FNRET=0
|
||||||
is_a_partition "$PARTITION"
|
is_a_partition "$PARTITION"
|
||||||
@ -49,7 +49,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "$PARTITION is correctly set"
|
ok "$PARTITION is correctly set"
|
||||||
elif [ "$FNRET" = 2 ]; then
|
elif [ "$FNRET" = 2 ]; then
|
||||||
@ -73,18 +73,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -22,7 +22,7 @@ PARTITION="/var/tmp"
|
|||||||
OPTION="nosuid"
|
OPTION="nosuid"
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
info "Verifying that $PARTITION is a partition"
|
info "Verifying that $PARTITION is a partition"
|
||||||
FNRET=0
|
FNRET=0
|
||||||
is_a_partition "$PARTITION"
|
is_a_partition "$PARTITION"
|
||||||
@ -49,7 +49,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "$PARTITION is correctly set"
|
ok "$PARTITION is correctly set"
|
||||||
elif [ "$FNRET" = 2 ]; then
|
elif [ "$FNRET" = 2 ]; then
|
||||||
@ -73,18 +73,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -25,7 +25,7 @@ GROUP='root'
|
|||||||
PERMISSIONS='400'
|
PERMISSIONS='400'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "$FILE has correct ownership"
|
ok "$FILE has correct ownership"
|
||||||
@ -42,7 +42,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "$FILE has correct ownership"
|
ok "$FILE has correct ownership"
|
||||||
@ -87,18 +87,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -22,7 +22,7 @@ USER_PATTERN="^set superusers"
|
|||||||
PWD_PATTERN="^password_pbkdf2"
|
PWD_PATTERN="^password_pbkdf2"
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
does_pattern_exist_in_file $FILE "$USER_PATTERN"
|
does_pattern_exist_in_file $FILE "$USER_PATTERN"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$USER_PATTERN not present in $FILE"
|
crit "$USER_PATTERN not present in $FILE"
|
||||||
@ -38,7 +38,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
does_pattern_exist_in_file $FILE "$USER_PATTERN"
|
does_pattern_exist_in_file $FILE "$USER_PATTERN"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
warn "$USER_PATTERN not present in $FILE, please configure password for grub"
|
warn "$USER_PATTERN not present in $FILE, please configure password for grub"
|
||||||
@ -69,18 +69,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -21,7 +21,7 @@ FILE="/etc/shadow"
|
|||||||
PATTERN="^root:[*\!]:"
|
PATTERN="^root:[*\!]:"
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
does_pattern_exist_in_file $FILE $PATTERN
|
does_pattern_exist_in_file $FILE $PATTERN
|
||||||
if [ "$FNRET" != 1 ]; then
|
if [ "$FNRET" != 1 ]; then
|
||||||
crit "$PATTERN is present in $FILE"
|
crit "$PATTERN is present in $FILE"
|
||||||
@ -31,7 +31,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
does_pattern_exist_in_file $FILE $PATTERN
|
does_pattern_exist_in_file $FILE $PATTERN
|
||||||
if [ "$FNRET" != 1 ]; then
|
if [ "$FNRET" != 1 ]; then
|
||||||
warn "$PATTERN is present in $FILE, please put a root password"
|
warn "$PATTERN is present in $FILE, please put a root password"
|
||||||
@ -48,18 +48,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -24,7 +24,7 @@ SYSCTL_PARAM='fs.suid_dumpable'
|
|||||||
SYSCTL_EXP_RESULT=0
|
SYSCTL_EXP_RESULT=0
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
SEARCH_RES=0
|
SEARCH_RES=0
|
||||||
LIMIT_FILES=""
|
LIMIT_FILES=""
|
||||||
if $SUDO_CMD [ -d $LIMIT_DIR ]; then
|
if $SUDO_CMD [ -d $LIMIT_DIR ]; then
|
||||||
@ -57,7 +57,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN
|
does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
warn "$LIMIT_PATTERN not present in $LIMIT_FILE, adding at the end of $LIMIT_FILE"
|
warn "$LIMIT_PATTERN not present in $LIMIT_FILE, adding at the end of $LIMIT_FILE"
|
||||||
@ -84,18 +84,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -34,7 +34,7 @@ nx_supported_and_enabled() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
does_pattern_exist_in_dmesg $PATTERN
|
does_pattern_exist_in_dmesg $PATTERN
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
nx_supported_and_enabled
|
nx_supported_and_enabled
|
||||||
@ -49,7 +49,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
does_pattern_exist_in_dmesg $PATTERN
|
does_pattern_exist_in_dmesg $PATTERN
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
nx_supported_and_enabled
|
nx_supported_and_enabled
|
||||||
@ -70,18 +70,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -21,7 +21,7 @@ SYSCTL_PARAM='kernel.randomize_va_space'
|
|||||||
SYSCTL_EXP_RESULT=2
|
SYSCTL_EXP_RESULT=2
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
|
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
|
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
|
||||||
@ -33,7 +33,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
|
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
|
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
|
||||||
@ -52,18 +52,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -20,7 +20,7 @@ DESCRIPTION="Disable prelink to prevent libraries compromission."
|
|||||||
PACKAGE='prelink'
|
PACKAGE='prelink'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
crit "$PACKAGE is installed!"
|
crit "$PACKAGE is installed!"
|
||||||
@ -31,7 +31,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
crit "$PACKAGE is installed, purging it"
|
crit "$PACKAGE is installed, purging it"
|
||||||
@ -51,18 +51,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -20,7 +20,7 @@ DESCRIPTION="Activate AppArmor to enforce permissions control."
|
|||||||
PACKAGE='apparmor'
|
PACKAGE='apparmor'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$PACKAGE is absent!"
|
crit "$PACKAGE is absent!"
|
||||||
@ -49,7 +49,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$PACKAGE is not installed, please install $PACKAGE and configure it"
|
crit "$PACKAGE is not installed, please install $PACKAGE and configure it"
|
||||||
@ -87,18 +87,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -21,7 +21,7 @@ FILE='/etc/motd'
|
|||||||
PATTERN='(\\v|\\r|\\m|\\s)'
|
PATTERN='(\\v|\\r|\\m|\\s)'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
does_pattern_exist_in_file $FILE "$PATTERN"
|
does_pattern_exist_in_file $FILE "$PATTERN"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
crit "$PATTERN is present in $FILE"
|
crit "$PATTERN is present in $FILE"
|
||||||
@ -31,7 +31,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
does_pattern_exist_in_file $FILE "$PATTERN"
|
does_pattern_exist_in_file $FILE "$PATTERN"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
warn "$PATTERN is present in $FILE"
|
warn "$PATTERN is present in $FILE"
|
||||||
@ -48,18 +48,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -21,7 +21,7 @@ FILE='/etc/issue'
|
|||||||
PATTERN='(\\v|\\r|\\m|\\s)'
|
PATTERN='(\\v|\\r|\\m|\\s)'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
does_pattern_exist_in_file $FILE "$PATTERN"
|
does_pattern_exist_in_file $FILE "$PATTERN"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
crit "$PATTERN is present in $FILE"
|
crit "$PATTERN is present in $FILE"
|
||||||
@ -31,7 +31,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
does_pattern_exist_in_file $FILE "$PATTERN"
|
does_pattern_exist_in_file $FILE "$PATTERN"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
warn "$PATTERN is present in $FILE"
|
warn "$PATTERN is present in $FILE"
|
||||||
@ -48,18 +48,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -21,7 +21,7 @@ FILE='/etc/issue.net'
|
|||||||
PATTERN='(\\v|\\r|\\m|\\s)'
|
PATTERN='(\\v|\\r|\\m|\\s)'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
does_pattern_exist_in_file $FILE "$PATTERN"
|
does_pattern_exist_in_file $FILE "$PATTERN"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
crit "$PATTERN is present in $FILE"
|
crit "$PATTERN is present in $FILE"
|
||||||
@ -31,7 +31,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
does_pattern_exist_in_file $FILE "$PATTERN"
|
does_pattern_exist_in_file $FILE "$PATTERN"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
warn "$PATTERN is present in $FILE"
|
warn "$PATTERN is present in $FILE"
|
||||||
@ -48,18 +48,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -23,7 +23,7 @@ GROUP='root'
|
|||||||
FILE='/etc/motd'
|
FILE='/etc/motd'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
does_file_exist $FILE
|
does_file_exist $FILE
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$FILE does not exist"
|
crit "$FILE does not exist"
|
||||||
@ -44,7 +44,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
does_file_exist $FILE
|
does_file_exist $FILE
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
info "$FILE does not exist"
|
info "$FILE does not exist"
|
||||||
@ -73,18 +73,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -23,7 +23,7 @@ GROUP='root'
|
|||||||
FILE='/etc/issue'
|
FILE='/etc/issue'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
does_file_exist $FILE
|
does_file_exist $FILE
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$FILE does not exist"
|
crit "$FILE does not exist"
|
||||||
@ -44,7 +44,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
does_file_exist $FILE
|
does_file_exist $FILE
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
info "$FILE does not exist"
|
info "$FILE does not exist"
|
||||||
@ -73,18 +73,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -23,7 +23,7 @@ GROUP='root'
|
|||||||
FILE='/etc/issue.net'
|
FILE='/etc/issue.net'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
does_file_exist $FILE
|
does_file_exist $FILE
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$FILE does not exist"
|
crit "$FILE does not exist"
|
||||||
@ -44,7 +44,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
does_file_exist $FILE
|
does_file_exist $FILE
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
info "$FILE does not exist"
|
info "$FILE does not exist"
|
||||||
@ -73,18 +73,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -18,12 +18,12 @@ HARDENING_LEVEL=3
|
|||||||
DESCRIPTION="Set graphical warning banner."
|
DESCRIPTION="Set graphical warning banner."
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
info "Not implemented yet"
|
info "Not implemented yet"
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
info "Not implemented yet"
|
info "Not implemented yet"
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -34,18 +34,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -18,7 +18,7 @@ HARDENING_LEVEL=3
DESCRIPTION="Ensure updates, patches, and additional security software are installed (Not Scored)"
DESCRIPTION="Ensure updates, patches, and additional security software are installed (Not Scored)"
# This function will be called if the script status is on enabled / audit mode
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Checking if apt needs an update"
info "Checking if apt needs an update"
apt_update_if_needed
apt_update_if_needed
info "Fetching upgrades ..."
info "Fetching upgrades ..."
@ -33,7 +33,7 @@ audit () {
}
}
# This function will be called if the script status is on enabled mode
# This function will be called if the script status is on enabled mode
apply () {
apply() {
if [ $FNRET -gt 0 ]; then
if [ $FNRET -gt 0 ]; then
info "Applying Upgrades..."
info "Applying Upgrades..."
DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' upgrade -y
DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' upgrade -y
@ -50,18 +50,18 @@ check_config() {
# Source Root Dir Parameter
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
. /etc/default/cis-hardening
fi
fi
if [ -z "$CIS_ROOT_DIR" ]; then
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
exit 128
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
@ -20,7 +20,7 @@ DESCRIPTION="Ensure xinetd is not enabled."
PACKAGE='xinetd'
PACKAGE='xinetd'
# This function will be called if the script status is on enabled / audit mode
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
is_pkg_installed "$PACKAGE"
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed"
crit "$PACKAGE is installed"
@ -30,7 +30,7 @@ audit () {
}
}
# This function will be called if the script status is on enabled mode
# This function will be called if the script status is on enabled mode
apply () {
apply() {
is_pkg_installed "$PACKAGE"
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
if [ "$FNRET" = 0 ]; then
warn "$PACKAGE is installed, purging"
warn "$PACKAGE is installed, purging"
@ -48,18 +48,18 @@ check_config() {
# Source Root Dir Parameter
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
. /etc/default/cis-hardening
fi
fi
if [ -z "$CIS_ROOT_DIR" ]; then
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
exit 128
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
@ -20,7 +20,7 @@ DESCRIPTION="Ensure bsd-inetd is not enabled."
PACKAGES='openbsd-inetd inetutils-inetd'
PACKAGES='openbsd-inetd inetutils-inetd'
# This function will be called if the script status is on enabled / audit mode
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
if [ "$FNRET" = 0 ]; then
@ -32,7 +32,7 @@ audit () {
}
}
# This function will be called if the script status is on enabled mode
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
if [ "$FNRET" = 0 ]; then
@ -52,18 +52,18 @@ check_config() {
# Source Root Dir Parameter
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
. /etc/default/cis-hardening
fi
fi
if [ -z "$CIS_ROOT_DIR" ]; then
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
exit 128
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
@ -20,7 +20,7 @@ DESCRIPTION="Ensure time synchronization is in use"
PACKAGES="ntp chrony"
PACKAGES="ntp chrony"
# This function will be called if the script status is on enabled / audit mode
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
FOUND=false
FOUND=false
for PACKAGE in $PACKAGES; do
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
is_pkg_installed "$PACKAGE"
@ -29,13 +29,13 @@ audit () {
FOUND=true
FOUND=true
fi
fi
done
done
if [ "$FOUND" = false ]; then
if [ "$FOUND" = false ]; then
crit "None of the following time sync packages are installed: $PACKAGES"
crit "None of the following time sync packages are installed: $PACKAGES"
fi
fi
}
}
# This function will be called if the script status is on enabled mode
# This function will be called if the script status is on enabled mode
apply () {
apply() {
:
:
}
}
@ -46,22 +46,20 @@ check_config() {
# Source Root Dir Parameter
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
. /etc/default/cis-hardening
fi
fi
if [ -z "$CIS_ROOT_DIR" ]; then
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
exit 128
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
exit 128
fi
fi
@ -26,7 +26,7 @@ NTP_INIT_PATTERN='RUNASUSER=ntp'
NTP_INIT_FILE='/etc/init.d/ntp'
NTP_INIT_FILE='/etc/init.d/ntp'
# This function will be called if the script status is on enabled / audit mode
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
is_pkg_installed "$PACKAGE"
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
crit "$PACKAGE is not installed!"
@ -48,31 +48,31 @@ audit () {
}
}
# This function will be called if the script status is on enabled mode
# This function will be called if the script status is on enabled mode
apply () {
apply() {
is_pkg_installed "$PACKAGE"
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
if [ "$FNRET" = 0 ]; then
ok "$PACKAGE is installed"
ok "$PACKAGE is installed"
else
else
crit "$PACKAGE is absent, installing it"
crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE
apt_install $PACKAGE
info "Checking $PACKAGE configuration"
info "Checking $PACKAGE configuration"
fi
fi
does_pattern_exist_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN
does_pattern_exist_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN
if [ "$FNRET" != 0 ]; then
if [ "$FNRET" != 0 ]; then
warn "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE, adding it"
warn "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE, adding it"
backup_file $NTP_CONF_FILE
backup_file $NTP_CONF_FILE
add_end_of_file $NTP_CONF_FILE "restrict -4 default kod notrap nomodify nopeer noquery"
add_end_of_file $NTP_CONF_FILE "restrict -4 default kod notrap nomodify nopeer noquery"
else
else
ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
fi
fi
does_pattern_exist_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN"
does_pattern_exist_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN"
if [ "$FNRET" != 0 ]; then
if [ "$FNRET" != 0 ]; then
warn "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE, adding it"
warn "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE, adding it"
backup_file $NTP_INIT_FILE
backup_file $NTP_INIT_FILE
add_line_file_before_pattern $NTP_INIT_FILE $NTP_INIT_PATTERN "^UGID"
add_line_file_before_pattern $NTP_INIT_FILE $NTP_INIT_PATTERN "^UGID"
else
else
ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
fi
fi
}
}
# This function will check config parameters required
# This function will check config parameters required
@ -82,18 +82,18 @@ check_config() {
# Source Root Dir Parameter
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
. /etc/default/cis-hardening
fi
fi
if [ -z "$CIS_ROOT_DIR" ]; then
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
exit 128
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
@ -24,7 +24,7 @@ CONF_DEFAULT_PATTERN='^(server|pool)'
CONF_FILE='/etc/chrony/chrony.conf'
CONF_FILE='/etc/chrony/chrony.conf'
# This function will be called if the script status is on enabled / audit mode
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
is_pkg_installed "$PACKAGE"
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
crit "$PACKAGE is not installed!"
@ -40,7 +40,7 @@ audit () {
}
}
# This function will be called if the script status is on enabled mode
# This function will be called if the script status is on enabled mode
apply () {
apply() {
:
:
}
}
@ -51,18 +51,18 @@ check_config() {
# Source Root Dir Parameter
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
. /etc/default/cis-hardening
fi
fi
if [ -z "$CIS_ROOT_DIR" ]; then
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
exit 128
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
@ -23,7 +23,7 @@ HARDENING_EXCEPTION=http
PACKAGES='nginx apache2 lighttpd micro-httpd mini-httpd yaws boa bozohttpd'
PACKAGES='nginx apache2 lighttpd micro-httpd mini-httpd yaws boa bozohttpd'
# This function will be called if the script status is on enabled / audit mode
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
if [ "$FNRET" = 0 ]; then
@ -35,7 +35,7 @@ audit () {
}
}
# This function will be called if the script status is on enabled mode
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
if [ "$FNRET" = 0 ]; then
@ -55,18 +55,18 @@ check_config() {
# Source Root Dir Parameter
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
. /etc/default/cis-hardening
fi
fi
if [ -z "$CIS_ROOT_DIR" ]; then
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
exit 128
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
@ -23,7 +23,7 @@ HARDENING_EXCEPTION=mail
PACKAGES='citadel-server courier-imap cyrus-imapd-2.4 dovecot-imapd mailutils-imap4d courier-pop cyrus-pop3d-2.4 dovecot-pop3d heimdal-servers mailutils-pop3d popa3d solid-pop3d xmail'
PACKAGES='citadel-server courier-imap cyrus-imapd-2.4 dovecot-imapd mailutils-imap4d courier-pop cyrus-pop3d-2.4 dovecot-pop3d heimdal-servers mailutils-pop3d popa3d solid-pop3d xmail'
# This function will be called if the script status is on enabled / audit mode
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
if [ "$FNRET" = 0 ]; then
@ -35,7 +35,7 @@ audit () {
}
}
# This function will be called if the script status is on enabled mode
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
if [ "$FNRET" = 0 ]; then
@ -55,18 +55,18 @@ check_config() {
# Source Root Dir Parameter
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
. /etc/default/cis-hardening
fi
fi
if [ -z "$CIS_ROOT_DIR" ]; then
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
exit 128
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
@ -23,7 +23,7 @@ PACKAGES='samba'
SERVICE='smbd'
SERVICE='smbd'
# This function will be called if the script status is on enabled / audit mode
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
if [ "$FNRET" = 0 ]; then
@ -41,7 +41,7 @@ audit () {
}
}
# This function will be called if the script status is on enabled mode
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
if [ "$FNRET" = 0 ]; then
@ -68,18 +68,18 @@ check_config() {
# Source Root Dir Parameter
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
. /etc/default/cis-hardening
fi
fi
if [ -z "$CIS_ROOT_DIR" ]; then
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
exit 128
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
@ -22,7 +22,7 @@ HARDENING_EXCEPTION=http
PACKAGES='squid3 squid'
PACKAGES='squid3 squid'
# This function will be called if the script status is on enabled / audit mode
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
if [ "$FNRET" = 0 ]; then
@ -34,7 +34,7 @@ audit () {
}
}
# This function will be called if the script status is on enabled mode
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
if [ "$FNRET" = 0 ]; then
@ -54,18 +54,18 @@ check_config() {
# Source Root Dir Parameter
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
. /etc/default/cis-hardening
fi
fi
if [ -z "$CIS_ROOT_DIR" ]; then
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
exit 128
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
@ -22,7 +22,7 @@ HARDENING_EXCEPTION=snmp
PACKAGES='snmpd'
PACKAGES='snmpd'
# This function will be called if the script status is on enabled / audit mode
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
if [ "$FNRET" = 0 ]; then
@ -34,7 +34,7 @@ audit () {
}
}
# This function will be called if the script status is on enabled mode
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
if [ "$FNRET" = 0 ]; then
@ -54,18 +54,18 @@ check_config() {
# Source Root Dir Parameter
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
. /etc/default/cis-hardening
fi
fi
if [ -z "$CIS_ROOT_DIR" ]; then
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
exit 128
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
@ -20,7 +20,7 @@ DESCRIPTION="Configure Mail Transfert Agent for Local-Only Mode."
HARDENING_EXCEPTION=mail
HARDENING_EXCEPTION=mail
# This function will be called if the script status is on enabled / audit mode
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Checking netport ports opened"
info "Checking netport ports opened"
RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || :
RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || :
RESULT=${RESULT:-}
RESULT=${RESULT:-}
@ -29,7 +29,7 @@ audit () {
|
|||||||
ok "Nothing listens on 25 port, probably unix socket configured"
|
ok "Nothing listens on 25 port, probably unix socket configured"
|
||||||
else
|
else
|
||||||
info "Checking $RESULT"
|
info "Checking $RESULT"
|
||||||
if $(grep -q "127.0.0.1" <<< $RESULT); then
|
if $(grep -q "127.0.0.1" <<<$RESULT); then
|
||||||
ok "MTA is configured to localhost only"
|
ok "MTA is configured to localhost only"
|
||||||
else
|
else
|
||||||
crit "MTA listens worldwide"
|
crit "MTA listens worldwide"
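Review bot: The loopback test on the `if $(grep -q "127.0.0.1" <<<$RESULT); then` line passes as soon as any selected netstat line mentions 127.0.0.1, so a host whose MTA binds port 25 on both 127.0.0.1 and 0.0.0.0 (or :::25) is reported as "configured to localhost only" although it is reachable from the network; the same test is repeated in the apply() hunk at `@ -47,7 +47,7 @@`. The check should fail when any listening line is not a loopback bind, e.g. `if ! grep -qv -e '127.0.0.1:25' -e '::1:25' <<<"$RESULT"; then`. Wrapping grep in `$(...)` also runs its (empty) output as a command and only works because bash reports the substitution's status in that case (ShellCheck SC2091); calling grep directly in the `if` is what is meant. The audit() body continues outside the hunk.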
|
||||||
@ -38,7 +38,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
info "Checking netport ports opened"
|
info "Checking netport ports opened"
|
||||||
RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || :
|
RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || :
|
||||||
RESULT=${RESULT:-}
|
RESULT=${RESULT:-}
|
||||||
@ -47,7 +47,7 @@ apply () {
|
|||||||
ok "Nothing listens on 25 port, probably unix socket configured"
|
ok "Nothing listens on 25 port, probably unix socket configured"
|
||||||
else
|
else
|
||||||
info "Checking $RESULT"
|
info "Checking $RESULT"
|
||||||
if $(grep -q "127.0.0.1" <<< $RESULT); then
|
if $(grep -q "127.0.0.1" <<<$RESULT); then
|
||||||
ok "MTA is configured to localhost only"
|
ok "MTA is configured to localhost only"
|
||||||
else
|
else
|
||||||
warn "MTA listens worldwide, correct this considering your MTA"
|
warn "MTA listens worldwide, correct this considering your MTA"
|
||||||
@ -63,18 +63,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -25,7 +25,7 @@ RSYNC_DEFAULT_FILE='/etc/default/rsync'
|
|||||||
RSYNC_DEFAULT_PATTERN_TO_SEARCH='RSYNC_ENABLE=true'
|
RSYNC_DEFAULT_PATTERN_TO_SEARCH='RSYNC_ENABLE=true'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
ok "$PACKAGE is not installed"
|
ok "$PACKAGE is not installed"
|
||||||
@ -41,7 +41,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
ok "$PACKAGE is not installed"
|
ok "$PACKAGE is not installed"
|
||||||
@ -65,18 +65,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -25,7 +25,7 @@ FILE='/etc/inetd.conf'
|
|||||||
PATTERN='^telnet'
|
PATTERN='^telnet'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
for PACKAGE in $PACKAGES; do
|
for PACKAGE in $PACKAGES; do
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
@ -48,7 +48,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
for PACKAGE in $PACKAGES; do
|
for PACKAGE in $PACKAGES; do
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
@ -67,7 +67,7 @@ apply () {
|
|||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
warn "$PATTERN is present in $FILE, purging it"
|
warn "$PATTERN is present in $FILE, purging it"
|
||||||
backup_file $FILE
|
backup_file $FILE
|
||||||
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
|
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<<$PATTERN)
|
||||||
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
|
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
|
||||||
else
|
else
|
||||||
ok "$PATTERN is not present in $FILE"
|
ok "$PATTERN is not present in $FILE"
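Review bot: `sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE` passes `e` as the in-place backup suffix (GNU sed reads `-ie` as `-i` followed by a suffix, not as `-i -e`), so every run leaves a stray `/etc/inetd.confe` copy of the unhardened file next to the real one, while `backup_file $FILE` on the line above is already the intended backup. `$FILE` is unquoted on both of those lines as well. Suggested: `sed -i -e "s/$ESCAPED_PATTERN/#&/g" -- "$FILE"` and `backup_file "$FILE"`. The apply() body starts and ends outside the hunk.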
|
||||||
@ -83,18 +83,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -23,7 +23,7 @@ HARDENING_EXCEPTION=x11
|
|||||||
PACKAGES='xserver-xorg-core xserver-xorg-core-dbg xserver-common xserver-xephyr xserver-xfbdev tightvncserver vnc4server fglrx-driver xvfb xserver-xorg-video-nvidia-legacy-173xx xserver-xorg-video-nvidia-legacy-96xx xnest'
|
PACKAGES='xserver-xorg-core xserver-xorg-core-dbg xserver-common xserver-xephyr xserver-xfbdev tightvncserver vnc4server fglrx-driver xvfb xserver-xorg-video-nvidia-legacy-173xx xserver-xorg-video-nvidia-legacy-96xx xnest'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
for PACKAGE in $PACKAGES; do
|
for PACKAGE in $PACKAGES; do
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
@ -35,7 +35,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
for PACKAGE in $PACKAGES; do
|
for PACKAGE in $PACKAGES; do
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
@ -55,18 +55,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -20,7 +20,7 @@ DESCRIPTION="Ensure Avahi server is not enabled."
|
|||||||
PACKAGES='avahi-daemon libavahi-common-data libavahi-common3 libavahi-core7'
|
PACKAGES='avahi-daemon libavahi-common-data libavahi-common3 libavahi-core7'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
for PACKAGE in $PACKAGES; do
|
for PACKAGE in $PACKAGES; do
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
@ -32,7 +32,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
for PACKAGE in $PACKAGES; do
|
for PACKAGE in $PACKAGES; do
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
@ -52,18 +52,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -22,7 +22,7 @@ HARDENING_EXCEPTION=cups
|
|||||||
PACKAGES='libcups2 libcupscgi1 libcupsimage2 libcupsmime1 libcupsppdc1 cups-common cups-client cups-ppdc libcupsfilters1 cups-filters cups'
|
PACKAGES='libcups2 libcupscgi1 libcupsimage2 libcupsmime1 libcupsppdc1 cups-common cups-client cups-ppdc libcupsfilters1 cups-filters cups'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
for PACKAGE in $PACKAGES; do
|
for PACKAGE in $PACKAGES; do
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
@ -34,7 +34,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
for PACKAGE in $PACKAGES; do
|
for PACKAGE in $PACKAGES; do
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
@ -54,18 +54,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -22,7 +22,7 @@ HARDENING_EXCEPTION=dhcp
|
|||||||
PACKAGES='udhcpd isc-dhcp-server'
|
PACKAGES='udhcpd isc-dhcp-server'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
for PACKAGE in $PACKAGES; do
|
for PACKAGE in $PACKAGES; do
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
@ -34,7 +34,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
for PACKAGE in $PACKAGES; do
|
for PACKAGE in $PACKAGES; do
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
@ -54,18 +54,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -22,7 +22,7 @@ HARDENING_EXCEPTION=ldap
|
|||||||
PACKAGES='slapd'
|
PACKAGES='slapd'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
for PACKAGE in $PACKAGES; do
|
for PACKAGE in $PACKAGES; do
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
@ -34,7 +34,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
for PACKAGE in $PACKAGES; do
|
for PACKAGE in $PACKAGES; do
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
@ -54,18 +54,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -22,7 +22,7 @@ HARDENING_EXCEPTION=nfs
|
|||||||
PACKAGES='rpcbind nfs-kernel-server'
|
PACKAGES='rpcbind nfs-kernel-server'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
for PACKAGE in $PACKAGES; do
|
for PACKAGE in $PACKAGES; do
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
@ -34,7 +34,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
for PACKAGE in $PACKAGES; do
|
for PACKAGE in $PACKAGES; do
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
@ -54,18 +54,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -22,7 +22,7 @@ HARDENING_EXCEPTION=dns
|
|||||||
PACKAGES='bind9 unbound'
|
PACKAGES='bind9 unbound'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
for PACKAGE in $PACKAGES; do
|
for PACKAGE in $PACKAGES; do
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
@ -34,7 +34,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
for PACKAGE in $PACKAGES; do
|
for PACKAGE in $PACKAGES; do
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
@ -54,18 +54,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -23,7 +23,7 @@ HARDENING_EXCEPTION=ftp
|
|||||||
PACKAGES='ftpd ftpd-ssl heimdal-servers inetutils-ftpd krb5-ftpd muddleftpd proftpd-basic pure-ftpd pure-ftpd-ldap pure-ftpd-mysql pure-ftpd-postgresql twoftpd-run vsftpd wzdftpd'
|
PACKAGES='ftpd ftpd-ssl heimdal-servers inetutils-ftpd krb5-ftpd muddleftpd proftpd-basic pure-ftpd pure-ftpd-ldap pure-ftpd-mysql pure-ftpd-postgresql twoftpd-run vsftpd wzdftpd'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
for PACKAGE in $PACKAGES; do
|
for PACKAGE in $PACKAGES; do
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
@ -35,7 +35,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
for PACKAGE in $PACKAGES; do
|
for PACKAGE in $PACKAGES; do
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
@ -55,18 +55,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -20,7 +20,7 @@ DESCRIPTION="Ensure that Network Information Service is not installed. Recommend
|
|||||||
PACKAGE='nis'
|
PACKAGE='nis'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
crit "$PACKAGE is installed!"
|
crit "$PACKAGE is installed!"
|
||||||
@ -31,7 +31,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
crit "$PACKAGE is installed, purging it"
|
crit "$PACKAGE is installed, purging it"
|
||||||
@ -49,18 +49,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -21,7 +21,7 @@ DESCRIPTION="Ensure rsh client is not installed, Recommended alternative : ssh."
|
|||||||
PACKAGES='rsh-client rsh-redone-client heimdal-clients'
|
PACKAGES='rsh-client rsh-redone-client heimdal-clients'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
for PACKAGE in $PACKAGES; do
|
for PACKAGE in $PACKAGES; do
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
@ -33,7 +33,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
for PACKAGE in $PACKAGES; do
|
for PACKAGE in $PACKAGES; do
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
@ -53,18 +53,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -20,7 +20,7 @@ DESCRIPTION="Ensure talk client is not installed."
|
|||||||
PACKAGES='talk inetutils-talk'
|
PACKAGES='talk inetutils-talk'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
for PACKAGE in $PACKAGES; do
|
for PACKAGE in $PACKAGES; do
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
@ -32,7 +32,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
for PACKAGE in $PACKAGES; do
|
for PACKAGE in $PACKAGES; do
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
@ -52,18 +52,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -20,7 +20,7 @@ DESCRIPTION="Ensure telnet client is not installed."
|
|||||||
PACKAGES='telnet'
|
PACKAGES='telnet'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
for PACKAGE in $PACKAGES; do
|
for PACKAGE in $PACKAGES; do
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
@ -32,7 +32,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
for PACKAGE in $PACKAGES; do
|
for PACKAGE in $PACKAGES; do
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
@ -52,18 +52,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -20,7 +20,7 @@ DESCRIPTION="Ensure ldap client is not installed."
|
|||||||
PACKAGES='ldap-utils'
|
PACKAGES='ldap-utils'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
for PACKAGE in $PACKAGES; do
|
for PACKAGE in $PACKAGES; do
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
@ -32,7 +32,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
for PACKAGE in $PACKAGES; do
|
for PACKAGE in $PACKAGES; do
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
@ -52,18 +52,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -1,6 +1,5 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
|
|
||||||
# run-shellcheck
|
# run-shellcheck
|
||||||
#
|
#
|
||||||
# CIS Debian Hardening
|
# CIS Debian Hardening
|
||||||
@ -23,7 +22,7 @@ SYSCTL_PARAMS='net.ipv4.ip_forward net.ipv6.conf.all.forwarding'
|
|||||||
SYSCTL_EXP_RESULT=0
|
SYSCTL_EXP_RESULT=0
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
for SYSCTL_PARAM in $SYSCTL_PARAMS; do
|
for SYSCTL_PARAM in $SYSCTL_PARAMS; do
|
||||||
does_sysctl_param_exists "net.ipv6"
|
does_sysctl_param_exists "net.ipv6"
|
||||||
if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_PARAM =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
|
if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_PARAM =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
|
||||||
@ -40,13 +39,13 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
for SYSCTL_PARAM in $SYSCTL_PARAMS; do
|
for SYSCTL_PARAM in $SYSCTL_PARAMS; do
|
||||||
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
|
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
|
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
|
||||||
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||||
sysctl -w net.ipv4.route.flush=1 > /dev/null
|
sysctl -w net.ipv4.route.flush=1 >/dev/null
|
||||||
elif [ "$FNRET" = 255 ]; then
|
elif [ "$FNRET" = 255 ]; then
|
||||||
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||||
else
|
else
|
||||||
@ -62,18 +61,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -22,7 +22,7 @@ DESCRIPTION="Disable send packet redirects to prevent malicious ICMP corruption.
|
|||||||
SYSCTL_PARAMS='net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0'
|
SYSCTL_PARAMS='net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||||
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
||||||
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
||||||
@ -39,7 +39,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||||
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
||||||
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
||||||
@ -48,7 +48,7 @@ apply () {
|
|||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
|
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
|
||||||
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||||
sysctl -w net.ipv4.route.flush=1 > /dev/null
|
sysctl -w net.ipv4.route.flush=1 >/dev/null
|
||||||
elif [ "$FNRET" = 255 ]; then
|
elif [ "$FNRET" = 255 ]; then
|
||||||
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||||
else
|
else
|
||||||
@ -64,18 +64,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -20,7 +20,7 @@ DESCRIPTION="Disable source routed packet acceptance."
|
|||||||
SYSCTL_PARAMS=''
|
SYSCTL_PARAMS=''
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||||
does_sysctl_param_exists "net.ipv6"
|
does_sysctl_param_exists "net.ipv6"
|
||||||
if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
|
if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
|
||||||
@ -40,7 +40,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||||
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
||||||
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
||||||
@ -49,7 +49,7 @@ apply () {
|
|||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT value -- Fixing"
|
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT value -- Fixing"
|
||||||
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||||
sysctl -w net.ipv4.route.flush=1 > /dev/null
|
sysctl -w net.ipv4.route.flush=1 >/dev/null
|
||||||
elif [ "$FNRET" = 255 ]; then
|
elif [ "$FNRET" = 255 ]; then
|
||||||
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||||
else
|
else
|
||||||
@ -73,18 +73,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -20,7 +20,7 @@ DESCRIPTION="Disable ICMP redirect acceptance to prevent routing table corruptio
|
|||||||
SYSCTL_PARAMS=''
|
SYSCTL_PARAMS=''
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||||
does_sysctl_param_exists "net.ipv6"
|
does_sysctl_param_exists "net.ipv6"
|
||||||
if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
|
if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
|
||||||
@ -41,7 +41,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||||
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
||||||
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
||||||
@ -50,7 +50,7 @@ apply () {
|
|||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
|
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
|
||||||
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||||
sysctl -w net.ipv4.route.flush=1 > /dev/null
|
sysctl -w net.ipv4.route.flush=1 >/dev/null
|
||||||
elif [ "$FNRET" = 255 ]; then
|
elif [ "$FNRET" = 255 ]; then
|
||||||
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||||
else
|
else
|
||||||
@ -74,18 +74,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -20,7 +20,7 @@ DESCRIPTION="Disable secure ICMP redirect acceptance to prevent routing tables c
|
|||||||
SYSCTL_PARAMS='net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure_redirects=0'
|
SYSCTL_PARAMS='net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure_redirects=0'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||||
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
||||||
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
||||||
@ -37,7 +37,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||||
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
||||||
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
||||||
@ -46,7 +46,7 @@ apply () {
|
|||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
|
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
|
||||||
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||||
sysctl -w net.ipv4.route.flush=1 > /dev/null
|
sysctl -w net.ipv4.route.flush=1 >/dev/null
|
||||||
elif [ "$FNRET" = 255 ]; then
|
elif [ "$FNRET" = 255 ]; then
|
||||||
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||||
else
|
else
|
||||||
@ -62,18 +62,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -20,7 +20,7 @@ DESCRIPTION="Log suspicious packets, like spoofed packets."
|
|||||||
SYSCTL_PARAMS='net.ipv4.conf.all.log_martians=1 net.ipv4.conf.default.log_martians=1'
|
SYSCTL_PARAMS='net.ipv4.conf.all.log_martians=1 net.ipv4.conf.default.log_martians=1'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||||
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
||||||
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
||||||
@ -37,7 +37,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||||
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
||||||
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
||||||
@ -46,7 +46,7 @@ apply () {
|
|||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
|
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
|
||||||
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||||
sysctl -w net.ipv4.route.flush=1 > /dev/null
|
sysctl -w net.ipv4.route.flush=1 >/dev/null
|
||||||
elif [ "$FNRET" = 255 ]; then
|
elif [ "$FNRET" = 255 ]; then
|
||||||
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||||
else
|
else
|
||||||
@ -62,18 +62,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -20,7 +20,7 @@ DESCRIPTION="Ignore broadcast requests to prevent attacks such as Smurf attack."
|
|||||||
SYSCTL_PARAMS='net.ipv4.icmp_echo_ignore_broadcasts=1'
|
SYSCTL_PARAMS='net.ipv4.icmp_echo_ignore_broadcasts=1'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||||
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
||||||
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
||||||
@ -37,7 +37,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||||
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
||||||
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
||||||
@ -46,7 +46,7 @@ apply () {
|
|||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
|
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
|
||||||
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||||
sysctl -w net.ipv4.route.flush=1 > /dev/null
|
sysctl -w net.ipv4.route.flush=1 >/dev/null
|
||||||
elif [ "$FNRET" = 255 ]; then
|
elif [ "$FNRET" = 255 ]; then
|
||||||
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||||
else
|
else
|
||||||
@ -62,18 +62,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -20,7 +20,7 @@ DESCRIPTION="Enable bad error message protection to prevent logfiles fillup."
|
|||||||
SYSCTL_PARAMS='net.ipv4.icmp_ignore_bogus_error_responses=1'
|
SYSCTL_PARAMS='net.ipv4.icmp_ignore_bogus_error_responses=1'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||||
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
||||||
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
||||||
@ -37,7 +37,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||||
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
||||||
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
||||||
@ -46,7 +46,7 @@ apply () {
|
|||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
|
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
|
||||||
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||||
sysctl -w net.ipv4.route.flush=1 > /dev/null
|
sysctl -w net.ipv4.route.flush=1 >/dev/null
|
||||||
elif [ "$FNRET" = 255 ]; then
|
elif [ "$FNRET" = 255 ]; then
|
||||||
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||||
else
|
else
|
||||||
@ -62,18 +62,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -20,7 +20,7 @@ DESCRIPTION="Enable RFC-recommended source route validation."
|
|||||||
SYSCTL_PARAMS='net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1'
|
SYSCTL_PARAMS='net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||||
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
||||||
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
||||||
@ -37,7 +37,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||||
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
||||||
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
||||||
@ -46,7 +46,7 @@ apply () {
|
|||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
|
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
|
||||||
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||||
sysctl -w net.ipv4.route.flush=1 > /dev/null
|
sysctl -w net.ipv4.route.flush=1 >/dev/null
|
||||||
elif [ "$FNRET" = 255 ]; then
|
elif [ "$FNRET" = 255 ]; then
|
||||||
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||||
else
|
else
|
||||||
@ -62,18 +62,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -20,7 +20,7 @@ DESCRIPTION="Enable TCP-SYN cookie to prevent TCP-SYN flood attack."
|
|||||||
SYSCTL_PARAMS='net.ipv4.tcp_syncookies=1'
|
SYSCTL_PARAMS='net.ipv4.tcp_syncookies=1'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||||
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
||||||
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
||||||
@ -37,7 +37,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
|
||||||
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
|
||||||
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
|
||||||
@ -46,7 +46,7 @@ apply () {
|
|||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
|
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
|
||||||
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||||
sysctl -w net.ipv4.route.flush=1 > /dev/null
|
sysctl -w net.ipv4.route.flush=1 >/dev/null
|
||||||
elif [ "$FNRET" = 255 ]; then
|
elif [ "$FNRET" = 255 ]; then
|
||||||
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||||
else
|
else
|
||||||
@ -62,18 +62,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -20,7 +20,7 @@ DESCRIPTION="Disable IPv6 router advertisements."
|
|||||||
SYSCTL_PARAMS='net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0'
|
SYSCTL_PARAMS='net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
does_sysctl_param_exists "net.ipv6"
|
does_sysctl_param_exists "net.ipv6"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
ok "ipv6 is disabled"
|
ok "ipv6 is disabled"
|
||||||
@ -42,7 +42,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
does_sysctl_param_exists "net.ipv6"
|
does_sysctl_param_exists "net.ipv6"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
ok "ipv6 is disabled"
|
ok "ipv6 is disabled"
|
||||||
@ -55,7 +55,7 @@ apply () {
|
|||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT, fixing"
|
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT, fixing"
|
||||||
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
|
||||||
sysctl -w net.ipv4.route.flush=1 > /dev/null
|
sysctl -w net.ipv4.route.flush=1 >/dev/null
|
||||||
elif [ "$FNRET" = 255 ]; then
|
elif [ "$FNRET" = 255 ]; then
|
||||||
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
warn "$SYSCTL_PARAM does not exist -- Typo?"
|
||||||
else
|
else
|
||||||
@ -72,18 +72,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -20,7 +20,7 @@ DESCRIPTION="Install TCP wrappers for simple access list management and standard
|
|||||||
PACKAGE='tcpd'
|
PACKAGE='tcpd'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$PACKAGE is not installed!"
|
crit "$PACKAGE is not installed!"
|
||||||
@ -30,14 +30,14 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "$PACKAGE is installed"
|
ok "$PACKAGE is installed"
|
||||||
else
|
else
|
||||||
crit "$PACKAGE is absent, installing it"
|
crit "$PACKAGE is absent, installing it"
|
||||||
apt_install $PACKAGE
|
apt_install $PACKAGE
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will check config parameters required
|
# This function will check config parameters required
|
||||||
@ -47,18 +47,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -20,7 +20,7 @@ DESCRIPTION="Create /etc/hosts.allow ."
|
|||||||
FILE='/etc/hosts.allow'
|
FILE='/etc/hosts.allow'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
does_file_exist $FILE
|
does_file_exist $FILE
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$FILE does not exist"
|
crit "$FILE does not exist"
|
||||||
@ -30,7 +30,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
does_file_exist $FILE
|
does_file_exist $FILE
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
warn "$FILE does not exist, creating it"
|
warn "$FILE does not exist, creating it"
|
||||||
@ -48,18 +48,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -21,7 +21,7 @@ FILE='/etc/hosts.deny'
|
|||||||
PATTERN='ALL: ALL'
|
PATTERN='ALL: ALL'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
does_file_exist $FILE
|
does_file_exist $FILE
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$FILE does not exist"
|
crit "$FILE does not exist"
|
||||||
@ -37,7 +37,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
does_file_exist $FILE
|
does_file_exist $FILE
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
warn "$FILE does not exist, creating it"
|
warn "$FILE does not exist, creating it"
|
||||||
@ -62,18 +62,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -23,7 +23,7 @@ USER='root'
|
|||||||
GROUP='root'
|
GROUP='root'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "$FILE has correct permissions"
|
ok "$FILE has correct permissions"
|
||||||
@ -39,7 +39,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "$FILE has correct permissions"
|
ok "$FILE has correct permissions"
|
||||||
@ -56,18 +56,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -23,7 +23,7 @@ USER='root'
|
|||||||
GROUP='root'
|
GROUP='root'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "$FILE has correct permissions"
|
ok "$FILE has correct permissions"
|
||||||
@ -39,7 +39,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "$FILE has correct permissions"
|
ok "$FILE has correct permissions"
|
||||||
@ -56,18 +56,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -18,12 +18,12 @@ HARDENING_LEVEL=2
|
|||||||
DESCRIPTION="Disable Datagram Congestion Control Protocol (DCCP)."
|
DESCRIPTION="Disable Datagram Congestion Control Protocol (DCCP)."
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
info "Not implemented yet"
|
info "Not implemented yet"
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
info "Not implemented yet"
|
info "Not implemented yet"
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -34,18 +34,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -18,12 +18,12 @@ HARDENING_LEVEL=2
|
|||||||
DESCRIPTION="Disable Stream Control Transmission Protocol (SCTP)."
|
DESCRIPTION="Disable Stream Control Transmission Protocol (SCTP)."
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
info "Not implemented yet"
|
info "Not implemented yet"
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
info "Not implemented yet"
|
info "Not implemented yet"
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -34,18 +34,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -18,12 +18,12 @@ HARDENING_LEVEL=2
|
|||||||
DESCRIPTION="Disable Reliable Datagram Sockets (RDS)."
|
DESCRIPTION="Disable Reliable Datagram Sockets (RDS)."
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
info "Not implemented yet"
|
info "Not implemented yet"
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
info "Not implemented yet"
|
info "Not implemented yet"
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -34,18 +34,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -18,12 +18,12 @@ HARDENING_LEVEL=2
|
|||||||
DESCRIPTION="Disable Transperent Inter-Process Communication (TIPC)."
|
DESCRIPTION="Disable Transperent Inter-Process Communication (TIPC)."
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
info "Not implemented yet"
|
info "Not implemented yet"
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
info "Not implemented yet"
|
info "Not implemented yet"
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -34,18 +34,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -22,12 +22,12 @@ FW_CHAINS="INPUT FORWARD"
|
|||||||
FW_POLICY="DROP"
|
FW_POLICY="DROP"
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$PACKAGE is not installed!"
|
crit "$PACKAGE is not installed!"
|
||||||
else
|
else
|
||||||
ipt=$($SUDO_CMD $PACKAGE -nL 2>/dev/null || true )
|
ipt=$($SUDO_CMD $PACKAGE -nL 2>/dev/null || true)
|
||||||
if [[ -z $ipt ]]; then
|
if [[ -z $ipt ]]; then
|
||||||
crit "Empty return from $PACKAGE command. Aborting..."
|
crit "Empty return from $PACKAGE command. Aborting..."
|
||||||
return
|
return
|
||||||
@ -50,7 +50,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
:
|
:
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -61,12 +61,12 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -23,7 +23,7 @@ DESCRIPTION="Ensure firewall is active (iptables is installed, does not check fo
|
|||||||
PACKAGE='iptables'
|
PACKAGE='iptables'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$PACKAGE is not installed!"
|
crit "$PACKAGE is not installed!"
|
||||||
@ -33,14 +33,14 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
is_pkg_installed "$PACKAGE"
|
is_pkg_installed "$PACKAGE"
|
||||||
if [ "$FNRET" = 0 ]; then
|
if [ "$FNRET" = 0 ]; then
|
||||||
ok "$PACKAGE is installed"
|
ok "$PACKAGE is installed"
|
||||||
else
|
else
|
||||||
crit "$PACKAGE is absent, installing it"
|
crit "$PACKAGE is absent, installing it"
|
||||||
apt_install $PACKAGE
|
apt_install $PACKAGE
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will check config parameters required
|
# This function will check config parameters required
|
||||||
@ -50,18 +50,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -18,12 +18,12 @@ HARDENING_LEVEL=3
|
|||||||
DESCRIPTION="Deactivate wireless interfaces."
|
DESCRIPTION="Deactivate wireless interfaces."
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
info "Not implemented yet"
|
info "Not implemented yet"
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
info "Not implemented yet"
|
info "Not implemented yet"
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -34,13 +34,13 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
## Source Root Dir Parameter
|
## Source Root Dir Parameter
|
||||||
#if [ ! -r /etc/default/cis-hardening ]; then
|
#if [ ! -r /etc/default/cis-hardening ]; then
|
||||||
@ -57,7 +57,7 @@ fi
|
|||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -20,7 +20,7 @@ DESCRIPTION="Disable IPv6."
|
|||||||
SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1'
|
SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
does_sysctl_param_exists "net.ipv6"
|
does_sysctl_param_exists "net.ipv6"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
ok "ipv6 is disabled"
|
ok "ipv6 is disabled"
|
||||||
@ -42,7 +42,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
does_sysctl_param_exists "net.ipv6"
|
does_sysctl_param_exists "net.ipv6"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
ok "ipv6 is disabled"
|
ok "ipv6 is disabled"
|
||||||
@ -72,18 +72,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -22,7 +22,7 @@ PATTERN='max_log_file'
|
|||||||
VALUE=5
|
VALUE=5
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
does_file_exist $FILE
|
does_file_exist $FILE
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$FILE does not exist"
|
crit "$FILE does not exist"
|
||||||
@ -38,7 +38,7 @@ audit () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
does_file_exist $FILE
|
does_file_exist $FILE
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
warn "$FILE does not exist, creating it"
|
warn "$FILE does not exist, creating it"
|
||||||
@ -62,18 +62,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -21,29 +21,29 @@ FILE='/etc/audit/auditd.conf'
|
|||||||
OPTIONS=''
|
OPTIONS=''
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
does_file_exist $FILE
|
does_file_exist $FILE
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$FILE does not exist"
|
crit "$FILE does not exist"
|
||||||
else
|
else
|
||||||
ok "$FILE exists, checking configuration"
|
ok "$FILE exists, checking configuration"
|
||||||
for AUDIT_OPTION in $OPTIONS; do
|
for AUDIT_OPTION in $OPTIONS; do
|
||||||
AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
|
AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
|
||||||
AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
|
AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
|
||||||
PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
|
PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
|
||||||
debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
|
debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
|
||||||
does_pattern_exist_in_file $FILE "$PATTERN"
|
does_pattern_exist_in_file $FILE "$PATTERN"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$PATTERN is not present in $FILE"
|
crit "$PATTERN is not present in $FILE"
|
||||||
else
|
else
|
||||||
ok "$PATTERN is present in $FILE"
|
ok "$PATTERN is present in $FILE"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
does_file_exist $FILE
|
does_file_exist $FILE
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
warn "$FILE does not exist, creating it"
|
warn "$FILE does not exist, creating it"
|
||||||
@ -79,7 +79,7 @@ check_config() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
create_config() {
|
create_config() {
|
||||||
cat << EOF
|
cat <<EOF
|
||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
status=audit
|
status=audit
|
||||||
# Put here the conf for auditd
|
# Put here the conf for auditd
|
||||||
@ -89,18 +89,18 @@ EOF
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -21,29 +21,29 @@ FILE='/etc/audit/auditd.conf'
|
|||||||
OPTIONS='max_log_file_action=keep_logs'
|
OPTIONS='max_log_file_action=keep_logs'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit() {
|
||||||
does_file_exist $FILE
|
does_file_exist $FILE
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$FILE does not exist"
|
crit "$FILE does not exist"
|
||||||
else
|
else
|
||||||
ok "$FILE exists, checking configuration"
|
ok "$FILE exists, checking configuration"
|
||||||
for AUDIT_OPTION in $OPTIONS; do
|
for AUDIT_OPTION in $OPTIONS; do
|
||||||
AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
|
AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
|
||||||
AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
|
AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
|
||||||
PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
|
PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
|
||||||
debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
|
debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
|
||||||
does_pattern_exist_in_file $FILE "$PATTERN"
|
does_pattern_exist_in_file $FILE "$PATTERN"
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
crit "$PATTERN is not present in $FILE"
|
crit "$PATTERN is not present in $FILE"
|
||||||
else
|
else
|
||||||
ok "$PATTERN is present in $FILE"
|
ok "$PATTERN is present in $FILE"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply() {
|
||||||
does_file_exist $FILE
|
does_file_exist $FILE
|
||||||
if [ "$FNRET" != 0 ]; then
|
if [ "$FNRET" != 0 ]; then
|
||||||
warn "$FILE does not exist, creating it"
|
warn "$FILE does not exist, creating it"
|
||||||
@ -80,18 +80,18 @@ check_config() {
|
|||||||
|
|
||||||
# Source Root Dir Parameter
|
# Source Root Dir Parameter
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
# shellcheck source=../../debian/default
|
# shellcheck source=../../debian/default
|
||||||
. /etc/default/cis-hardening
|
. /etc/default/cis-hardening
|
||||||
fi
|
fi
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
# shellcheck source=../../lib/main.sh
|
# shellcheck source=../../lib/main.sh
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
else
|
else
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
@ -26,7 +26,7 @@ AUDIT_PARAMS='-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>
FILE='/etc/audit/audit.rules'
FILE='/etc/audit/audit.rules'
# This function will be called if the script status is on enabled / audit mode
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
# define custom IFS and save default one
# define custom IFS and save default one
d_IFS=$IFS
d_IFS=$IFS
c_IFS=$'\n'
c_IFS=$'\n'
@ -46,7 +46,7 @@ audit () {
}
}
# This function will be called if the script status is on enabled mode
# This function will be called if the script status is on enabled mode
apply () {
apply() {
IFS=$'\n'
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
debug "$AUDIT_VALUE should be in file $FILE"
@ -68,18 +68,18 @@ check_config() {
# Source Root Dir Parameter
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
. /etc/default/cis-hardening
fi
fi
if [ -z "$CIS_ROOT_DIR" ]; then
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
exit 128
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"