IMP(shfmt): add shell formatter

This commit is contained in:
Thibault Ayanides 2020-12-04 14:08:01 +01:00
parent bc1aa65b91
commit 3a342b784a
300 changed files with 2370 additions and 2427 deletions

1
.gitignore vendored
View File

@ -0,0 +1 @@
tmp/shfmt

View File

@ -28,7 +28,7 @@ SUDO_MODE=''
BATCH_MODE='' BATCH_MODE=''
usage() { usage() {
cat << EOF cat <<EOF
$LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of: $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
--help -h --help -h
@ -117,48 +117,48 @@ declare -a TEST_LIST ALLOWED_SERVICES_LIST
while [[ $# > 0 ]]; do while [[ $# > 0 ]]; do
ARG="$1" ARG="$1"
case $ARG in case $ARG in
--audit) --audit)
AUDIT=1 AUDIT=1
;; ;;
--audit-all) --audit-all)
AUDIT_ALL=1 AUDIT_ALL=1
;; ;;
--audit-all-enable-passed) --audit-all-enable-passed)
AUDIT_ALL_ENABLE_PASSED=1 AUDIT_ALL_ENABLE_PASSED=1
;; ;;
--apply) --apply)
APPLY=1 APPLY=1
;; ;;
--allow-service-list) --allow-service-list)
ALLOW_SERVICE_LIST=1 ALLOW_SERVICE_LIST=1
;; ;;
--create-config-files-only) --create-config-files-only)
CREATE_CONFIG=1 CREATE_CONFIG=1
;; ;;
--allow-service) --allow-service)
ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2" ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2"
shift shift
;; ;;
--set-hardening-level) --set-hardening-level)
SET_HARDENING_LEVEL="$2" SET_HARDENING_LEVEL="$2"
shift shift
;; ;;
--only) --only)
TEST_LIST[${#TEST_LIST[@]}]="$2" TEST_LIST[${#TEST_LIST[@]}]="$2"
shift shift
;; ;;
--sudo) --sudo)
SUDO_MODE='--sudo' SUDO_MODE='--sudo'
;; ;;
--batch) --batch)
BATCH_MODE='--batch' BATCH_MODE='--batch'
LOGLEVEL=ok LOGLEVEL=ok
;; ;;
-h|--help) -h | --help)
usage usage
;; ;;
*) *)
usage usage
;; ;;
esac esac
shift shift
@ -174,20 +174,20 @@ if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh [ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh
[ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg [ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh [ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh [ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
if [ $BATCH_MODE ]; then MACHINE_LOG_LEVEL=3; fi if [ $BATCH_MODE ]; then MACHINE_LOG_LEVEL=3; fi
# If --allow-service-list is specified, don't run anything, just list the supported services # If --allow-service-list is specified, don't run anything, just list the supported services
if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then if [ "$ALLOW_SERVICE_LIST" = 1 ]; then
declare -a HARDENING_EXCEPTIONS_LIST declare -a HARDENING_EXCEPTIONS_LIST
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
template=$(grep "^HARDENING_EXCEPTION=" "$SCRIPT" | cut -d= -f2) template=$(grep "^HARDENING_EXCEPTION=" "$SCRIPT" | cut -d= -f2)
@ -198,8 +198,8 @@ if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then
fi fi
# If --set-hardening-level is specified, don't run anything, just apply config for each script # If --set-hardening-level is specified, don't run anything, just apply config for each script
if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ] ; then if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ]; then
if ! grep -q "^[12345]$" <<< "$SET_HARDENING_LEVEL" ; then if ! grep -q "^[12345]$" <<<"$SET_HARDENING_LEVEL"; then
echo "Bad --set-hardening-level specified ('$SET_HARDENING_LEVEL'), expected 1 to 5" echo "Bad --set-hardening-level specified ('$SET_HARDENING_LEVEL'), expected 1 to 5"
exit 1 exit 1
fi fi
@ -207,7 +207,7 @@ if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ] ; then
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
SCRIPT_BASENAME=$(basename $SCRIPT .sh) SCRIPT_BASENAME=$(basename $SCRIPT .sh)
script_level=$(grep "^HARDENING_LEVEL=" "$SCRIPT" | cut -d= -f2) script_level=$(grep "^HARDENING_LEVEL=" "$SCRIPT" | cut -d= -f2)
if [ -z "$script_level" ] ; then if [ -z "$script_level" ]; then
echo "The script $SCRIPT_BASENAME doesn't have a hardening level, configuration untouched for it" echo "The script $SCRIPT_BASENAME doesn't have a hardening level, configuration untouched for it"
continue continue
fi fi
@ -226,11 +226,11 @@ fi
# Parse every scripts and execute them in the required mode # Parse every scripts and execute them in the required mode
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
if [ ${#TEST_LIST[@]} -gt 0 ] ; then if [ ${#TEST_LIST[@]} -gt 0 ]; then
# --only X has been specified at least once, is this script in my list ? # --only X has been specified at least once, is this script in my list ?
SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<< "$(basename $SCRIPT)") SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<<"$(basename $SCRIPT)")
SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<< "$SCRIPT_PREFIX") SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<<"$SCRIPT_PREFIX")
if ! grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<< "${TEST_LIST[@]}"; then if ! grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<<"${TEST_LIST[@]}"; then
# not in the list # not in the list
continue continue
fi fi
@ -258,30 +258,30 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
debug "Script $SCRIPT finished with exit code $SCRIPT_EXITCODE" debug "Script $SCRIPT finished with exit code $SCRIPT_EXITCODE"
case $SCRIPT_EXITCODE in case $SCRIPT_EXITCODE in
0) 0)
debug "$SCRIPT passed" debug "$SCRIPT passed"
PASSED_CHECKS=$((PASSED_CHECKS+1)) PASSED_CHECKS=$((PASSED_CHECKS + 1))
if [ $AUDIT_ALL_ENABLE_PASSED = 1 ] ; then if [ $AUDIT_ALL_ENABLE_PASSED = 1 ]; then
SCRIPT_BASENAME=$(basename $SCRIPT .sh) SCRIPT_BASENAME=$(basename $SCRIPT .sh)
sed -i -re 's/^status=.+/status=enabled/' $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg sed -i -re 's/^status=.+/status=enabled/' $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg
info "Status set to enabled in $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg" info "Status set to enabled in $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
fi fi
;; ;;
1) 1)
debug "$SCRIPT failed" debug "$SCRIPT failed"
FAILED_CHECKS=$((FAILED_CHECKS+1)) FAILED_CHECKS=$((FAILED_CHECKS + 1))
;; ;;
2) 2)
debug "$SCRIPT is disabled" debug "$SCRIPT is disabled"
DISABLED_CHECKS=$((DISABLED_CHECKS+1)) DISABLED_CHECKS=$((DISABLED_CHECKS + 1))
;; ;;
esac esac
TOTAL_CHECKS=$((TOTAL_CHECKS+1)) TOTAL_CHECKS=$((TOTAL_CHECKS + 1))
done done
TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS-DISABLED_CHECKS)) TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS - DISABLED_CHECKS))
if [ $BATCH_MODE ]; then if [ $BATCH_MODE ]; then
BATCH_SUMMARY="AUDIT_SUMMARY " BATCH_SUMMARY="AUDIT_SUMMARY "
@ -289,7 +289,7 @@ if [ $BATCH_MODE ]; then
BATCH_SUMMARY+="RUN_CHECKS:${TOTAL_TREATED_CHECKS:-0} " BATCH_SUMMARY+="RUN_CHECKS:${TOTAL_TREATED_CHECKS:-0} "
BATCH_SUMMARY+="TOTAL_CHECKS_AVAIL:${TOTAL_CHECKS:-0}" BATCH_SUMMARY+="TOTAL_CHECKS_AVAIL:${TOTAL_CHECKS:-0}"
if [ $TOTAL_TREATED_CHECKS != 0 ]; then if [ $TOTAL_TREATED_CHECKS != 0 ]; then
CONFORMITY_PERCENTAGE=$(bc -l <<< "scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100") CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:$(printf "%s" "$CONFORMITY_PERCENTAGE")" BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:$(printf "%s" "$CONFORMITY_PERCENTAGE")"
else else
BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0 BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0
@ -297,17 +297,17 @@ if [ $BATCH_MODE ]; then
becho $BATCH_SUMMARY becho $BATCH_SUMMARY
else else
printf "%40s\n" "################### SUMMARY ###################" printf "%40s\n" "################### SUMMARY ###################"
printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS" printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"
printf "%30s %s\n" "Total Runned Checks :" "$TOTAL_TREATED_CHECKS" printf "%30s %s\n" "Total Runned Checks :" "$TOTAL_TREATED_CHECKS"
printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS" printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS" printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
ENABLED_CHECKS_PERCENTAGE=$(bc -l <<< "scale=2; ($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100") ENABLED_CHECKS_PERCENTAGE=$(bc -l <<<"scale=2; ($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100")
CONFORMITY_PERCENTAGE=$(bc -l <<< "scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100") CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
printf "%30s %s %%\n" "Enabled Checks Percentage :" "$ENABLED_CHECKS_PERCENTAGE" printf "%30s %s %%\n" "Enabled Checks Percentage :" "$ENABLED_CHECKS_PERCENTAGE"
if [ $TOTAL_TREATED_CHECKS != 0 ]; then if [ $TOTAL_TREATED_CHECKS != 0 ]; then
printf "%30s %s %%\n" "Conformity Percentage :" "$CONFORMITY_PERCENTAGE" printf "%30s %s %%\n" "Conformity Percentage :" "$CONFORMITY_PERCENTAGE"
else else
printf "%30s %s %%\n" "Conformity Percentage :" "N.A" # No check runned, avoid division by 0 printf "%30s %s %%\n" "Conformity Percentage :" "N.A" # No check runned, avoid division by 0
fi fi
fi fi

View File

@ -20,9 +20,8 @@ DESCRIPTION="Disable mounting of freevxfs filesystems."
KERNEL_OPTION="CONFIG_VXFS_FS" KERNEL_OPTION="CONFIG_VXFS_FS"
MODULE_NAME="freevxfs" MODULE_NAME="freevxfs"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!" crit "$KERNEL_OPTION is enabled!"
@ -32,7 +31,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
is_kernel_option_enabled "$KERNEL_OPTION" is_kernel_option_enabled "$KERNEL_OPTION"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
@ -48,18 +47,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -20,9 +20,8 @@ DESCRIPTION="Disable mounting of jffs2 filesystems."
KERNEL_OPTION="CONFIG_JFFS2_FS" KERNEL_OPTION="CONFIG_JFFS2_FS"
MODULE_NAME="jffs2" MODULE_NAME="jffs2"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!" crit "$KERNEL_OPTION is enabled!"
@ -32,7 +31,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
is_kernel_option_enabled "$KERNEL_OPTION" is_kernel_option_enabled "$KERNEL_OPTION"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
@ -48,18 +47,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -20,9 +20,8 @@ DESCRIPTION="Disable mounting of hfs filesystems."
KERNEL_OPTION="CONFIG_HFS_FS" KERNEL_OPTION="CONFIG_HFS_FS"
MODULE_FILE="hfs" MODULE_FILE="hfs"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!" crit "$KERNEL_OPTION is enabled!"
@ -32,7 +31,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
is_kernel_option_enabled "$KERNEL_OPTION" is_kernel_option_enabled "$KERNEL_OPTION"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
@ -48,18 +47,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -20,9 +20,8 @@ DESCRIPTION="Disable mounting of hfsplus filesystems."
KERNEL_OPTION="CONFIG_HFSPLUS_FS" KERNEL_OPTION="CONFIG_HFSPLUS_FS"
MODULE_FILE="hfsplus" MODULE_FILE="hfsplus"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!" crit "$KERNEL_OPTION is enabled!"
@ -32,7 +31,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
is_kernel_option_enabled "$KERNEL_OPTION" is_kernel_option_enabled "$KERNEL_OPTION"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
@ -48,18 +47,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -20,9 +20,8 @@ DESCRIPTION="Disable mounting of udf filesystems."
KERNEL_OPTION="CONFIG_UDF_FS" KERNEL_OPTION="CONFIG_UDF_FS"
MODULE_FILE="udf" MODULE_FILE="udf"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!" crit "$KERNEL_OPTION is enabled!"
@ -32,7 +31,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
is_kernel_option_enabled "$KERNEL_OPTION" is_kernel_option_enabled "$KERNEL_OPTION"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
@ -48,18 +47,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -20,9 +20,8 @@ DESCRIPTION="Disable mounting of cramfs filesystems."
KERNEL_OPTION="CONFIG_CRAMFS" KERNEL_OPTION="CONFIG_CRAMFS"
MODULE_NAME="cramfs" MODULE_NAME="cramfs"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!" crit "$KERNEL_OPTION is enabled!"
@ -33,7 +32,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
is_kernel_option_enabled "$KERNEL_OPTION" is_kernel_option_enabled "$KERNEL_OPTION"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
@ -50,18 +49,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -20,9 +20,8 @@ DESCRIPTION="Disable mounting of squashfs filesytems."
KERNEL_OPTION="CONFIG_SQUASHFS" KERNEL_OPTION="CONFIG_SQUASHFS"
MODULE_FILE="squashfs" MODULE_FILE="squashfs"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!" crit "$KERNEL_OPTION is enabled!"
@ -33,7 +32,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
is_kernel_option_enabled "$KERNEL_OPTION" is_kernel_option_enabled "$KERNEL_OPTION"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
@ -50,18 +49,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -22,7 +22,7 @@ PARTITION="/var/tmp"
OPTION="noexec" OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
@ -40,16 +40,16 @@ audit () {
has_mounted_option "$PARTITION" "$OPTION" has_mounted_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime" warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3 FNRET=3
else else
ok "$PARTITION mounted with $OPTION" ok "$PARTITION mounted with $OPTION"
fi fi
fi fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then elif [ "$FNRET" = 2 ]; then
@ -62,7 +62,7 @@ apply () {
elif [ "$FNRET" = 3 ]; then elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab" info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION" remount_partition "$PARTITION"
fi fi
} }
# This function will check config parameters required # This function will check config parameters required
@ -73,18 +73,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -21,7 +21,7 @@ DESCRIPTION="/var/log on separate partition."
PARTITION="/var/log" PARTITION="/var/log"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
@ -41,7 +41,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then elif [ "$FNRET" = 2 ]; then
@ -60,18 +60,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -20,7 +20,7 @@ DESCRIPTION="/var/log/audit on a separate partition."
PARTITION="/var/log/audit" PARTITION="/var/log/audit"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
@ -40,7 +40,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then elif [ "$FNRET" = 2 ]; then
@ -59,18 +59,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -21,7 +21,7 @@ DESCRIPTION="/home on a separate partition."
PARTITION="/home" PARTITION="/home"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
@ -41,7 +41,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then elif [ "$FNRET" = 2 ]; then
@ -60,18 +60,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -22,7 +22,7 @@ PARTITION="/home"
OPTION="nodev" OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
@ -49,7 +49,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then elif [ "$FNRET" = 2 ]; then
@ -73,18 +73,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -22,7 +22,7 @@ PARTITION="/run/shm"
OPTION="nodev" OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
PARTITION=$(readlink -e "$PARTITION") PARTITION=$(readlink -e "$PARTITION")
FNRET=0 FNRET=0
@ -50,7 +50,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then elif [ "$FNRET" = 2 ]; then
@ -74,12 +74,12 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi

View File

@ -22,7 +22,7 @@ PARTITION="/run/shm"
OPTION="nosuid" OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
PARTITION=$(readlink -e "$PARTITION") PARTITION=$(readlink -e "$PARTITION")
FNRET=0 FNRET=0
@ -50,7 +50,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then elif [ "$FNRET" = 2 ]; then
@ -74,12 +74,12 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi

View File

@ -22,7 +22,7 @@ PARTITION="/run/shm"
OPTION="noexec" OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
PARTITION=$(readlink -e "$PARTITION") PARTITION=$(readlink -e "$PARTITION")
FNRET=0 FNRET=0
@ -50,7 +50,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then elif [ "$FNRET" = 2 ]; then
@ -74,12 +74,12 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi

View File

@ -24,7 +24,7 @@ PARTITION="/media\S*"
OPTION="nodev" OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Verifying if there is $PARTITION like partition" info "Verifying if there is $PARTITION like partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
@ -44,7 +44,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ "$FNRET" = 1 ]; then elif [ "$FNRET" = 1 ]; then
@ -61,18 +61,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -24,7 +24,7 @@ PARTITION="/media\S*"
OPTION="nosuid" OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Verifying if there is $PARTITION like partition" info "Verifying if there is $PARTITION like partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
@ -44,7 +44,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ "$FNRET" = 1 ]; then elif [ "$FNRET" = 1 ]; then
@ -61,18 +61,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -24,7 +24,7 @@ PARTITION="/media\S*"
OPTION="noexec" OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Verifying if there is $PARTITION like partition" info "Verifying if there is $PARTITION like partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
@ -44,7 +44,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ "$FNRET" = 1 ]; then elif [ "$FNRET" = 1 ]; then
@ -61,18 +61,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -18,13 +18,13 @@ HARDENING_LEVEL=2
DESCRIPTION="Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them." DESCRIPTION="Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them."
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Checking if setuid is set on world writable Directories" info "Checking if setuid is set on world writable Directories"
FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} ) FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'})
RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null) RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then if [ ! -z "$RESULT" ]; then
crit "Some world writable directories are not on sticky bit mode!" crit "Some world writable directories are not on sticky bit mode!"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ') FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT" crit "$FORMATTED_RESULT"
else else
ok "All world writable directories have a sticky bit" ok "All world writable directories have a sticky bit"
@ -32,7 +32,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null) RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then if [ ! -z "$RESULT" ]; then
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
@ -49,18 +49,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -20,7 +20,7 @@ DESCRIPTION="Disable automounting of devices."
SERVICE_NAME="autofs" SERVICE_NAME="autofs"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Checking if $SERVICE_NAME is enabled" info "Checking if $SERVICE_NAME is enabled"
is_service_enabled "$SERVICE_NAME" is_service_enabled "$SERVICE_NAME"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -31,12 +31,12 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
info "Checking if $SERVICE_NAME is enabled" info "Checking if $SERVICE_NAME is enabled"
is_service_enabled "$SERVICE_NAME" is_service_enabled "$SERVICE_NAME"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
info "Disabling $SERVICE_NAME" info "Disabling $SERVICE_NAME"
update-rc.d $SERVICE_NAME remove > /dev/null 2>&1 update-rc.d $SERVICE_NAME remove >/dev/null 2>&1
else else
ok "$SERVICE_NAME is disabled" ok "$SERVICE_NAME is disabled"
fi fi
@ -49,18 +49,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -21,7 +21,7 @@ DESCRIPTION="Ensure /tmp is configured (Scored)"
PARTITION="/tmp" PARTITION="/tmp"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
@ -41,7 +41,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then elif [ "$FNRET" = 2 ]; then
@ -60,18 +60,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -22,7 +22,7 @@ PARTITION="/tmp"
OPTION="nodev" OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
@ -40,16 +40,16 @@ audit () {
has_mounted_option "$PARTITION" "$OPTION" has_mounted_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime" warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3 FNRET=3
else else
ok "$PARTITION mounted with $OPTION" ok "$PARTITION mounted with $OPTION"
fi fi
fi fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then elif [ "$FNRET" = 2 ]; then
@ -62,7 +62,7 @@ apply () {
elif [ "$FNRET" = 3 ]; then elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab" info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION" remount_partition "$PARTITION"
fi fi
} }
# This function will check config parameters required # This function will check config parameters required
@ -73,18 +73,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -22,7 +22,7 @@ PARTITION="/tmp"
OPTION="nosuid" OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
@ -49,7 +49,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then elif [ "$FNRET" = 2 ]; then
@ -73,18 +73,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -22,7 +22,7 @@ PARTITION="/tmp"
OPTION="noexec" OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
@ -49,7 +49,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then elif [ "$FNRET" = 2 ]; then
@ -73,18 +73,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -21,7 +21,7 @@ DESCRIPTION="/var on a separate partition."
PARTITION="/var" PARTITION="/var"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
@ -38,12 +38,12 @@ audit () {
ok "$PARTITION is mounted" ok "$PARTITION is mounted"
fi fi
fi fi
: :
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then elif [ "$FNRET" = 2 ]; then
@ -62,18 +62,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -21,7 +21,7 @@ DESCRIPTION="/var/tmp on a separate partition."
PARTITION="/var/tmp" PARTITION="/var/tmp"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
@ -38,12 +38,12 @@ audit () {
ok "$PARTITION is mounted" ok "$PARTITION is mounted"
fi fi
fi fi
: :
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then elif [ "$FNRET" = 2 ]; then
@ -62,18 +62,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -22,7 +22,7 @@ PARTITION="/var/tmp"
OPTION="nodev" OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
@ -40,16 +40,16 @@ audit () {
has_mounted_option "$PARTITION" "$OPTION" has_mounted_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime" warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3 FNRET=3
else else
ok "$PARTITION mounted with $OPTION" ok "$PARTITION mounted with $OPTION"
fi fi
fi fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then elif [ "$FNRET" = 2 ]; then
@ -62,7 +62,7 @@ apply () {
elif [ "$FNRET" = 3 ]; then elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab" info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION" remount_partition "$PARTITION"
fi fi
} }
# This function will check config parameters required # This function will check config parameters required
@ -73,18 +73,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -22,7 +22,7 @@ PARTITION="/var/tmp"
OPTION="nosuid" OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Verifying that $PARTITION is a partition" info "Verifying that $PARTITION is a partition"
FNRET=0 FNRET=0
is_a_partition "$PARTITION" is_a_partition "$PARTITION"
@ -40,16 +40,16 @@ audit () {
has_mounted_option "$PARTITION" "$OPTION" has_mounted_option "$PARTITION" "$OPTION"
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime" warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3 FNRET=3
else else
ok "$PARTITION mounted with $OPTION" ok "$PARTITION mounted with $OPTION"
fi fi
fi fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set" ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then elif [ "$FNRET" = 2 ]; then
@ -62,7 +62,7 @@ apply () {
elif [ "$FNRET" = 3 ]; then elif [ "$FNRET" = 3 ]; then
info "Remounting $PARTITION from fstab" info "Remounting $PARTITION from fstab"
remount_partition "$PARTITION" remount_partition "$PARTITION"
fi fi
} }
# This function will check config parameters required # This function will check config parameters required
@ -73,18 +73,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -25,24 +25,24 @@ GROUP='root'
PERMISSIONS='400' PERMISSIONS='400'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
has_file_correct_ownership "$FILE" "$USER" "$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
crit "$FILE ownership was not set to $USER:$GROUP" crit "$FILE ownership was not set to $USER:$GROUP"
fi fi
has_file_correct_permissions "$FILE" "$PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
else else
crit "$FILE permissions were not set to $PERMISSIONS" crit "$FILE permissions were not set to $PERMISSIONS"
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
has_file_correct_ownership "$FILE" "$USER" "$GROUP" has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
@ -87,18 +87,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -22,7 +22,7 @@ USER_PATTERN="^set superusers"
PWD_PATTERN="^password_pbkdf2" PWD_PATTERN="^password_pbkdf2"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
does_pattern_exist_in_file $FILE "$USER_PATTERN" does_pattern_exist_in_file $FILE "$USER_PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$USER_PATTERN not present in $FILE" crit "$USER_PATTERN not present in $FILE"
@ -38,7 +38,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
does_pattern_exist_in_file $FILE "$USER_PATTERN" does_pattern_exist_in_file $FILE "$USER_PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$USER_PATTERN not present in $FILE, please configure password for grub" warn "$USER_PATTERN not present in $FILE, please configure password for grub"
@ -69,18 +69,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -21,7 +21,7 @@ FILE="/etc/shadow"
PATTERN="^root:[*\!]:" PATTERN="^root:[*\!]:"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
does_pattern_exist_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE $PATTERN
if [ "$FNRET" != 1 ]; then if [ "$FNRET" != 1 ]; then
crit "$PATTERN is present in $FILE" crit "$PATTERN is present in $FILE"
@ -31,7 +31,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
does_pattern_exist_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE $PATTERN
if [ "$FNRET" != 1 ]; then if [ "$FNRET" != 1 ]; then
warn "$PATTERN is present in $FILE, please put a root password" warn "$PATTERN is present in $FILE, please put a root password"
@ -48,18 +48,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -24,7 +24,7 @@ SYSCTL_PARAM='fs.suid_dumpable'
SYSCTL_EXP_RESULT=0 SYSCTL_EXP_RESULT=0
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
SEARCH_RES=0 SEARCH_RES=0
LIMIT_FILES="" LIMIT_FILES=""
if $SUDO_CMD [ -d $LIMIT_DIR ]; then if $SUDO_CMD [ -d $LIMIT_DIR ]; then
@ -57,7 +57,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$LIMIT_PATTERN not present in $LIMIT_FILE, adding at the end of $LIMIT_FILE" warn "$LIMIT_PATTERN not present in $LIMIT_FILE, adding at the end of $LIMIT_FILE"
@ -73,7 +73,7 @@ apply () {
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi fi
} }
@ -84,18 +84,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -34,7 +34,7 @@ nx_supported_and_enabled() {
} }
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
does_pattern_exist_in_dmesg $PATTERN does_pattern_exist_in_dmesg $PATTERN
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
nx_supported_and_enabled nx_supported_and_enabled
@ -49,7 +49,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
does_pattern_exist_in_dmesg $PATTERN does_pattern_exist_in_dmesg $PATTERN
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
nx_supported_and_enabled nx_supported_and_enabled
@ -70,18 +70,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -21,7 +21,7 @@ SYSCTL_PARAM='kernel.randomize_va_space'
SYSCTL_EXP_RESULT=2 SYSCTL_EXP_RESULT=2
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
@ -33,7 +33,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
@ -52,18 +52,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -20,7 +20,7 @@ DESCRIPTION="Disable prelink to prevent libraries compromission."
PACKAGE='prelink' PACKAGE='prelink'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!" crit "$PACKAGE is installed!"
@ -31,7 +31,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
@ -51,18 +51,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -20,7 +20,7 @@ DESCRIPTION="Activate AppArmor to enforce permissions control."
PACKAGE='apparmor' PACKAGE='apparmor'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is absent!" crit "$PACKAGE is absent!"
@ -30,7 +30,7 @@ audit () {
ERROR=0 ERROR=0
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg) RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
# define custom IFS and save default one # define custom IFS and save default one
d_IFS=$IFS d_IFS=$IFS
c_IFS=$'\n' c_IFS=$'\n'
@ -44,12 +44,12 @@ audit () {
IFS=$d_IFS IFS=$d_IFS
if [ $ERROR = 0 ]; then if [ $ERROR = 0 ]; then
ok "$PACKAGE is configured" ok "$PACKAGE is configured"
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed, please install $PACKAGE and configure it" crit "$PACKAGE is not installed, please install $PACKAGE and configure it"
@ -59,7 +59,7 @@ apply () {
ERROR=0 ERROR=0
RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg) RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
# define custom IFS and save default one # define custom IFS and save default one
d_IFS=$IFS d_IFS=$IFS
c_IFS=$'\n' c_IFS=$'\n'
@ -71,7 +71,7 @@ apply () {
fi fi
done done
IFS=$d_IFS IFS=$d_IFS
if [ $ERROR = 1 ]; then if [ $ERROR = 1 ]; then
$SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor/" /etc/default/grub $SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor/" /etc/default/grub
$SUDO_CMD update-grub $SUDO_CMD update-grub
@ -87,18 +87,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -21,7 +21,7 @@ FILE='/etc/motd'
PATTERN='(\\v|\\r|\\m|\\s)' PATTERN='(\\v|\\r|\\m|\\s)'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PATTERN is present in $FILE" crit "$PATTERN is present in $FILE"
@ -31,7 +31,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
warn "$PATTERN is present in $FILE" warn "$PATTERN is present in $FILE"
@ -48,18 +48,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -21,7 +21,7 @@ FILE='/etc/issue'
PATTERN='(\\v|\\r|\\m|\\s)' PATTERN='(\\v|\\r|\\m|\\s)'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PATTERN is present in $FILE" crit "$PATTERN is present in $FILE"
@ -31,7 +31,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
warn "$PATTERN is present in $FILE" warn "$PATTERN is present in $FILE"
@ -48,18 +48,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -21,7 +21,7 @@ FILE='/etc/issue.net'
PATTERN='(\\v|\\r|\\m|\\s)' PATTERN='(\\v|\\r|\\m|\\s)'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PATTERN is present in $FILE" crit "$PATTERN is present in $FILE"
@ -31,7 +31,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
warn "$PATTERN is present in $FILE" warn "$PATTERN is present in $FILE"
@ -48,18 +48,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -23,7 +23,7 @@ GROUP='root'
FILE='/etc/motd' FILE='/etc/motd'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
does_file_exist $FILE does_file_exist $FILE
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
@ -44,7 +44,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
does_file_exist $FILE does_file_exist $FILE
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
info "$FILE does not exist" info "$FILE does not exist"
@ -73,18 +73,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -23,7 +23,7 @@ GROUP='root'
FILE='/etc/issue' FILE='/etc/issue'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
does_file_exist $FILE does_file_exist $FILE
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
@ -44,7 +44,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
does_file_exist $FILE does_file_exist $FILE
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
info "$FILE does not exist" info "$FILE does not exist"
@ -73,18 +73,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -23,7 +23,7 @@ GROUP='root'
FILE='/etc/issue.net' FILE='/etc/issue.net'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
does_file_exist $FILE does_file_exist $FILE
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
@ -44,7 +44,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
does_file_exist $FILE does_file_exist $FILE
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
info "$FILE does not exist" info "$FILE does not exist"
@ -73,18 +73,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -18,12 +18,12 @@ HARDENING_LEVEL=3
DESCRIPTION="Set graphical warning banner." DESCRIPTION="Set graphical warning banner."
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Not implemented yet" info "Not implemented yet"
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
info "Not implemented yet" info "Not implemented yet"
} }
@ -34,18 +34,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -18,9 +18,9 @@ HARDENING_LEVEL=3
DESCRIPTION="Ensure updates, patches, and additional security software are installed (Not Scored)" DESCRIPTION="Ensure updates, patches, and additional security software are installed (Not Scored)"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Checking if apt needs an update" info "Checking if apt needs an update"
apt_update_if_needed apt_update_if_needed
info "Fetching upgrades ..." info "Fetching upgrades ..."
apt_check_updates "CIS_APT" apt_check_updates "CIS_APT"
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
@ -33,8 +33,8 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
if [ $FNRET -gt 0 ]; then if [ $FNRET -gt 0 ]; then
info "Applying Upgrades..." info "Applying Upgrades..."
DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' upgrade -y DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' upgrade -y
else else
@ -50,18 +50,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -20,7 +20,7 @@ DESCRIPTION="Ensure xinetd is not enabled."
PACKAGE='xinetd' PACKAGE='xinetd'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed" crit "$PACKAGE is installed"
@ -30,7 +30,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
warn "$PACKAGE is installed, purging" warn "$PACKAGE is installed, purging"
@ -48,18 +48,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -20,7 +20,7 @@ DESCRIPTION="Ensure bsd-inetd is not enabled."
PACKAGES='openbsd-inetd inetutils-inetd' PACKAGES='openbsd-inetd inetutils-inetd'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -32,7 +32,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -52,18 +52,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -20,7 +20,7 @@ DESCRIPTION="Ensure time synchronization is in use"
PACKAGES="ntp chrony" PACKAGES="ntp chrony"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
FOUND=false FOUND=false
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
@ -29,13 +29,13 @@ audit () {
FOUND=true FOUND=true
fi fi
done done
if [ "$FOUND" = false ]; then if [ "$FOUND" = false ]; then
crit "None of the following time sync packages are installed: $PACKAGES" crit "None of the following time sync packages are installed: $PACKAGES"
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
: :
} }
@ -46,22 +46,20 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

View File

@ -26,7 +26,7 @@ NTP_INIT_PATTERN='RUNASUSER=ntp'
NTP_INIT_FILE='/etc/init.d/ntp' NTP_INIT_FILE='/etc/init.d/ntp'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!" crit "$PACKAGE is not installed!"
@ -48,31 +48,31 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
else else
crit "$PACKAGE is absent, installing it" crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE apt_install $PACKAGE
info "Checking $PACKAGE configuration" info "Checking $PACKAGE configuration"
fi fi
does_pattern_exist_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN does_pattern_exist_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE, adding it" warn "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE, adding it"
backup_file $NTP_CONF_FILE backup_file $NTP_CONF_FILE
add_end_of_file $NTP_CONF_FILE "restrict -4 default kod notrap nomodify nopeer noquery" add_end_of_file $NTP_CONF_FILE "restrict -4 default kod notrap nomodify nopeer noquery"
else else
ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE" ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
fi fi
does_pattern_exist_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN" does_pattern_exist_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE, adding it" warn "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE, adding it"
backup_file $NTP_INIT_FILE backup_file $NTP_INIT_FILE
add_line_file_before_pattern $NTP_INIT_FILE $NTP_INIT_PATTERN "^UGID" add_line_file_before_pattern $NTP_INIT_FILE $NTP_INIT_PATTERN "^UGID"
else else
ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE" ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
fi fi
} }
# This function will check config parameters required # This function will check config parameters required
@ -82,18 +82,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -24,7 +24,7 @@ CONF_DEFAULT_PATTERN='^(server|pool)'
CONF_FILE='/etc/chrony/chrony.conf' CONF_FILE='/etc/chrony/chrony.conf'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!" crit "$PACKAGE is not installed!"
@ -40,7 +40,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
: :
} }
@ -51,18 +51,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -23,7 +23,7 @@ HARDENING_EXCEPTION=http
PACKAGES='nginx apache2 lighttpd micro-httpd mini-httpd yaws boa bozohttpd' PACKAGES='nginx apache2 lighttpd micro-httpd mini-httpd yaws boa bozohttpd'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -35,7 +35,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -55,18 +55,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -23,7 +23,7 @@ HARDENING_EXCEPTION=mail
PACKAGES='citadel-server courier-imap cyrus-imapd-2.4 dovecot-imapd mailutils-imap4d courier-pop cyrus-pop3d-2.4 dovecot-pop3d heimdal-servers mailutils-pop3d popa3d solid-pop3d xmail' PACKAGES='citadel-server courier-imap cyrus-imapd-2.4 dovecot-imapd mailutils-imap4d courier-pop cyrus-pop3d-2.4 dovecot-pop3d heimdal-servers mailutils-pop3d popa3d solid-pop3d xmail'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -35,7 +35,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -55,18 +55,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -23,7 +23,7 @@ PACKAGES='samba'
SERVICE='smbd' SERVICE='smbd'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -41,7 +41,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -68,18 +68,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -22,7 +22,7 @@ HARDENING_EXCEPTION=http
PACKAGES='squid3 squid' PACKAGES='squid3 squid'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -34,7 +34,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -54,18 +54,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -22,7 +22,7 @@ HARDENING_EXCEPTION=snmp
PACKAGES='snmpd' PACKAGES='snmpd'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -34,7 +34,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -54,18 +54,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -20,7 +20,7 @@ DESCRIPTION="Configure Mail Transfert Agent for Local-Only Mode."
HARDENING_EXCEPTION=mail HARDENING_EXCEPTION=mail
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Checking netport ports opened" info "Checking netport ports opened"
RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || : RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || :
RESULT=${RESULT:-} RESULT=${RESULT:-}
@ -29,7 +29,7 @@ audit () {
ok "Nothing listens on 25 port, probably unix socket configured" ok "Nothing listens on 25 port, probably unix socket configured"
else else
info "Checking $RESULT" info "Checking $RESULT"
if $(grep -q "127.0.0.1" <<< $RESULT); then if $(grep -q "127.0.0.1" <<<$RESULT); then
ok "MTA is configured to localhost only" ok "MTA is configured to localhost only"
else else
crit "MTA listens worldwide" crit "MTA listens worldwide"
@ -38,7 +38,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
info "Checking netport ports opened" info "Checking netport ports opened"
RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || : RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || :
RESULT=${RESULT:-} RESULT=${RESULT:-}
@ -47,7 +47,7 @@ apply () {
ok "Nothing listens on 25 port, probably unix socket configured" ok "Nothing listens on 25 port, probably unix socket configured"
else else
info "Checking $RESULT" info "Checking $RESULT"
if $(grep -q "127.0.0.1" <<< $RESULT); then if $(grep -q "127.0.0.1" <<<$RESULT); then
ok "MTA is configured to localhost only" ok "MTA is configured to localhost only"
else else
warn "MTA listens worldwide, correct this considering your MTA" warn "MTA listens worldwide, correct this considering your MTA"
@ -63,18 +63,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -25,7 +25,7 @@ RSYNC_DEFAULT_FILE='/etc/default/rsync'
RSYNC_DEFAULT_PATTERN_TO_SEARCH='RSYNC_ENABLE=true' RSYNC_DEFAULT_PATTERN_TO_SEARCH='RSYNC_ENABLE=true'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
ok "$PACKAGE is not installed" ok "$PACKAGE is not installed"
@ -41,7 +41,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
ok "$PACKAGE is not installed" ok "$PACKAGE is not installed"
@ -65,18 +65,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -25,7 +25,7 @@ FILE='/etc/inetd.conf'
PATTERN='^telnet' PATTERN='^telnet'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -48,7 +48,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -67,7 +67,7 @@ apply () {
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
warn "$PATTERN is present in $FILE, purging it" warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<<$PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else else
ok "$PATTERN is not present in $FILE" ok "$PATTERN is not present in $FILE"
@ -83,18 +83,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -23,7 +23,7 @@ HARDENING_EXCEPTION=x11
PACKAGES='xserver-xorg-core xserver-xorg-core-dbg xserver-common xserver-xephyr xserver-xfbdev tightvncserver vnc4server fglrx-driver xvfb xserver-xorg-video-nvidia-legacy-173xx xserver-xorg-video-nvidia-legacy-96xx xnest' PACKAGES='xserver-xorg-core xserver-xorg-core-dbg xserver-common xserver-xephyr xserver-xfbdev tightvncserver vnc4server fglrx-driver xvfb xserver-xorg-video-nvidia-legacy-173xx xserver-xorg-video-nvidia-legacy-96xx xnest'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -35,7 +35,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -55,18 +55,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -20,7 +20,7 @@ DESCRIPTION="Ensure Avahi server is not enabled."
PACKAGES='avahi-daemon libavahi-common-data libavahi-common3 libavahi-core7' PACKAGES='avahi-daemon libavahi-common-data libavahi-common3 libavahi-core7'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -32,7 +32,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -52,18 +52,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -22,7 +22,7 @@ HARDENING_EXCEPTION=cups
PACKAGES='libcups2 libcupscgi1 libcupsimage2 libcupsmime1 libcupsppdc1 cups-common cups-client cups-ppdc libcupsfilters1 cups-filters cups' PACKAGES='libcups2 libcupscgi1 libcupsimage2 libcupsmime1 libcupsppdc1 cups-common cups-client cups-ppdc libcupsfilters1 cups-filters cups'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -34,7 +34,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -54,18 +54,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -22,7 +22,7 @@ HARDENING_EXCEPTION=dhcp
PACKAGES='udhcpd isc-dhcp-server' PACKAGES='udhcpd isc-dhcp-server'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -34,7 +34,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -54,18 +54,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -22,7 +22,7 @@ HARDENING_EXCEPTION=ldap
PACKAGES='slapd' PACKAGES='slapd'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -34,7 +34,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -54,18 +54,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -22,7 +22,7 @@ HARDENING_EXCEPTION=nfs
PACKAGES='rpcbind nfs-kernel-server' PACKAGES='rpcbind nfs-kernel-server'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -34,7 +34,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -54,18 +54,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -22,7 +22,7 @@ HARDENING_EXCEPTION=dns
PACKAGES='bind9 unbound' PACKAGES='bind9 unbound'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -34,7 +34,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -54,18 +54,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -23,7 +23,7 @@ HARDENING_EXCEPTION=ftp
PACKAGES='ftpd ftpd-ssl heimdal-servers inetutils-ftpd krb5-ftpd muddleftpd proftpd-basic pure-ftpd pure-ftpd-ldap pure-ftpd-mysql pure-ftpd-postgresql twoftpd-run vsftpd wzdftpd' PACKAGES='ftpd ftpd-ssl heimdal-servers inetutils-ftpd krb5-ftpd muddleftpd proftpd-basic pure-ftpd pure-ftpd-ldap pure-ftpd-mysql pure-ftpd-postgresql twoftpd-run vsftpd wzdftpd'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -35,7 +35,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -55,18 +55,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -20,7 +20,7 @@ DESCRIPTION="Ensure that Network Information Service is not installed. Recommend
PACKAGE='nis' PACKAGE='nis'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!" crit "$PACKAGE is installed!"
@ -31,7 +31,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
@ -49,18 +49,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -21,8 +21,8 @@ DESCRIPTION="Ensure rsh client is not installed, Recommended alternative : ssh."
PACKAGES='rsh-client rsh-redone-client heimdal-clients' PACKAGES='rsh-client rsh-redone-client heimdal-clients'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed" crit "$PACKAGE is installed"
@ -33,8 +33,8 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
warn "$PACKAGE is installed, purging" warn "$PACKAGE is installed, purging"
@ -53,18 +53,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -20,7 +20,7 @@ DESCRIPTION="Ensure talk client is not installed."
PACKAGES='talk inetutils-talk' PACKAGES='talk inetutils-talk'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -32,7 +32,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -52,18 +52,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -20,7 +20,7 @@ DESCRIPTION="Ensure telnet client is not installed."
PACKAGES='telnet' PACKAGES='telnet'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -32,7 +32,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -52,18 +52,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -20,7 +20,7 @@ DESCRIPTION="Ensure ldap client is not installed."
PACKAGES='ldap-utils' PACKAGES='ldap-utils'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -32,7 +32,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for PACKAGE in $PACKAGES; do for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
@ -52,18 +52,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -1,6 +1,5 @@
#!/bin/bash #!/bin/bash
# run-shellcheck # run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
@ -23,7 +22,7 @@ SYSCTL_PARAMS='net.ipv4.ip_forward net.ipv6.conf.all.forwarding'
SYSCTL_EXP_RESULT=0 SYSCTL_EXP_RESULT=0
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for SYSCTL_PARAM in $SYSCTL_PARAMS; do for SYSCTL_PARAM in $SYSCTL_PARAMS; do
does_sysctl_param_exists "net.ipv6" does_sysctl_param_exists "net.ipv6"
if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_PARAM =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6 if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_PARAM =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
@ -40,13 +39,13 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for SYSCTL_PARAM in $SYSCTL_PARAMS; do for SYSCTL_PARAM in $SYSCTL_PARAMS; do
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
@ -62,18 +61,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -22,7 +22,7 @@ DESCRIPTION="Disable send packet redirects to prevent malicious ICMP corruption.
SYSCTL_PARAMS='net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0' SYSCTL_PARAMS='net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -39,7 +39,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -48,7 +48,7 @@ apply () {
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
@ -64,18 +64,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -20,7 +20,7 @@ DESCRIPTION="Disable source routed packet acceptance."
SYSCTL_PARAMS='' SYSCTL_PARAMS=''
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
does_sysctl_param_exists "net.ipv6" does_sysctl_param_exists "net.ipv6"
if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6 if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
@ -40,7 +40,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -49,7 +49,7 @@ apply () {
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT value -- Fixing" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT value -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
@ -73,18 +73,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -20,14 +20,14 @@ DESCRIPTION="Disable ICMP redirect acceptance to prevent routing table corruptio
SYSCTL_PARAMS='' SYSCTL_PARAMS=''
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
does_sysctl_param_exists "net.ipv6" does_sysctl_param_exists "net.ipv6"
if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6 if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT" debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT" crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
@ -41,7 +41,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -50,7 +50,7 @@ apply () {
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
@ -74,18 +74,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -20,7 +20,7 @@ DESCRIPTION="Disable secure ICMP redirect acceptance to prevent routing tables c
SYSCTL_PARAMS='net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure_redirects=0' SYSCTL_PARAMS='net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure_redirects=0'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -37,7 +37,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -46,7 +46,7 @@ apply () {
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
@ -62,18 +62,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -20,7 +20,7 @@ DESCRIPTION="Log suspicious packets, like spoofed packets."
SYSCTL_PARAMS='net.ipv4.conf.all.log_martians=1 net.ipv4.conf.default.log_martians=1' SYSCTL_PARAMS='net.ipv4.conf.all.log_martians=1 net.ipv4.conf.default.log_martians=1'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -37,7 +37,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -46,7 +46,7 @@ apply () {
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
@ -62,18 +62,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -20,7 +20,7 @@ DESCRIPTION="Ignore broadcast requests to prevent attacks such as Smurf attack."
SYSCTL_PARAMS='net.ipv4.icmp_echo_ignore_broadcasts=1' SYSCTL_PARAMS='net.ipv4.icmp_echo_ignore_broadcasts=1'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -37,7 +37,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -46,7 +46,7 @@ apply () {
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
@ -62,18 +62,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -20,7 +20,7 @@ DESCRIPTION="Enable bad error message protection to prevent logfiles fillup."
SYSCTL_PARAMS='net.ipv4.icmp_ignore_bogus_error_responses=1' SYSCTL_PARAMS='net.ipv4.icmp_ignore_bogus_error_responses=1'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -37,7 +37,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -46,7 +46,7 @@ apply () {
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
@ -62,20 +62,20 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128
fi fi

View File

@ -20,7 +20,7 @@ DESCRIPTION="Enable RFC-recommended source route validation."
SYSCTL_PARAMS='net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1' SYSCTL_PARAMS='net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -37,7 +37,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -46,7 +46,7 @@ apply () {
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
@ -62,18 +62,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -20,7 +20,7 @@ DESCRIPTION="Enable TCP-SYN cookie to prevent TCP-SYN flood attack."
SYSCTL_PARAMS='net.ipv4.tcp_syncookies=1' SYSCTL_PARAMS='net.ipv4.tcp_syncookies=1'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -37,7 +37,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1) SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2) SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -46,7 +46,7 @@ apply () {
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
@ -62,18 +62,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -20,7 +20,7 @@ DESCRIPTION="Disable IPv6 router advertisements."
SYSCTL_PARAMS='net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0' SYSCTL_PARAMS='net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
does_sysctl_param_exists "net.ipv6" does_sysctl_param_exists "net.ipv6"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
ok "ipv6 is disabled" ok "ipv6 is disabled"
@ -42,7 +42,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
does_sysctl_param_exists "net.ipv6" does_sysctl_param_exists "net.ipv6"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
ok "ipv6 is disabled" ok "ipv6 is disabled"
@ -55,7 +55,7 @@ apply () {
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT, fixing" warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT, fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?" warn "$SYSCTL_PARAM does not exist -- Typo?"
else else
@ -72,18 +72,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -20,7 +20,7 @@ DESCRIPTION="Install TCP wrappers for simple access list management and standard
PACKAGE='tcpd' PACKAGE='tcpd'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!" crit "$PACKAGE is not installed!"
@ -30,14 +30,14 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
else else
crit "$PACKAGE is absent, installing it" crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE apt_install $PACKAGE
fi fi
} }
# This function will check config parameters required # This function will check config parameters required
@ -47,18 +47,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -20,7 +20,7 @@ DESCRIPTION="Create /etc/hosts.allow ."
FILE='/etc/hosts.allow' FILE='/etc/hosts.allow'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
does_file_exist $FILE does_file_exist $FILE
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
@ -30,7 +30,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
does_file_exist $FILE does_file_exist $FILE
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist, creating it" warn "$FILE does not exist, creating it"
@ -48,18 +48,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -21,7 +21,7 @@ FILE='/etc/hosts.deny'
PATTERN='ALL: ALL' PATTERN='ALL: ALL'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
does_file_exist $FILE does_file_exist $FILE
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
@ -37,7 +37,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
does_file_exist $FILE does_file_exist $FILE
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist, creating it" warn "$FILE does not exist, creating it"
@ -62,18 +62,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -23,7 +23,7 @@ USER='root'
GROUP='root' GROUP='root'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
has_file_correct_permissions "$FILE" "$PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
@ -39,7 +39,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
has_file_correct_permissions "$FILE" "$PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
@ -56,18 +56,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -23,7 +23,7 @@ USER='root'
GROUP='root' GROUP='root'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
has_file_correct_permissions "$FILE" "$PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
@ -39,7 +39,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
has_file_correct_permissions "$FILE" "$PERMISSIONS" has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions" ok "$FILE has correct permissions"
@ -56,18 +56,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -18,12 +18,12 @@ HARDENING_LEVEL=2
DESCRIPTION="Disable Datagram Congestion Control Protocol (DCCP)." DESCRIPTION="Disable Datagram Congestion Control Protocol (DCCP)."
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Not implemented yet" info "Not implemented yet"
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
info "Not implemented yet" info "Not implemented yet"
} }
@ -34,18 +34,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -18,12 +18,12 @@ HARDENING_LEVEL=2
DESCRIPTION="Disable Stream Control Transmission Protocol (SCTP)." DESCRIPTION="Disable Stream Control Transmission Protocol (SCTP)."
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Not implemented yet" info "Not implemented yet"
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
info "Not implemented yet" info "Not implemented yet"
} }
@ -34,18 +34,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -18,12 +18,12 @@ HARDENING_LEVEL=2
DESCRIPTION="Disable Reliable Datagram Sockets (RDS)." DESCRIPTION="Disable Reliable Datagram Sockets (RDS)."
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Not implemented yet" info "Not implemented yet"
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
info "Not implemented yet" info "Not implemented yet"
} }
@ -34,18 +34,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -18,12 +18,12 @@ HARDENING_LEVEL=2
DESCRIPTION="Disable Transperent Inter-Process Communication (TIPC)." DESCRIPTION="Disable Transperent Inter-Process Communication (TIPC)."
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Not implemented yet" info "Not implemented yet"
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
info "Not implemented yet" info "Not implemented yet"
} }
@ -34,18 +34,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -22,12 +22,12 @@ FW_CHAINS="INPUT FORWARD"
FW_POLICY="DROP" FW_POLICY="DROP"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!" crit "$PACKAGE is not installed!"
else else
ipt=$($SUDO_CMD $PACKAGE -nL 2>/dev/null || true ) ipt=$($SUDO_CMD $PACKAGE -nL 2>/dev/null || true)
if [[ -z $ipt ]]; then if [[ -z $ipt ]]; then
crit "Empty return from $PACKAGE command. Aborting..." crit "Empty return from $PACKAGE command. Aborting..."
return return
@ -50,7 +50,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
: :
} }
@ -61,12 +61,12 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi

View File

@ -17,13 +17,13 @@ HARDENING_LEVEL=2
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Ensure firewall is active (iptables is installed, does not check for its configuration)." DESCRIPTION="Ensure firewall is active (iptables is installed, does not check for its configuration)."
# Quick note here : CIS recommends your iptables rules to be persistent. # Quick note here : CIS recommends your iptables rules to be persistent.
# Do as you want, but this script does not handle this # Do as you want, but this script does not handle this
PACKAGE='iptables' PACKAGE='iptables'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!" crit "$PACKAGE is not installed!"
@ -33,14 +33,14 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
is_pkg_installed "$PACKAGE" is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then if [ "$FNRET" = 0 ]; then
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
else else
crit "$PACKAGE is absent, installing it" crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE apt_install $PACKAGE
fi fi
} }
# This function will check config parameters required # This function will check config parameters required
@ -50,18 +50,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -18,12 +18,12 @@ HARDENING_LEVEL=3
DESCRIPTION="Deactivate wireless interfaces." DESCRIPTION="Deactivate wireless interfaces."
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
info "Not implemented yet" info "Not implemented yet"
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
info "Not implemented yet" info "Not implemented yet"
} }
@ -34,14 +34,14 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
## Source Root Dir Parameter ## Source Root Dir Parameter
#if [ ! -r /etc/default/cis-hardening ]; then #if [ ! -r /etc/default/cis-hardening ]; then
# echo "There is no /etc/default/cis-hardening file, cannot source CIS_ROOT_DIR variable, aborting" # echo "There is no /etc/default/cis-hardening file, cannot source CIS_ROOT_DIR variable, aborting"
@ -53,11 +53,11 @@ fi
# echo "No CIS_ROOT_DIR variable, aborting" # echo "No CIS_ROOT_DIR variable, aborting"
# exit 128 # exit 128
# fi # fi
#fi #fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -20,7 +20,7 @@ DESCRIPTION="Disable IPv6."
SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1' SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
does_sysctl_param_exists "net.ipv6" does_sysctl_param_exists "net.ipv6"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
ok "ipv6 is disabled" ok "ipv6 is disabled"
@ -42,7 +42,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
does_sysctl_param_exists "net.ipv6" does_sysctl_param_exists "net.ipv6"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
ok "ipv6 is disabled" ok "ipv6 is disabled"
@ -72,18 +72,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -22,7 +22,7 @@ PATTERN='max_log_file'
VALUE=5 VALUE=5
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
does_file_exist $FILE does_file_exist $FILE
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
@ -38,7 +38,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
does_file_exist $FILE does_file_exist $FILE
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist, creating it" warn "$FILE does not exist, creating it"
@ -62,18 +62,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -21,29 +21,29 @@ FILE='/etc/audit/auditd.conf'
OPTIONS='' OPTIONS=''
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
does_file_exist $FILE does_file_exist $FILE
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
else else
ok "$FILE exists, checking configuration" ok "$FILE exists, checking configuration"
for AUDIT_OPTION in $OPTIONS; do for AUDIT_OPTION in $OPTIONS; do
AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1) AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2) AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE" PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
debug "$AUDIT_PARAM should be set to $AUDIT_VALUE" debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in $FILE" crit "$PATTERN is not present in $FILE"
else else
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
fi fi
done done
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
does_file_exist $FILE does_file_exist $FILE
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist, creating it" warn "$FILE does not exist, creating it"
@ -79,7 +79,7 @@ check_config() {
} }
create_config() { create_config() {
cat << EOF cat <<EOF
# shellcheck disable=2034 # shellcheck disable=2034
status=audit status=audit
# Put here the conf for auditd # Put here the conf for auditd
@ -89,18 +89,18 @@ EOF
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -21,29 +21,29 @@ FILE='/etc/audit/auditd.conf'
OPTIONS='max_log_file_action=keep_logs' OPTIONS='max_log_file_action=keep_logs'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
does_file_exist $FILE does_file_exist $FILE
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
else else
ok "$FILE exists, checking configuration" ok "$FILE exists, checking configuration"
for AUDIT_OPTION in $OPTIONS; do for AUDIT_OPTION in $OPTIONS; do
AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1) AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2) AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE" PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
debug "$AUDIT_PARAM should be set to $AUDIT_VALUE" debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
crit "$PATTERN is not present in $FILE" crit "$PATTERN is not present in $FILE"
else else
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
fi fi
done done
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
does_file_exist $FILE does_file_exist $FILE
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist, creating it" warn "$FILE does not exist, creating it"
@ -61,7 +61,7 @@ apply () {
warn "$PATTERN is not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^$AUDIT_PARAM" does_pattern_exist_in_file $FILE "^$AUDIT_PARAM"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end" info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end"
add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE" add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE"
else else
info "Parameter $AUDIT_PARAM is present but with the wrong value -- Fixing" info "Parameter $AUDIT_PARAM is present but with the wrong value -- Fixing"
@ -80,18 +80,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

View File

@ -26,7 +26,7 @@ AUDIT_PARAMS='-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>
FILE='/etc/audit/audit.rules' FILE='/etc/audit/audit.rules'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
# define custom IFS and save default one # define custom IFS and save default one
d_IFS=$IFS d_IFS=$IFS
c_IFS=$'\n' c_IFS=$'\n'
@ -46,7 +46,7 @@ audit () {
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
@ -68,18 +68,18 @@ check_config() {
# Source Root Dir Parameter # Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default # shellcheck source=../../debian/default
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh # shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh . "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

Some files were not shown because too many files have changed in this diff Show More