elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2024-11-21 13:07:01 +01:00
Code Issues Packages Projects Releases Wiki Activity

IMP(shfmt): add shell formatter

Browse Source
This commit is contained in:
Thibault Ayanides 2020-12-04 14:08:01 +01:00
parent bc1aa65b91
commit 3a342b784a
300 changed files with 2370 additions and 2427 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -0,0 +1 @@
tmp/shfmt

38
bin/hardening.sh
View File

@ -28,7 +28,7 @@ SUDO_MODE=''
BATCH_MODE=''
usage() {
cat << EOF
cat <<EOF
$LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
--help -h
@ -154,7 +154,7 @@ while [[ $# > 0 ]]; do
BATCH_MODE='--batch'
LOGLEVEL=ok
;;
-h|--help)
-h | --help)
usage
;;
*)
@ -187,7 +187,7 @@ fi
if [ $BATCH_MODE ]; then MACHINE_LOG_LEVEL=3; fi
# If --allow-service-list is specified, don't run anything, just list the supported services
if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then
if [ "$ALLOW_SERVICE_LIST" = 1 ]; then
declare -a HARDENING_EXCEPTIONS_LIST
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
template=$(grep "^HARDENING_EXCEPTION=" "$SCRIPT" | cut -d= -f2)
@ -198,8 +198,8 @@ if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then
fi
# If --set-hardening-level is specified, don't run anything, just apply config for each script
if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ] ; then
if ! grep -q "^[12345]$" <<< "$SET_HARDENING_LEVEL" ; then
if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ]; then
if ! grep -q "^[12345]$" <<<"$SET_HARDENING_LEVEL"; then
echo "Bad --set-hardening-level specified ('$SET_HARDENING_LEVEL'), expected 1 to 5"
exit 1
fi
@ -207,7 +207,7 @@ if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ] ; then
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
SCRIPT_BASENAME=$(basename $SCRIPT .sh)
script_level=$(grep "^HARDENING_LEVEL=" "$SCRIPT" | cut -d= -f2)
if [ -z "$script_level" ] ; then
if [ -z "$script_level" ]; then
echo "The script $SCRIPT_BASENAME doesn't have a hardening level, configuration untouched for it"
continue
fi
@ -226,11 +226,11 @@ fi
# Parse every scripts and execute them in the required mode
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
if [ ${#TEST_LIST[@]} -gt 0 ] ; then
if [ ${#TEST_LIST[@]} -gt 0 ]; then
# --only X has been specified at least once, is this script in my list ?
SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<< "$(basename $SCRIPT)")
SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<< "$SCRIPT_PREFIX")
if ! grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<< "${TEST_LIST[@]}"; then
SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<<"$(basename $SCRIPT)")
SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<<"$SCRIPT_PREFIX")
if ! grep -qwE "(^| )$SCRIPT_PREFIX_RE" <<<"${TEST_LIST[@]}"; then
# not in the list
continue
fi
@ -260,8 +260,8 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
case $SCRIPT_EXITCODE in
0)
debug "$SCRIPT passed"
PASSED_CHECKS=$((PASSED_CHECKS+1))
if [ $AUDIT_ALL_ENABLE_PASSED = 1 ] ; then
PASSED_CHECKS=$((PASSED_CHECKS + 1))
if [ $AUDIT_ALL_ENABLE_PASSED = 1 ]; then
SCRIPT_BASENAME=$(basename $SCRIPT .sh)
sed -i -re 's/^status=.+/status=enabled/' $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg
info "Status set to enabled in $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
@ -269,19 +269,19 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
;;
1)
debug "$SCRIPT failed"
FAILED_CHECKS=$((FAILED_CHECKS+1))
FAILED_CHECKS=$((FAILED_CHECKS + 1))
;;
2)
debug "$SCRIPT is disabled"
DISABLED_CHECKS=$((DISABLED_CHECKS+1))
DISABLED_CHECKS=$((DISABLED_CHECKS + 1))
;;
esac
TOTAL_CHECKS=$((TOTAL_CHECKS+1))
TOTAL_CHECKS=$((TOTAL_CHECKS + 1))
done
TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS-DISABLED_CHECKS))
TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS - DISABLED_CHECKS))
if [ $BATCH_MODE ]; then
BATCH_SUMMARY="AUDIT_SUMMARY "
@ -289,7 +289,7 @@ if [ $BATCH_MODE ]; then
BATCH_SUMMARY+="RUN_CHECKS:${TOTAL_TREATED_CHECKS:-0} "
BATCH_SUMMARY+="TOTAL_CHECKS_AVAIL:${TOTAL_CHECKS:-0}"
if [ $TOTAL_TREATED_CHECKS != 0 ]; then
CONFORMITY_PERCENTAGE=$(bc -l <<< "scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:$(printf "%s" "$CONFORMITY_PERCENTAGE")"
else
BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0
@ -302,8 +302,8 @@ else
printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
ENABLED_CHECKS_PERCENTAGE=$(bc -l <<< "scale=2; ($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100")
CONFORMITY_PERCENTAGE=$(bc -l <<< "scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
ENABLED_CHECKS_PERCENTAGE=$(bc -l <<<"scale=2; ($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100")
CONFORMITY_PERCENTAGE=$(bc -l <<<"scale=2; ($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100")
printf "%30s %s %%\n" "Enabled Checks Percentage :" "$ENABLED_CHECKS_PERCENTAGE"
if [ $TOTAL_TREATED_CHECKS != 0 ]; then
printf "%30s %s %%\n" "Conformity Percentage :" "$CONFORMITY_PERCENTAGE"

9
bin/hardening/1.1.1.1_disable_freevxfs.sh
View File

@ -20,9 +20,8 @@ DESCRIPTION="Disable mounting of freevxfs filesystems."
KERNEL_OPTION="CONFIG_VXFS_FS"
MODULE_NAME="freevxfs"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
@ -32,7 +31,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
is_kernel_option_enabled "$KERNEL_OPTION"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
@ -48,7 +47,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -59,7 +58,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

9
bin/hardening/1.1.1.2_disable_jffs2.sh
View File

@ -20,9 +20,8 @@ DESCRIPTION="Disable mounting of jffs2 filesystems."
KERNEL_OPTION="CONFIG_JFFS2_FS"
MODULE_NAME="jffs2"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
@ -32,7 +31,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
is_kernel_option_enabled "$KERNEL_OPTION"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
@ -48,7 +47,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -59,7 +58,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

9
bin/hardening/1.1.1.3_disable_hfs.sh
View File

@ -20,9 +20,8 @@ DESCRIPTION="Disable mounting of hfs filesystems."
KERNEL_OPTION="CONFIG_HFS_FS"
MODULE_FILE="hfs"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
@ -32,7 +31,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
is_kernel_option_enabled "$KERNEL_OPTION"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
@ -48,7 +47,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -59,7 +58,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

9
bin/hardening/1.1.1.4_disable_hfsplus.sh
View File

@ -20,9 +20,8 @@ DESCRIPTION="Disable mounting of hfsplus filesystems."
KERNEL_OPTION="CONFIG_HFSPLUS_FS"
MODULE_FILE="hfsplus"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
@ -32,7 +31,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
is_kernel_option_enabled "$KERNEL_OPTION"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
@ -48,7 +47,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -59,7 +58,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

9
bin/hardening/1.1.1.5_disable_udf.sh
View File

@ -20,9 +20,8 @@ DESCRIPTION="Disable mounting of udf filesystems."
KERNEL_OPTION="CONFIG_UDF_FS"
MODULE_FILE="udf"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
@ -32,7 +31,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
is_kernel_option_enabled "$KERNEL_OPTION"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
@ -48,7 +47,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -59,7 +58,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

9
bin/hardening/1.1.1.6_disable_cramfs.sh
View File

@ -20,9 +20,8 @@ DESCRIPTION="Disable mounting of cramfs filesystems."
KERNEL_OPTION="CONFIG_CRAMFS"
MODULE_NAME="cramfs"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
@ -33,7 +32,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
is_kernel_option_enabled "$KERNEL_OPTION"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
@ -50,7 +49,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -61,7 +60,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

9
bin/hardening/1.1.1.7_disable_squashfs.sh
View File

@ -20,9 +20,8 @@ DESCRIPTION="Disable mounting of squashfs filesytems."
KERNEL_OPTION="CONFIG_SQUASHFS"
MODULE_FILE="squashfs"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
is_kernel_option_enabled "$KERNEL_OPTION" $MODULE_FILE
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
@ -33,7 +32,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
is_kernel_option_enabled "$KERNEL_OPTION"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
@ -50,7 +49,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -61,7 +60,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/1.1.10_var_tmp_noexec.sh
View File

@ -22,7 +22,7 @@ PARTITION="/var/tmp"
OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
@ -49,7 +49,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
@ -73,7 +73,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -84,7 +84,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/1.1.11_var_log_partition.sh
View File

@ -21,7 +21,7 @@ DESCRIPTION="/var/log on separate partition."
PARTITION="/var/log"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
@ -41,7 +41,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
@ -60,7 +60,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -71,7 +71,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/1.1.12_var_log_audit_partition.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="/var/log/audit on a separate partition."
PARTITION="/var/log/audit"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
@ -40,7 +40,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
@ -59,7 +59,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -70,7 +70,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/1.1.13_home_partition.sh
View File

@ -21,7 +21,7 @@ DESCRIPTION="/home on a separate partition."
PARTITION="/home"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
@ -41,7 +41,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
@ -60,7 +60,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -71,7 +71,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/1.1.14_home_nodev.sh
View File

@ -22,7 +22,7 @@ PARTITION="/home"
OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
@ -49,7 +49,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
@ -73,7 +73,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -84,7 +84,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

6
bin/hardening/1.1.15_run_shm_nodev.sh
View File

@ -22,7 +22,7 @@ PARTITION="/run/shm"
OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
PARTITION=$(readlink -e "$PARTITION")
FNRET=0
@ -50,7 +50,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
@ -74,7 +74,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then

6
bin/hardening/1.1.16_run_shm_nosuid.sh
View File

@ -22,7 +22,7 @@ PARTITION="/run/shm"
OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
PARTITION=$(readlink -e "$PARTITION")
FNRET=0
@ -50,7 +50,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
@ -74,7 +74,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then

6
bin/hardening/1.1.17_run_shm_noexec.sh
View File

@ -22,7 +22,7 @@ PARTITION="/run/shm"
OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
PARTITION=$(readlink -e "$PARTITION")
FNRET=0
@ -50,7 +50,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
@ -74,7 +74,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then

8
bin/hardening/1.1.18_removable_device_nodev.sh
View File

@ -24,7 +24,7 @@ PARTITION="/media\S*"
OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying if there is $PARTITION like partition"
FNRET=0
is_a_partition "$PARTITION"
@ -44,7 +44,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 1 ]; then
@ -61,7 +61,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -72,7 +72,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/1.1.19_removable_device_nosuid.sh
View File

@ -24,7 +24,7 @@ PARTITION="/media\S*"
OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying if there is $PARTITION like partition"
FNRET=0
is_a_partition "$PARTITION"
@ -44,7 +44,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 1 ]; then
@ -61,7 +61,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -72,7 +72,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/1.1.20_removable_device_noexec.sh
View File

@ -24,7 +24,7 @@ PARTITION="/media\S*"
OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying if there is $PARTITION like partition"
FNRET=0
is_a_partition "$PARTITION"
@ -44,7 +44,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 1 ]; then
@ -61,7 +61,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -72,7 +72,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

14
bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
View File

@ -18,13 +18,13 @@ HARDENING_LEVEL=2
DESCRIPTION="Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them."
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Checking if setuid is set on world writable Directories"
FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} )
RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'})
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then
crit "Some world writable directories are not on sticky bit mode!"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT"
else
ok "All world writable directories have a sticky bit"
@ -32,7 +32,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
@ -49,7 +49,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -60,7 +60,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

10
bin/hardening/1.1.22_disable_automounting.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Disable automounting of devices."
SERVICE_NAME="autofs"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Checking if $SERVICE_NAME is enabled"
is_service_enabled "$SERVICE_NAME"
if [ "$FNRET" = 0 ]; then
@ -31,12 +31,12 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
info "Checking if $SERVICE_NAME is enabled"
is_service_enabled "$SERVICE_NAME"
if [ "$FNRET" = 0 ]; then
info "Disabling $SERVICE_NAME"
update-rc.d $SERVICE_NAME remove > /dev/null 2>&1
update-rc.d $SERVICE_NAME remove >/dev/null 2>&1
else
ok "$SERVICE_NAME is disabled"
fi
@ -49,7 +49,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -60,7 +60,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/1.1.2_tmp_partition.sh
View File

@ -21,7 +21,7 @@ DESCRIPTION="Ensure /tmp is configured (Scored)"
PARTITION="/tmp"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
@ -41,7 +41,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
@ -60,7 +60,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -71,7 +71,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/1.1.3_tmp_nodev.sh
View File

@ -22,7 +22,7 @@ PARTITION="/tmp"
OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
@ -49,7 +49,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
@ -73,7 +73,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -84,7 +84,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/1.1.4_tmp_nosuid.sh
View File

@ -22,7 +22,7 @@ PARTITION="/tmp"
OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
@ -49,7 +49,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
@ -73,7 +73,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -84,7 +84,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/1.1.5_tmp_noexec.sh
View File

@ -22,7 +22,7 @@ PARTITION="/tmp"
OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
@ -49,7 +49,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
@ -73,7 +73,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -84,7 +84,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/1.1.6_var_partition.sh
View File

@ -21,7 +21,7 @@ DESCRIPTION="/var on a separate partition."
PARTITION="/var"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
@ -43,7 +43,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
@ -62,7 +62,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -73,7 +73,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/1.1.7_var_tmp_partition.sh
View File

@ -21,7 +21,7 @@ DESCRIPTION="/var/tmp on a separate partition."
PARTITION="/var/tmp"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
@ -43,7 +43,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
@ -62,7 +62,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -73,7 +73,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/1.1.8_var_tmp_nodev.sh
View File

@ -22,7 +22,7 @@ PARTITION="/var/tmp"
OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
@ -49,7 +49,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
@ -73,7 +73,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -84,7 +84,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/1.1.9_var_tmp_nosuid.sh
View File

@ -22,7 +22,7 @@ PARTITION="/var/tmp"
OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
@ -49,7 +49,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
if [ "$FNRET" = 0 ]; then
ok "$PARTITION is correctly set"
elif [ "$FNRET" = 2 ]; then
@ -73,7 +73,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -84,7 +84,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/1.4.1_bootloader_ownership.sh
View File

@ -25,7 +25,7 @@ GROUP='root'
PERMISSIONS='400'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
@ -42,7 +42,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
has_file_correct_ownership "$FILE" "$USER" "$GROUP"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct ownership"
@ -87,7 +87,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -98,7 +98,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/1.4.2_bootloader_password.sh
View File

@ -22,7 +22,7 @@ USER_PATTERN="^set superusers"
PWD_PATTERN="^password_pbkdf2"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
does_pattern_exist_in_file $FILE "$USER_PATTERN"
if [ "$FNRET" != 0 ]; then
crit "$USER_PATTERN not present in $FILE"
@ -38,7 +38,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
does_pattern_exist_in_file $FILE "$USER_PATTERN"
if [ "$FNRET" != 0 ]; then
warn "$USER_PATTERN not present in $FILE, please configure password for grub"
@ -69,7 +69,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -80,7 +80,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/1.4.3_root_password.sh
View File

@ -21,7 +21,7 @@ FILE="/etc/shadow"
PATTERN="^root:[*\!]:"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
does_pattern_exist_in_file $FILE $PATTERN
if [ "$FNRET" != 1 ]; then
crit "$PATTERN is present in $FILE"
@ -31,7 +31,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
does_pattern_exist_in_file $FILE $PATTERN
if [ "$FNRET" != 1 ]; then
warn "$PATTERN is present in $FILE, please put a root password"
@ -48,7 +48,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -59,7 +59,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/1.5.1_restrict_core_dumps.sh
View File

@ -24,7 +24,7 @@ SYSCTL_PARAM='fs.suid_dumpable'
SYSCTL_EXP_RESULT=0
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
SEARCH_RES=0
LIMIT_FILES=""
if $SUDO_CMD [ -d $LIMIT_DIR ]; then
@ -57,7 +57,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN
if [ "$FNRET" != 0 ]; then
warn "$LIMIT_PATTERN not present in $LIMIT_FILE, adding at the end of $LIMIT_FILE"
@ -84,7 +84,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -95,7 +95,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/1.5.2_enable_nx_support.sh
View File

@ -34,7 +34,7 @@ nx_supported_and_enabled() {
}
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
does_pattern_exist_in_dmesg $PATTERN
if [ "$FNRET" != 0 ]; then
nx_supported_and_enabled
@ -49,7 +49,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
does_pattern_exist_in_dmesg $PATTERN
if [ "$FNRET" != 0 ]; then
nx_supported_and_enabled
@ -70,7 +70,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -81,7 +81,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/1.5.3_enable_randomized_vm_placement.sh
View File

@ -21,7 +21,7 @@ SYSCTL_PARAM='kernel.randomize_va_space'
SYSCTL_EXP_RESULT=2
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then
crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
@ -33,7 +33,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
@ -52,7 +52,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -63,7 +63,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/1.5.4_disable_prelink.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Disable prelink to prevent libraries compromission."
PACKAGE='prelink'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!"
@ -31,7 +31,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it"
@ -51,7 +51,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -62,7 +62,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/1.6.2.1_enable_apparmor.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Activate AppArmor to enforce permissions control."
PACKAGE='apparmor'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is absent!"
@ -49,7 +49,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed, please install $PACKAGE and configure it"
@ -87,7 +87,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -98,7 +98,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/1.7.1.1_remove_os_info_motd.sh
View File

@ -21,7 +21,7 @@ FILE='/etc/motd'
PATTERN='(\\v|\\r|\\m|\\s)'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
does_pattern_exist_in_file $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then
crit "$PATTERN is present in $FILE"
@ -31,7 +31,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
does_pattern_exist_in_file $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then
warn "$PATTERN is present in $FILE"
@ -48,7 +48,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -59,7 +59,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/1.7.1.2_remove_os_info_issue.sh
View File

@ -21,7 +21,7 @@ FILE='/etc/issue'
PATTERN='(\\v|\\r|\\m|\\s)'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
does_pattern_exist_in_file $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then
crit "$PATTERN is present in $FILE"
@ -31,7 +31,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
does_pattern_exist_in_file $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then
warn "$PATTERN is present in $FILE"
@ -48,7 +48,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -59,7 +59,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/1.7.1.3_remove_os_info_issue_net.sh
View File

@ -21,7 +21,7 @@ FILE='/etc/issue.net'
PATTERN='(\\v|\\r|\\m|\\s)'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
does_pattern_exist_in_file $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then
crit "$PATTERN is present in $FILE"
@ -31,7 +31,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
does_pattern_exist_in_file $FILE "$PATTERN"
if [ "$FNRET" = 0 ]; then
warn "$PATTERN is present in $FILE"
@ -48,7 +48,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -59,7 +59,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/1.7.1.4_motd_perms.sh
View File

@ -23,7 +23,7 @@ GROUP='root'
FILE='/etc/motd'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
does_file_exist $FILE
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
@ -44,7 +44,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
does_file_exist $FILE
if [ "$FNRET" != 0 ]; then
info "$FILE does not exist"
@ -73,7 +73,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -84,7 +84,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/1.7.1.5_etc_issue_perms.sh
View File

@ -23,7 +23,7 @@ GROUP='root'
FILE='/etc/issue'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
does_file_exist $FILE
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
@ -44,7 +44,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
does_file_exist $FILE
if [ "$FNRET" != 0 ]; then
info "$FILE does not exist"
@ -73,7 +73,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -84,7 +84,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/1.7.1.6_etc_issue_net_perms.sh
View File

@ -23,7 +23,7 @@ GROUP='root'
FILE='/etc/issue.net'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
does_file_exist $FILE
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
@ -44,7 +44,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
does_file_exist $FILE
if [ "$FNRET" != 0 ]; then
info "$FILE does not exist"
@ -73,7 +73,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -84,7 +84,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/1.7.2_graphical_warning_banners.sh
View File

@ -18,12 +18,12 @@ HARDENING_LEVEL=3
DESCRIPTION="Set graphical warning banner."
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Not implemented yet"
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
info "Not implemented yet"
}
@ -34,7 +34,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -45,7 +45,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/1.8_install_updates.sh
View File

@ -18,7 +18,7 @@ HARDENING_LEVEL=3
DESCRIPTION="Ensure updates, patches, and additional security software are installed (Not Scored)"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Checking if apt needs an update"
apt_update_if_needed
info "Fetching upgrades ..."
@ -33,7 +33,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
if [ $FNRET -gt 0 ]; then
info "Applying Upgrades..."
DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' upgrade -y
@ -50,7 +50,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -61,7 +61,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/2.1.1_disable_xinetd.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Ensure xinetd is not enabled."
PACKAGE='xinetd'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed"
@ -30,7 +30,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
warn "$PACKAGE is installed, purging"
@ -48,7 +48,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -59,7 +59,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/2.1.2_disable_bsd_inetd.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Ensure bsd-inetd is not enabled."
PACKAGES='openbsd-inetd inetutils-inetd'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -32,7 +32,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -52,7 +52,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -63,7 +63,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

10
bin/hardening/2.2.1.1_use_time_sync.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Ensure time synchronization is in use"
PACKAGES="ntp chrony"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
FOUND=false
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
@ -35,7 +35,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
:
}
@ -46,7 +46,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -55,13 +55,11 @@ if [ -z "$CIS_ROOT_DIR" ]; then
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

8
bin/hardening/2.2.1.2_configure_ntp.sh
View File

@ -26,7 +26,7 @@ NTP_INIT_PATTERN='RUNASUSER=ntp'
NTP_INIT_FILE='/etc/init.d/ntp'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
@ -48,7 +48,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
ok "$PACKAGE is installed"
@ -82,7 +82,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -93,7 +93,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/2.2.1.3_configure_chrony.sh
View File

@ -24,7 +24,7 @@ CONF_DEFAULT_PATTERN='^(server|pool)'
CONF_FILE='/etc/chrony/chrony.conf'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
@ -40,7 +40,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
:
}
@ -51,7 +51,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -62,7 +62,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/2.2.10_disable_http_server.sh
View File

@ -23,7 +23,7 @@ HARDENING_EXCEPTION=http
PACKAGES='nginx apache2 lighttpd micro-httpd mini-httpd yaws boa bozohttpd'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -35,7 +35,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -55,7 +55,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -66,7 +66,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/2.2.11_disable_imap_pop.sh
View File

@ -23,7 +23,7 @@ HARDENING_EXCEPTION=mail
PACKAGES='citadel-server courier-imap cyrus-imapd-2.4 dovecot-imapd mailutils-imap4d courier-pop cyrus-pop3d-2.4 dovecot-pop3d heimdal-servers mailutils-pop3d popa3d solid-pop3d xmail'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -35,7 +35,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -55,7 +55,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -66,7 +66,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/2.2.12_disable_samba.sh
View File

@ -23,7 +23,7 @@ PACKAGES='samba'
SERVICE='smbd'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -41,7 +41,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -68,7 +68,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -79,7 +79,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/2.2.13_disable_http_proxy.sh
View File

@ -22,7 +22,7 @@ HARDENING_EXCEPTION=http
PACKAGES='squid3 squid'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -34,7 +34,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -54,7 +54,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -65,7 +65,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/2.2.14_disable_snmp_server.sh
View File

@ -22,7 +22,7 @@ HARDENING_EXCEPTION=snmp
PACKAGES='snmpd'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -34,7 +34,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -54,7 +54,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -65,7 +65,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

12
bin/hardening/2.2.15_mta_localhost.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Configure Mail Transfert Agent for Local-Only Mode."
HARDENING_EXCEPTION=mail
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Checking netport ports opened"
RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || :
RESULT=${RESULT:-}
@ -29,7 +29,7 @@ audit () {
ok "Nothing listens on 25 port, probably unix socket configured"
else
info "Checking $RESULT"
if $(grep -q "127.0.0.1" <<< $RESULT); then
if $(grep -q "127.0.0.1" <<<$RESULT); then
ok "MTA is configured to localhost only"
else
crit "MTA listens worldwide"
@ -38,7 +38,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
info "Checking netport ports opened"
RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || :
RESULT=${RESULT:-}
@ -47,7 +47,7 @@ apply () {
ok "Nothing listens on 25 port, probably unix socket configured"
else
info "Checking $RESULT"
if $(grep -q "127.0.0.1" <<< $RESULT); then
if $(grep -q "127.0.0.1" <<<$RESULT); then
ok "MTA is configured to localhost only"
else
warn "MTA listens worldwide, correct this considering your MTA"
@ -63,7 +63,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -74,7 +74,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/2.2.16_disable_rsync.sh
View File

@ -25,7 +25,7 @@ RSYNC_DEFAULT_FILE='/etc/default/rsync'
RSYNC_DEFAULT_PATTERN_TO_SEARCH='RSYNC_ENABLE=true'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
ok "$PACKAGE is not installed"
@ -41,7 +41,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
ok "$PACKAGE is not installed"
@ -65,7 +65,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -76,7 +76,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

10
bin/hardening/2.2.18_disable_telnet_server.sh
View File

@ -25,7 +25,7 @@ FILE='/etc/inetd.conf'
PATTERN='^telnet'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -48,7 +48,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -67,7 +67,7 @@ apply () {
if [ "$FNRET" = 0 ]; then
warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<<$PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN is not present in $FILE"
@ -83,7 +83,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -94,7 +94,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/2.2.2_disable_xwindow_system.sh
View File

@ -23,7 +23,7 @@ HARDENING_EXCEPTION=x11
PACKAGES='xserver-xorg-core xserver-xorg-core-dbg xserver-common xserver-xephyr xserver-xfbdev tightvncserver vnc4server fglrx-driver xvfb xserver-xorg-video-nvidia-legacy-173xx xserver-xorg-video-nvidia-legacy-96xx xnest'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -35,7 +35,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -55,7 +55,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -66,7 +66,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/2.2.3_disable_avahi_server.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Ensure Avahi server is not enabled."
PACKAGES='avahi-daemon libavahi-common-data libavahi-common3 libavahi-core7'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -32,7 +32,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -52,7 +52,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -63,7 +63,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/2.2.4_disable_print_server.sh
View File

@ -22,7 +22,7 @@ HARDENING_EXCEPTION=cups
PACKAGES='libcups2 libcupscgi1 libcupsimage2 libcupsmime1 libcupsppdc1 cups-common cups-client cups-ppdc libcupsfilters1 cups-filters cups'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -34,7 +34,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -54,7 +54,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -65,7 +65,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/2.2.5_disable_dhcp.sh
View File

@ -22,7 +22,7 @@ HARDENING_EXCEPTION=dhcp
PACKAGES='udhcpd isc-dhcp-server'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -34,7 +34,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -54,7 +54,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -65,7 +65,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/2.2.6_disable_ldap.sh
View File

@ -22,7 +22,7 @@ HARDENING_EXCEPTION=ldap
PACKAGES='slapd'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -34,7 +34,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -54,7 +54,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -65,7 +65,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/2.2.7_disable_nfs_rpc.sh
View File

@ -22,7 +22,7 @@ HARDENING_EXCEPTION=nfs
PACKAGES='rpcbind nfs-kernel-server'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -34,7 +34,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -54,7 +54,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -65,7 +65,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/2.2.8_disable_dns_server.sh
View File

@ -22,7 +22,7 @@ HARDENING_EXCEPTION=dns
PACKAGES='bind9 unbound'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -34,7 +34,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -54,7 +54,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -65,7 +65,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/2.2.9_disable_ftp.sh
View File

@ -23,7 +23,7 @@ HARDENING_EXCEPTION=ftp
PACKAGES='ftpd ftpd-ssl heimdal-servers inetutils-ftpd krb5-ftpd muddleftpd proftpd-basic pure-ftpd pure-ftpd-ldap pure-ftpd-mysql pure-ftpd-postgresql twoftpd-run vsftpd wzdftpd'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -35,7 +35,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -55,7 +55,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -66,7 +66,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/2.3.1_disable_nis.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Ensure that Network Information Service is not installed. Recommend
PACKAGE='nis'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed!"
@ -31,7 +31,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
crit "$PACKAGE is installed, purging it"
@ -49,7 +49,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -60,7 +60,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/2.3.2_disable_rsh_client.sh
View File

@ -21,7 +21,7 @@ DESCRIPTION="Ensure rsh client is not installed, Recommended alternative : ssh."
PACKAGES='rsh-client rsh-redone-client heimdal-clients'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -33,7 +33,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -53,7 +53,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -64,7 +64,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/2.3.3_disable_talk_client.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Ensure talk client is not installed."
PACKAGES='talk inetutils-talk'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -32,7 +32,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -52,7 +52,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -63,7 +63,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/2.3.4_disable_telnet_client.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Ensure telnet client is not installed."
PACKAGES='telnet'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -32,7 +32,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -52,7 +52,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -63,7 +63,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/2.3.5_disable_ldap_client.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Ensure ldap client is not installed."
PACKAGES='ldap-utils'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -32,7 +32,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for PACKAGE in $PACKAGES; do
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
@ -52,7 +52,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -63,7 +63,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

11
bin/hardening/3.1.1_disable_ip_forwarding.sh
View File

@ -1,6 +1,5 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
@ -23,7 +22,7 @@ SYSCTL_PARAMS='net.ipv4.ip_forward net.ipv6.conf.all.forwarding'
SYSCTL_EXP_RESULT=0
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for SYSCTL_PARAM in $SYSCTL_PARAMS; do
does_sysctl_param_exists "net.ipv6"
if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_PARAM =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
@ -40,13 +39,13 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for SYSCTL_PARAM in $SYSCTL_PARAMS; do
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null
sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
@ -62,7 +61,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -73,7 +72,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

10
bin/hardening/3.1.2_disable_send_packet_redirects.sh
View File

@ -22,7 +22,7 @@ DESCRIPTION="Disable send packet redirects to prevent malicious ICMP corruption.
SYSCTL_PARAMS='net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -39,7 +39,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -48,7 +48,7 @@ apply () {
if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null
sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
@ -64,7 +64,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -75,7 +75,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

10
bin/hardening/3.2.1_disable_source_routed_packets.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Disable source routed packet acceptance."
SYSCTL_PARAMS=''
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
does_sysctl_param_exists "net.ipv6"
if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
@ -40,7 +40,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -49,7 +49,7 @@ apply () {
if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT value -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null
sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
@ -73,7 +73,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -84,7 +84,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

10
bin/hardening/3.2.2_disable_icmp_redirect.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Disable ICMP redirect acceptance to prevent routing table corruptio
SYSCTL_PARAMS=''
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
does_sysctl_param_exists "net.ipv6"
if [ "$FNRET" = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
@ -41,7 +41,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -50,7 +50,7 @@ apply () {
if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null
sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
@ -74,7 +74,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -85,7 +85,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

10
bin/hardening/3.2.3_disable_secure_icmp_redirect.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Disable secure ICMP redirect acceptance to prevent routing tables c
SYSCTL_PARAMS='net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure_redirects=0'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -37,7 +37,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -46,7 +46,7 @@ apply () {
if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null
sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
@ -62,7 +62,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -73,7 +73,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

10
bin/hardening/3.2.4_log_martian_packets.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Log suspicious packets, like spoofed packets."
SYSCTL_PARAMS='net.ipv4.conf.all.log_martians=1 net.ipv4.conf.default.log_martians=1'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -37,7 +37,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -46,7 +46,7 @@ apply () {
if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null
sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
@ -62,7 +62,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -73,7 +73,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

10
bin/hardening/3.2.5_ignore_broadcast_requests.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Ignore broadcast requests to prevent attacks such as Smurf attack."
SYSCTL_PARAMS='net.ipv4.icmp_echo_ignore_broadcasts=1'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -37,7 +37,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -46,7 +46,7 @@ apply () {
if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null
sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
@ -62,7 +62,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -73,7 +73,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

10
bin/hardening/3.2.6_enable_bad_error_message_protection.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Enable bad error message protection to prevent logfiles fillup."
SYSCTL_PARAMS='net.ipv4.icmp_ignore_bogus_error_responses=1'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -37,7 +37,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -46,7 +46,7 @@ apply () {
if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null
sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
@ -62,7 +62,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -73,7 +73,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

10
bin/hardening/3.2.7_enable_source_route_validation.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Enable RFC-recommended source route validation."
SYSCTL_PARAMS='net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -37,7 +37,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -46,7 +46,7 @@ apply () {
if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null
sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
@ -62,7 +62,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -73,7 +73,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

10
bin/hardening/3.2.8_enable_tcp_syn_cookies.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Enable TCP-SYN cookie to prevent TCP-SYN flood attack."
SYSCTL_PARAMS='net.ipv4.tcp_syncookies=1'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -37,7 +37,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
for SYSCTL_VALUES in $SYSCTL_PARAMS; do
SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
@ -46,7 +46,7 @@ apply () {
if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null
sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
@ -62,7 +62,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -73,7 +73,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

10
bin/hardening/3.2.9_disable_ipv6_router_advertisement.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Disable IPv6 router advertisements."
SYSCTL_PARAMS='net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
does_sysctl_param_exists "net.ipv6"
if [ "$FNRET" != 0 ]; then
ok "ipv6 is disabled"
@ -42,7 +42,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
does_sysctl_param_exists "net.ipv6"
if [ "$FNRET" != 0 ]; then
ok "ipv6 is disabled"
@ -55,7 +55,7 @@ apply () {
if [ "$FNRET" != 0 ]; then
warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT, fixing"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
sysctl -w net.ipv4.route.flush=1 > /dev/null
sysctl -w net.ipv4.route.flush=1 >/dev/null
elif [ "$FNRET" = 255 ]; then
warn "$SYSCTL_PARAM does not exist -- Typo?"
else
@ -72,7 +72,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -83,7 +83,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/3.3.1_install_tcp_wrapper.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Install TCP wrappers for simple access list management and standard
PACKAGE='tcpd'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
@ -30,7 +30,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
ok "$PACKAGE is installed"
@ -47,7 +47,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -58,7 +58,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/3.3.2_hosts_allow.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Create /etc/hosts.allow ."
FILE='/etc/hosts.allow'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
does_file_exist $FILE
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
@ -30,7 +30,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
does_file_exist $FILE
if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist, creating it"
@ -48,7 +48,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -59,7 +59,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/3.3.3_hosts_deny.sh
View File

@ -21,7 +21,7 @@ FILE='/etc/hosts.deny'
PATTERN='ALL: ALL'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
does_file_exist $FILE
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
@ -37,7 +37,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
does_file_exist $FILE
if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist, creating it"
@ -62,7 +62,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -73,7 +73,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/3.3.4_hosts_allow_permissions.sh
View File

@ -23,7 +23,7 @@ USER='root'
GROUP='root'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
@ -39,7 +39,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
@ -56,7 +56,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -67,7 +67,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/3.3.5_hosts_deny_permissions.sh
View File

@ -23,7 +23,7 @@ USER='root'
GROUP='root'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
@ -39,7 +39,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
has_file_correct_permissions "$FILE" "$PERMISSIONS"
if [ "$FNRET" = 0 ]; then
ok "$FILE has correct permissions"
@ -56,7 +56,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -67,7 +67,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/3.4.1_disable_dccp.sh
View File

@ -18,12 +18,12 @@ HARDENING_LEVEL=2
DESCRIPTION="Disable Datagram Congestion Control Protocol (DCCP)."
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Not implemented yet"
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
info "Not implemented yet"
}
@ -34,7 +34,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -45,7 +45,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/3.4.2_disable_sctp.sh
View File

@ -18,12 +18,12 @@ HARDENING_LEVEL=2
DESCRIPTION="Disable Stream Control Transmission Protocol (SCTP)."
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Not implemented yet"
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
info "Not implemented yet"
}
@ -34,7 +34,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -45,7 +45,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/3.4.3_disable_rds.sh
View File

@ -18,12 +18,12 @@ HARDENING_LEVEL=2
DESCRIPTION="Disable Reliable Datagram Sockets (RDS)."
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Not implemented yet"
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
info "Not implemented yet"
}
@ -34,7 +34,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -45,7 +45,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/3.4.4_disable_tipc.sh
View File

@ -18,12 +18,12 @@ HARDENING_LEVEL=2
DESCRIPTION="Disable Transperent Inter-Process Communication (TIPC)."
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Not implemented yet"
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
info "Not implemented yet"
}
@ -34,7 +34,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -45,7 +45,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/3.5.1.1_net_fw_default_policy_drop.sh
View File

@ -22,12 +22,12 @@ FW_CHAINS="INPUT FORWARD"
FW_POLICY="DROP"
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
else
ipt=$($SUDO_CMD $PACKAGE -nL 2>/dev/null || true )
ipt=$($SUDO_CMD $PACKAGE -nL 2>/dev/null || true)
if [[ -z $ipt ]]; then
crit "Empty return from $PACKAGE command. Aborting..."
return
@ -50,7 +50,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
:
}
@ -61,7 +61,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then

8
bin/hardening/3.5_enable_firewall.sh
View File

@ -23,7 +23,7 @@ DESCRIPTION="Ensure firewall is active (iptables is installed, does not check fo
PACKAGE='iptables'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" != 0 ]; then
crit "$PACKAGE is not installed!"
@ -33,7 +33,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
is_pkg_installed "$PACKAGE"
if [ "$FNRET" = 0 ]; then
ok "$PACKAGE is installed"
@ -50,7 +50,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -61,7 +61,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/3.6_disable_wireless.sh
View File

@ -18,12 +18,12 @@ HARDENING_LEVEL=3
DESCRIPTION="Deactivate wireless interfaces."
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
info "Not implemented yet"
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
info "Not implemented yet"
}
@ -34,7 +34,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -57,7 +57,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/3.7_disable_ipv6.sh
View File

@ -20,7 +20,7 @@ DESCRIPTION="Disable IPv6."
SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
does_sysctl_param_exists "net.ipv6"
if [ "$FNRET" != 0 ]; then
ok "ipv6 is disabled"
@ -42,7 +42,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
does_sysctl_param_exists "net.ipv6"
if [ "$FNRET" != 0 ]; then
ok "ipv6 is disabled"
@ -72,7 +72,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -83,7 +83,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/4.1.1.1_audit_log_storage.sh
View File

@ -22,7 +22,7 @@ PATTERN='max_log_file'
VALUE=5
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
does_file_exist $FILE
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
@ -38,7 +38,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
does_file_exist $FILE
if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist, creating it"
@ -62,7 +62,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -73,7 +73,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

10
bin/hardening/4.1.1.2_halt_when_audit_log_full.sh
View File

@ -21,7 +21,7 @@ FILE='/etc/audit/auditd.conf'
OPTIONS=''
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
does_file_exist $FILE
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
@ -43,7 +43,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
does_file_exist $FILE
if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist, creating it"
@ -79,7 +79,7 @@ check_config() {
}
create_config() {
cat << EOF
cat <<EOF
# shellcheck disable=2034
status=audit
# Put here the conf for auditd
@ -89,7 +89,7 @@ EOF
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -100,7 +100,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/4.1.1.3_keep_all_audit_logs.sh
View File

@ -21,7 +21,7 @@ FILE='/etc/audit/auditd.conf'
OPTIONS='max_log_file_action=keep_logs'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
does_file_exist $FILE
if [ "$FNRET" != 0 ]; then
crit "$FILE does not exist"
@ -43,7 +43,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
does_file_exist $FILE
if [ "$FNRET" != 0 ]; then
warn "$FILE does not exist, creating it"
@ -80,7 +80,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -91,7 +91,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

8
bin/hardening/4.1.10_record_dac_edit.sh
View File

@ -26,7 +26,7 @@ AUDIT_PARAMS='-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>
FILE='/etc/audit/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit () {
audit() {
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
@ -46,7 +46,7 @@ audit () {
}
# This function will be called if the script status is on enabled mode
apply () {
apply() {
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
@ -68,7 +68,7 @@ check_config() {
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
@ -79,7 +79,7 @@ fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
# shellcheck source=../../lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"

Some files were not shown because too many files have changed in this diff Show More