From 676b17c54f1594c43ef37745b72de6bbbe7beee7 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?St=C3=A9phane=20Lesimple?= Date: Thu, 18 May 2017 18:40:09 +0200 Subject: [PATCH] add hardening templating and several enhancements --- AUTHORS | 1 + bin/hardening.sh | 93 ++++++++++++++++++- bin/hardening/1.1_install_updates.sh | 2 + bin/hardening/10.1.1_set_password_exp_days.sh | 2 + .../10.1.2_set_password_min_days_change.sh | 2 + .../10.1.3_set_password_exp_warning_days.sh | 2 + bin/hardening/10.2_disable_system_accounts.sh | 11 +++ bin/hardening/10.3_default_root_group.sh | 2 + bin/hardening/10.4_default_umask.sh | 2 + .../10.5_lock_inactive_user_account.sh | 2 + bin/hardening/11.1_warning_banners.sh | 2 + .../11.2_remove_os_info_warning_banners.sh | 2 + .../11.3_graphical_warning_banners.sh | 2 + bin/hardening/12.10_find_suid_files.sh | 11 +++ bin/hardening/12.11_find_sgid_files.sh | 11 +++ bin/hardening/12.1_etc_passwd_permissions.sh | 2 + bin/hardening/12.2_etc_shadow_permissions.sh | 2 + bin/hardening/12.3_etc_group_permissions.sh | 2 + bin/hardening/12.4_etc_passwd_ownership.sh | 2 + bin/hardening/12.5_etc_shadow_ownership.sh | 2 + bin/hardening/12.6_etc_group_ownership.sh | 2 + .../12.7_find_world_writable_file.sh | 2 + bin/hardening/12.8_find_unowned_files.sh | 2 + bin/hardening/12.9_find_ungrouped_files.sh | 2 + bin/hardening/13.10_find_user_rhosts_files.sh | 2 + ...13.11_find_passwd_group_inconsistencies.sh | 2 + bin/hardening/13.12_users_valid_homedir.sh | 2 + .../13.13_check_user_homedir_ownership.sh | 2 + bin/hardening/13.14_check_duplicate_uid.sh | 2 + bin/hardening/13.15_check_duplicate_gid.sh | 2 + .../13.16_check_duplicate_username.sh | 2 + .../13.17_check_duplicate_groupname.sh | 2 + bin/hardening/13.18_find_user_netrc_files.sh | 2 + .../13.19_find_user_forward_files.sh | 2 + .../13.1_remove_empty_password_field.sh | 2 + bin/hardening/13.20_shadow_group_empty.sh | 2 + .../13.2_remove_legacy_passwd_entries.sh | 2 + .../13.3_remove_legacy_shadow_entries.sh | 2 + .../13.4_remove_legacy_group_entries.sh | 2 + 
.../13.5_find_0_uid_non_root_account.sh | 13 ++- bin/hardening/13.6_sanitize_root_path.sh | 2 + bin/hardening/13.7_check_user_dir_perm.sh | 11 +++ .../13.8_check_user_dot_file_perm.sh | 2 + bin/hardening/13.9_set_perm_on_user_netrc.sh | 2 + bin/hardening/2.10_home_nodev.sh | 2 + bin/hardening/2.11_removable_device_nodev.sh | 2 + bin/hardening/2.12_removable_device_noexec.sh | 2 + bin/hardening/2.13_removable_device_nosuid.sh | 2 + bin/hardening/2.14_run_shm_nodev.sh | 2 + bin/hardening/2.15_run_shm_nosuid.sh | 2 + bin/hardening/2.16_run_shm_noexec.sh | 2 + .../2.17_sticky_bit_world_writable_folder.sh | 2 + bin/hardening/2.18_disable_cramfs.sh | 8 +- bin/hardening/2.19_disable_freevxfs.sh | 8 +- bin/hardening/2.1_tmp_partition.sh | 2 + bin/hardening/2.20_disable_jffs2.sh | 8 +- bin/hardening/2.21_disable_hfs.sh | 8 +- bin/hardening/2.22_disable_hfsplus.sh | 8 +- bin/hardening/2.23_disable_squashfs.sh | 8 +- bin/hardening/2.24_disable_udf.sh | 8 +- bin/hardening/2.25_disable_automounting.sh | 2 + bin/hardening/2.2_tmp_nodev.sh | 2 + bin/hardening/2.3_tmp_nosuid.sh | 2 + bin/hardening/2.4_tmp_noexec.sh | 2 + bin/hardening/2.5_var_partition.sh | 2 + bin/hardening/2.6.1_var_tmp_partition.sh | 2 + bin/hardening/2.6.2_var_tmp_nodev.sh | 2 + bin/hardening/2.6.3_var_tmp_nosuid.sh | 2 + bin/hardening/2.6.4_var_tmp_noexec.sh | 2 + bin/hardening/2.7_var_log_partition.sh | 2 + bin/hardening/2.8_var_log_audit_partition.sh | 2 + bin/hardening/2.9_home_partition.sh | 2 + bin/hardening/3.1_bootloader_ownership.sh | 2 + bin/hardening/3.2_bootloader_permissions.sh | 2 + bin/hardening/3.3_bootloader_password.sh | 2 + bin/hardening/3.4_root_password.sh | 2 + bin/hardening/4.1_restrict_core_dumps.sh | 2 + bin/hardening/4.2_enable_nx_support.sh | 30 +++++- .../4.3_enable_randomized_vm_placement.sh | 2 + bin/hardening/4.4_disable_prelink.sh | 2 + bin/hardening/4.5_enable_apparmor.sh | 2 + bin/hardening/5.1.1_disable_nis.sh | 2 + bin/hardening/5.1.2_disable_rsh.sh | 2 + 
bin/hardening/5.1.3_disable_rsh_client.sh | 2 + bin/hardening/5.1.4_disable_talk.sh | 2 + bin/hardening/5.1.5_disable_talk_client.sh | 2 + bin/hardening/5.1.6_disable_telnet_server.sh | 2 + bin/hardening/5.1.7_disable_tftp_server.sh | 2 + bin/hardening/5.1.8_disable_inetd.sh | 2 + bin/hardening/5.2_disable_chargen.sh | 2 + bin/hardening/5.3_disable_daytime.sh | 2 + bin/hardening/5.4_disable_echo.sh | 2 + bin/hardening/5.5_disable_discard.sh | 2 + bin/hardening/5.6_disable_time.sh | 2 + bin/hardening/6.10_disable_http_server.sh | 3 + bin/hardening/6.11_disable_imap_pop.sh | 3 + bin/hardening/6.12_disable_samba.sh | 3 + bin/hardening/6.13_disable_http_proxy.sh | 3 + bin/hardening/6.14_disable_snmp_server.sh | 3 + bin/hardening/6.15_mta_localhost.sh | 3 + bin/hardening/6.16_disable_rsync.sh | 3 + bin/hardening/6.1_disable_xwindow_system.sh | 3 + bin/hardening/6.2_disable_avahi_server.sh | 2 + bin/hardening/6.3_disable_print_server.sh | 3 + bin/hardening/6.4_disable_dhcp.sh | 3 + bin/hardening/6.5_configure_ntp.sh | 3 + bin/hardening/6.6_disable_ldap.sh | 3 + bin/hardening/6.7_disable_nfs_rpc.sh | 3 + bin/hardening/6.8_disable_dns_server.sh | 3 + bin/hardening/6.9_disable_ftp.sh | 3 + bin/hardening/7.1.1_disable_ip_forwarding.sh | 3 + .../7.1.2_disable_send_packet_redirects.sh | 3 + .../7.2.1_disable_source_routed_packets.sh | 2 + bin/hardening/7.2.2_disable_icmp_redirect.sh | 2 + .../7.2.3_disable_secure_icmp_redirect.sh | 2 + bin/hardening/7.2.4_log_martian_packets.sh | 2 + .../7.2.5_ignore_broadcast_requests.sh | 2 + ...2.6_enable_bad_error_message_protection.sh | 2 + .../7.2.7_enable_source_route_validation.sh | 2 + bin/hardening/7.2.8_enable_tcp_syn_cookies.sh | 2 + ...7.3.1_disable_ipv6_router_advertisement.sh | 2 + bin/hardening/7.3.2_disable_ipv6_redirect.sh | 2 + bin/hardening/7.3.3_disable_ipv6.sh | 2 + bin/hardening/7.4.1_install_tcp_wrapper.sh | 2 + bin/hardening/7.4.2_hosts_allow.sh | 2 + .../7.4.3_hosts_allow_permissions.sh | 2 + 
bin/hardening/7.4.4_hosts_deny.sh | 2 + bin/hardening/7.4.5_hosts_deny_permissions.sh | 2 + bin/hardening/7.5.1_disable_dccp.sh | 2 + bin/hardening/7.5.2_disable_sctp.sh | 2 + bin/hardening/7.5.3_disable_rds.sh | 2 + bin/hardening/7.5.4_disable_tipc.sh | 2 + bin/hardening/7.6_disable_wireless.sh | 2 + bin/hardening/7.7_enable_firewall.sh | 2 + bin/hardening/8.0_enable_auditd_kernel.sh | 2 + bin/hardening/8.1.1.1_audit_log_storage.sh | 2 + .../8.1.1.2_halt_when_audit_log_full.sh | 2 + bin/hardening/8.1.1.3_keep_all_audit_logs.sh | 2 + bin/hardening/8.1.10_record_dac_edit.sh | 2 + .../8.1.11_record_failed_access_file.sh | 2 + .../8.1.12_record_privileged_commands.sh | 2 + .../8.1.13_record_successful_mount.sh | 2 + bin/hardening/8.1.14_record_file_deletions.sh | 2 + bin/hardening/8.1.15_record_sudoers_edit.sh | 2 + bin/hardening/8.1.16_record_sudo_usage.sh | 2 + bin/hardening/8.1.17_record_kernel_modules.sh | 2 + bin/hardening/8.1.18_freeze_auditd_conf.sh | 2 + bin/hardening/8.1.2_enable_auditd.sh | 2 + bin/hardening/8.1.3_audit_bootloader.sh | 2 + bin/hardening/8.1.4_record_date_time_edit.sh | 2 + bin/hardening/8.1.5_record_user_group_edit.sh | 2 + bin/hardening/8.1.6_record_network_edit.sh | 2 + bin/hardening/8.1.7_record_mac_edit.sh | 2 + bin/hardening/8.1.8_record_login_logout.sh | 2 + bin/hardening/8.1.9_record_session_init.sh | 2 + bin/hardening/8.2.1_install_syslog-ng.sh | 2 + bin/hardening/8.2.2_enable_syslog-ng.sh | 2 + bin/hardening/8.2.3_configure_syslog-ng.sh | 2 + bin/hardening/8.2.4_set_logfile_perm.sh | 10 ++ bin/hardening/8.2.5_syslog-ng_remote_host.sh | 10 ++ bin/hardening/8.2.6_remote_syslog-ng_acl.sh | 2 + bin/hardening/8.3.1_install_tripwire.sh | 2 + bin/hardening/8.3.2_tripwire_cron.sh | 2 + bin/hardening/8.4_configure_logrotate.sh | 2 + bin/hardening/9.1.1_enable_cron.sh | 2 + bin/hardening/9.1.2_crontab_perm_ownership.sh | 2 + .../9.1.3_cron_hourly_perm_ownership.sh | 2 + .../9.1.4_cron_daily_perm_ownership.sh | 2 + 
.../9.1.5_cron_weekly_perm_ownership.sh | 2 + .../9.1.6_cron_monthly_perm_ownership.sh | 2 + bin/hardening/9.1.7_cron_d_perm_ownership.sh | 2 + bin/hardening/9.1.8_cron_users.sh | 2 + bin/hardening/9.2.1_enable_cracklib.sh | 2 + .../9.2.2_enable_lockout_failed_password.sh | 2 + bin/hardening/9.2.3_limit_password_reuse.sh | 2 + bin/hardening/9.3.10_disable_sshd_setenv.sh | 2 + bin/hardening/9.3.11_sshd_ciphers.sh | 2 + bin/hardening/9.3.12_sshd_idle_timeout.sh | 13 +++ bin/hardening/9.3.13_sshd_limit_access.sh | 15 +++ bin/hardening/9.3.14_ssh_banner.sh | 11 +++ bin/hardening/9.3.1_sshd_protocol.sh | 2 + bin/hardening/9.3.2_sshd_loglevel.sh | 2 + .../9.3.3_sshd_conf_perm_ownership.sh | 2 + bin/hardening/9.3.4_disable_x11_forwarding.sh | 2 + bin/hardening/9.3.5_sshd_maxauthtries.sh | 2 + .../9.3.6_enable_sshd_ignorerhosts.sh | 2 + ....7_disable_sshd_hostbasedauthentication.sh | 2 + bin/hardening/9.3.8_disable_root_login.sh | 2 + ...9.3.9_disable_sshd_permitemptypasswords.sh | 2 + bin/hardening/9.4_secure_tty.sh | 2 + bin/hardening/9.5_restrict_su.sh | 2 + etc/conf.d/.gitignore | 1 + etc/conf.d/1.1_install_updates.cfg | 2 - etc/conf.d/10.1.1_set_password_exp_days.cfg | 2 - .../10.1.2_set_password_min_days_change.cfg | 2 - .../10.1.3_set_password_exp_warning_days.cfg | 2 - etc/conf.d/10.2_disable_system_accounts.cfg | 4 - etc/conf.d/10.3_default_root_group.cfg | 2 - etc/conf.d/10.4_default_umask.cfg | 2 - .../10.5_lock_inactive_user_account.cfg | 2 - etc/conf.d/11.1_warning_banners.cfg | 2 - .../11.2_remove_os_info_warning_banners.cfg | 2 - etc/conf.d/11.3_graphical_warning_banners.cfg | 2 - etc/conf.d/12.10_find_suid_files.cfg | 5 - etc/conf.d/12.11_find_sgid_files.cfg | 4 - etc/conf.d/12.1_etc_passwd_permissions.cfg | 2 - etc/conf.d/12.2_etc_shadow_permissions.cfg | 2 - etc/conf.d/12.3_etc_group_permissions.cfg | 2 - etc/conf.d/12.4_etc_passwd_ownership.cfg | 2 - etc/conf.d/12.5_etc_shadow_ownership.cfg | 2 - etc/conf.d/12.6_etc_group_ownership.cfg | 2 - 
etc/conf.d/12.7_find_world_writable_file.cfg | 2 - etc/conf.d/12.8_find_unowned_files.cfg | 2 - etc/conf.d/12.9_find_ungrouped_files.cfg | 2 - etc/conf.d/13.10_find_user_rhosts_files.cfg | 2 - ...3.11_find_passwd_group_inconsistencies.cfg | 2 - etc/conf.d/13.12_users_valid_homedir.cfg | 2 - .../13.13_check_user_homedir_ownership.cfg | 2 - etc/conf.d/13.14_check_duplicate_uid.cfg | 2 - etc/conf.d/13.15_check_duplicate_gid.cfg | 2 - etc/conf.d/13.16_check_duplicate_username.cfg | 2 - .../13.17_check_duplicate_groupname.cfg | 2 - etc/conf.d/13.18_find_user_netrc_files.cfg | 2 - etc/conf.d/13.19_find_user_forward_files.cfg | 2 - .../13.1_remove_empty_password_field.cfg | 2 - etc/conf.d/13.20_shadow_group_empty.cfg | 2 - .../13.2_remove_legacy_passwd_entries.cfg | 2 - .../13.3_remove_legacy_shadow_entries.cfg | 2 - .../13.4_remove_legacy_group_entries.cfg | 2 - .../13.5_find_0_uid_non_root_account.cfg | 4 - etc/conf.d/13.6_sanitize_root_path.cfg | 2 - etc/conf.d/13.7_check_user_dir_perm.cfg | 4 - etc/conf.d/13.8_check_user_dot_file_perm.cfg | 2 - etc/conf.d/13.9_set_perm_on_user_netrc.cfg | 2 - etc/conf.d/2.10_home_nodev.cfg | 2 - etc/conf.d/2.11_removable_device_nodev.cfg | 2 - etc/conf.d/2.12_removable_device_noexec.cfg | 2 - etc/conf.d/2.13_removable_device_nosuid.cfg | 2 - etc/conf.d/2.14_run_shm_nodev.cfg | 2 - etc/conf.d/2.15_run_shm_nosuid.cfg | 2 - etc/conf.d/2.16_run_shm_noexec.cfg | 2 - .../2.17_sticky_bit_world_writable_folder.cfg | 2 - etc/conf.d/2.18_disable_cramfs.cfg | 2 - etc/conf.d/2.19_disable_freevxfs.cfg | 2 - etc/conf.d/2.1_tmp_partition.cfg | 2 - etc/conf.d/2.20_disable_jffs2.cfg | 2 - etc/conf.d/2.21_disable_hfs.cfg | 2 - etc/conf.d/2.22_disable_hfsplus.cfg | 2 - etc/conf.d/2.23_disable_squashfs.cfg | 2 - etc/conf.d/2.24_disable_udf.cfg | 2 - etc/conf.d/2.25_disable_automounting.cfg | 2 - etc/conf.d/2.2_tmp_nodev.cfg | 2 - etc/conf.d/2.3_tmp_nosuid.cfg | 2 - etc/conf.d/2.4_tmp_noexec.cfg | 2 - etc/conf.d/2.5_var_partition.cfg | 2 - 
etc/conf.d/2.6.1_var_tmp_partition.cfg | 2 - etc/conf.d/2.6.2_var_tmp_nodev.cfg | 2 - etc/conf.d/2.6.3_var_tmp_nosuid.cfg | 2 - etc/conf.d/2.6.4_var_tmp_noexec.cfg | 2 - etc/conf.d/2.7_var_log_partition.cfg | 2 - etc/conf.d/2.8_var_log_audit_partition.cfg | 2 - etc/conf.d/2.9_home_partition.cfg | 2 - etc/conf.d/3.1_bootloader_ownership.cfg | 2 - etc/conf.d/3.2_bootloader_permissions.cfg | 2 - etc/conf.d/3.3_bootloader_password.cfg | 2 - etc/conf.d/3.4_root_password.cfg | 2 - etc/conf.d/4.1_restrict_core_dumps.cfg | 2 - etc/conf.d/4.2_enable_nx_support.cfg | 2 - .../4.3_enable_randomized_vm_placement.cfg | 2 - etc/conf.d/4.4_disable_prelink.cfg | 2 - etc/conf.d/4.5_enable_apparmor.cfg | 2 - etc/conf.d/5.1.1_disable_nis.cfg | 2 - etc/conf.d/5.1.2_disable_rsh.cfg | 2 - etc/conf.d/5.1.3_disable_rsh_client.cfg | 2 - etc/conf.d/5.1.4_disable_talk.cfg | 2 - etc/conf.d/5.1.5_disable_talk_client.cfg | 2 - etc/conf.d/5.1.6_disable_telnet_server.cfg | 2 - etc/conf.d/5.1.7_disable_tftp_server.cfg | 2 - etc/conf.d/5.1.8_disable_inetd.cfg | 2 - etc/conf.d/5.2_disable_chargen.cfg | 2 - etc/conf.d/5.3_disable_daytime.cfg | 2 - etc/conf.d/5.4_disable_echo.cfg | 2 - etc/conf.d/5.5_disable_discard.cfg | 2 - etc/conf.d/5.6_disable_time.cfg | 2 - etc/conf.d/6.10_disable_http_server.cfg | 2 - etc/conf.d/6.11_disable_imap_pop.cfg | 2 - etc/conf.d/6.12_disable_samba.cfg | 2 - etc/conf.d/6.13_disable_http_proxy.cfg | 2 - etc/conf.d/6.14_disable_snmp_server.cfg | 2 - etc/conf.d/6.15_mta_localhost.cfg | 2 - etc/conf.d/6.16_disable_rsync.cfg | 2 - etc/conf.d/6.1_disable_xwindow_system.cfg | 2 - etc/conf.d/6.2_disable_avahi_server.cfg | 2 - etc/conf.d/6.3_disable_print_server.cfg | 2 - etc/conf.d/6.4_disable_dhcp.cfg | 2 - etc/conf.d/6.5_configure_ntp.cfg | 2 - etc/conf.d/6.6_disable_ldap.cfg | 2 - etc/conf.d/6.7_disable_nfs_rpc.cfg | 2 - etc/conf.d/6.8_disable_dns_server.cfg | 2 - etc/conf.d/6.9_disable_ftp.cfg | 2 - etc/conf.d/7.1.1_disable_ip_forwarding.cfg | 2 - 
.../7.1.2_disable_send_packet_redirects.cfg | 2 - .../7.2.1_disable_source_routed_packets.cfg | 2 - etc/conf.d/7.2.2_disable_icmp_redirect.cfg | 2 - .../7.2.3_disable_secure_icmp_redirect.cfg | 2 - etc/conf.d/7.2.4_log_martian_packets.cfg | 2 - .../7.2.5_ignore_broadcast_requests.cfg | 2 - ....6_enable_bad_error_message_protection.cfg | 2 - .../7.2.7_enable_source_route_validation.cfg | 2 - etc/conf.d/7.2.8_enable_tcp_syn_cookies.cfg | 2 - ....3.1_disable_ipv6_router_advertisement.cfg | 2 - etc/conf.d/7.3.2_disable_ipv6_redirect.cfg | 2 - etc/conf.d/7.3.3_disable_ipv6.cfg | 2 - etc/conf.d/7.4.1_install_tcp_wrapper.cfg | 2 - etc/conf.d/7.4.2_hosts_allow.cfg | 2 - etc/conf.d/7.4.3_hosts_allow_permissions.cfg | 2 - etc/conf.d/7.4.4_hosts_deny.cfg | 2 - etc/conf.d/7.4.5_hosts_deny_permissions.cfg | 2 - etc/conf.d/7.5.1_disable_dccp.cfg | 2 - etc/conf.d/7.5.2_disable_sctp.cfg | 2 - etc/conf.d/7.5.3_disable_rds.cfg | 2 - etc/conf.d/7.5.4_disable_tipc.cfg | 2 - etc/conf.d/7.6_disable_wireless.cfg | 2 - etc/conf.d/7.7_enable_firewall.cfg | 2 - etc/conf.d/8.0_enable_auditd_kernel.cfg | 2 - etc/conf.d/8.1.1.1_audit_log_storage.cfg | 2 - .../8.1.1.2_halt_when_audit_log_full.cfg | 2 - etc/conf.d/8.1.1.3_keep_all_audit_logs.cfg | 2 - etc/conf.d/8.1.10_record_dac_edit.cfg | 2 - .../8.1.11_record_failed_access_file.cfg | 2 - .../8.1.12_record_privileged_commands.cfg | 2 - etc/conf.d/8.1.13_record_successful_mount.cfg | 2 - etc/conf.d/8.1.14_record_file_deletions.cfg | 2 - etc/conf.d/8.1.15_record_sudoers_edit.cfg | 2 - etc/conf.d/8.1.16_record_sudo_usage.cfg | 2 - etc/conf.d/8.1.17_record_kernel_modules.cfg | 2 - etc/conf.d/8.1.18_freeze_auditd_conf.cfg | 2 - etc/conf.d/8.1.2_enable_auditd.cfg | 2 - etc/conf.d/8.1.3_audit_bootloader.cfg | 2 - etc/conf.d/8.1.4_record_date_time_edit.cfg | 2 - etc/conf.d/8.1.5_record_user_group_edit.cfg | 2 - etc/conf.d/8.1.6_record_network_edit.cfg | 2 - etc/conf.d/8.1.7_record_mac_edit.cfg | 2 - etc/conf.d/8.1.8_record_login_logout.cfg | 2 - 
etc/conf.d/8.1.9_record_session_init.cfg | 2 - etc/conf.d/8.2.1_install_syslog-ng.cfg | 2 - etc/conf.d/8.2.2_enable_syslog-ng.cfg | 2 - etc/conf.d/8.2.3_configure_syslog-ng.cfg | 2 - etc/conf.d/8.2.4_set_logfile_perm.cfg | 3 - etc/conf.d/8.2.5_syslog-ng_remote_host.cfg | 3 - etc/conf.d/8.2.6_remote_syslog-ng_acl.cfg | 2 - etc/conf.d/8.3.1_install_tripwire.cfg | 2 - etc/conf.d/8.3.2_tripwire_cron.cfg | 2 - etc/conf.d/8.4_configure_logrotate.cfg | 2 - etc/conf.d/9.1.1_enable_cron.cfg | 2 - etc/conf.d/9.1.2_crontab_perm_ownership.cfg | 2 - .../9.1.3_cron_hourly_perm_ownership.cfg | 2 - .../9.1.4_cron_daily_perm_ownership.cfg | 2 - .../9.1.5_cron_weekly_perm_ownership.cfg | 2 - .../9.1.6_cron_monthly_perm_ownership.cfg | 2 - etc/conf.d/9.1.7_cron_d_perm_ownership.cfg | 2 - etc/conf.d/9.1.8_cron_users.cfg | 2 - etc/conf.d/9.2.1_enable_cracklib.cfg | 2 - .../9.2.2_enable_lockout_failed_password.cfg | 2 - etc/conf.d/9.2.3_limit_password_reuse.cfg | 2 - etc/conf.d/9.3.10_disable_sshd_setenv.cfg | 2 - etc/conf.d/9.3.11_sshd_ciphers.cfg | 2 - etc/conf.d/9.3.12_sshd_idle_timeout.cfg | 5 - etc/conf.d/9.3.13_sshd_limit_access.cfg | 9 -- etc/conf.d/9.3.14_ssh_banner.cfg | 4 - etc/conf.d/9.3.1_sshd_protocol.cfg | 2 - etc/conf.d/9.3.2_sshd_loglevel.cfg | 2 - etc/conf.d/9.3.3_sshd_conf_perm_ownership.cfg | 2 - etc/conf.d/9.3.4_disable_x11_forwarding.cfg | 2 - etc/conf.d/9.3.5_sshd_maxauthtries.cfg | 2 - etc/conf.d/9.3.6_enable_sshd_ignorerhosts.cfg | 2 - ...7_disable_sshd_hostbasedauthentication.cfg | 2 - etc/conf.d/9.3.8_disable_root_login.cfg | 2 - ....3.9_disable_sshd_permitemptypasswords.cfg | 2 - etc/conf.d/9.4_secure_tty.cfg | 2 - etc/conf.d/9.5_restrict_su.cfg | 2 - etc/conf.d/99.1_timeout_tty.cfg | 2 - etc/conf.d/99.2_disable_usb_devices.cfg | 2 - lib/common.sh | 6 +- lib/main.sh | 48 +++++++--- lib/utils.sh | 33 ++++++- 386 files changed, 701 insertions(+), 449 deletions(-) delete mode 100644 etc/conf.d/1.1_install_updates.cfg delete mode 100644 
etc/conf.d/10.1.1_set_password_exp_days.cfg delete mode 100644 etc/conf.d/10.1.2_set_password_min_days_change.cfg delete mode 100644 etc/conf.d/10.1.3_set_password_exp_warning_days.cfg delete mode 100644 etc/conf.d/10.2_disable_system_accounts.cfg delete mode 100644 etc/conf.d/10.3_default_root_group.cfg delete mode 100644 etc/conf.d/10.4_default_umask.cfg delete mode 100644 etc/conf.d/10.5_lock_inactive_user_account.cfg delete mode 100644 etc/conf.d/11.1_warning_banners.cfg delete mode 100644 etc/conf.d/11.2_remove_os_info_warning_banners.cfg delete mode 100644 etc/conf.d/11.3_graphical_warning_banners.cfg delete mode 100644 etc/conf.d/12.10_find_suid_files.cfg delete mode 100644 etc/conf.d/12.11_find_sgid_files.cfg delete mode 100644 etc/conf.d/12.1_etc_passwd_permissions.cfg delete mode 100644 etc/conf.d/12.2_etc_shadow_permissions.cfg delete mode 100644 etc/conf.d/12.3_etc_group_permissions.cfg delete mode 100644 etc/conf.d/12.4_etc_passwd_ownership.cfg delete mode 100644 etc/conf.d/12.5_etc_shadow_ownership.cfg delete mode 100644 etc/conf.d/12.6_etc_group_ownership.cfg delete mode 100644 etc/conf.d/12.7_find_world_writable_file.cfg delete mode 100644 etc/conf.d/12.8_find_unowned_files.cfg delete mode 100644 etc/conf.d/12.9_find_ungrouped_files.cfg delete mode 100644 etc/conf.d/13.10_find_user_rhosts_files.cfg delete mode 100644 etc/conf.d/13.11_find_passwd_group_inconsistencies.cfg delete mode 100644 etc/conf.d/13.12_users_valid_homedir.cfg delete mode 100644 etc/conf.d/13.13_check_user_homedir_ownership.cfg delete mode 100644 etc/conf.d/13.14_check_duplicate_uid.cfg delete mode 100644 etc/conf.d/13.15_check_duplicate_gid.cfg delete mode 100644 etc/conf.d/13.16_check_duplicate_username.cfg delete mode 100644 etc/conf.d/13.17_check_duplicate_groupname.cfg delete mode 100644 etc/conf.d/13.18_find_user_netrc_files.cfg delete mode 100644 etc/conf.d/13.19_find_user_forward_files.cfg delete mode 100644 etc/conf.d/13.1_remove_empty_password_field.cfg delete mode 
100644 etc/conf.d/13.20_shadow_group_empty.cfg delete mode 100644 etc/conf.d/13.2_remove_legacy_passwd_entries.cfg delete mode 100644 etc/conf.d/13.3_remove_legacy_shadow_entries.cfg delete mode 100644 etc/conf.d/13.4_remove_legacy_group_entries.cfg delete mode 100644 etc/conf.d/13.5_find_0_uid_non_root_account.cfg delete mode 100644 etc/conf.d/13.6_sanitize_root_path.cfg delete mode 100644 etc/conf.d/13.7_check_user_dir_perm.cfg delete mode 100644 etc/conf.d/13.8_check_user_dot_file_perm.cfg delete mode 100644 etc/conf.d/13.9_set_perm_on_user_netrc.cfg delete mode 100644 etc/conf.d/2.10_home_nodev.cfg delete mode 100644 etc/conf.d/2.11_removable_device_nodev.cfg delete mode 100644 etc/conf.d/2.12_removable_device_noexec.cfg delete mode 100644 etc/conf.d/2.13_removable_device_nosuid.cfg delete mode 100644 etc/conf.d/2.14_run_shm_nodev.cfg delete mode 100644 etc/conf.d/2.15_run_shm_nosuid.cfg delete mode 100644 etc/conf.d/2.16_run_shm_noexec.cfg delete mode 100644 etc/conf.d/2.17_sticky_bit_world_writable_folder.cfg delete mode 100644 etc/conf.d/2.18_disable_cramfs.cfg delete mode 100644 etc/conf.d/2.19_disable_freevxfs.cfg delete mode 100644 etc/conf.d/2.1_tmp_partition.cfg delete mode 100644 etc/conf.d/2.20_disable_jffs2.cfg delete mode 100644 etc/conf.d/2.21_disable_hfs.cfg delete mode 100644 etc/conf.d/2.22_disable_hfsplus.cfg delete mode 100644 etc/conf.d/2.23_disable_squashfs.cfg delete mode 100644 etc/conf.d/2.24_disable_udf.cfg delete mode 100644 etc/conf.d/2.25_disable_automounting.cfg delete mode 100644 etc/conf.d/2.2_tmp_nodev.cfg delete mode 100644 etc/conf.d/2.3_tmp_nosuid.cfg delete mode 100644 etc/conf.d/2.4_tmp_noexec.cfg delete mode 100644 etc/conf.d/2.5_var_partition.cfg delete mode 100644 etc/conf.d/2.6.1_var_tmp_partition.cfg delete mode 100644 etc/conf.d/2.6.2_var_tmp_nodev.cfg delete mode 100644 etc/conf.d/2.6.3_var_tmp_nosuid.cfg delete mode 100644 etc/conf.d/2.6.4_var_tmp_noexec.cfg delete mode 100644 etc/conf.d/2.7_var_log_partition.cfg 
delete mode 100644 etc/conf.d/2.8_var_log_audit_partition.cfg delete mode 100644 etc/conf.d/2.9_home_partition.cfg delete mode 100644 etc/conf.d/3.1_bootloader_ownership.cfg delete mode 100644 etc/conf.d/3.2_bootloader_permissions.cfg delete mode 100644 etc/conf.d/3.3_bootloader_password.cfg delete mode 100644 etc/conf.d/3.4_root_password.cfg delete mode 100644 etc/conf.d/4.1_restrict_core_dumps.cfg delete mode 100644 etc/conf.d/4.2_enable_nx_support.cfg delete mode 100644 etc/conf.d/4.3_enable_randomized_vm_placement.cfg delete mode 100644 etc/conf.d/4.4_disable_prelink.cfg delete mode 100644 etc/conf.d/4.5_enable_apparmor.cfg delete mode 100644 etc/conf.d/5.1.1_disable_nis.cfg delete mode 100644 etc/conf.d/5.1.2_disable_rsh.cfg delete mode 100644 etc/conf.d/5.1.3_disable_rsh_client.cfg delete mode 100644 etc/conf.d/5.1.4_disable_talk.cfg delete mode 100644 etc/conf.d/5.1.5_disable_talk_client.cfg delete mode 100644 etc/conf.d/5.1.6_disable_telnet_server.cfg delete mode 100644 etc/conf.d/5.1.7_disable_tftp_server.cfg delete mode 100644 etc/conf.d/5.1.8_disable_inetd.cfg delete mode 100644 etc/conf.d/5.2_disable_chargen.cfg delete mode 100644 etc/conf.d/5.3_disable_daytime.cfg delete mode 100644 etc/conf.d/5.4_disable_echo.cfg delete mode 100644 etc/conf.d/5.5_disable_discard.cfg delete mode 100644 etc/conf.d/5.6_disable_time.cfg delete mode 100644 etc/conf.d/6.10_disable_http_server.cfg delete mode 100644 etc/conf.d/6.11_disable_imap_pop.cfg delete mode 100644 etc/conf.d/6.12_disable_samba.cfg delete mode 100644 etc/conf.d/6.13_disable_http_proxy.cfg delete mode 100644 etc/conf.d/6.14_disable_snmp_server.cfg delete mode 100644 etc/conf.d/6.15_mta_localhost.cfg delete mode 100644 etc/conf.d/6.16_disable_rsync.cfg delete mode 100644 etc/conf.d/6.1_disable_xwindow_system.cfg delete mode 100644 etc/conf.d/6.2_disable_avahi_server.cfg delete mode 100644 etc/conf.d/6.3_disable_print_server.cfg delete mode 100644 etc/conf.d/6.4_disable_dhcp.cfg delete mode 100644 
etc/conf.d/6.5_configure_ntp.cfg delete mode 100644 etc/conf.d/6.6_disable_ldap.cfg delete mode 100644 etc/conf.d/6.7_disable_nfs_rpc.cfg delete mode 100644 etc/conf.d/6.8_disable_dns_server.cfg delete mode 100644 etc/conf.d/6.9_disable_ftp.cfg delete mode 100644 etc/conf.d/7.1.1_disable_ip_forwarding.cfg delete mode 100644 etc/conf.d/7.1.2_disable_send_packet_redirects.cfg delete mode 100644 etc/conf.d/7.2.1_disable_source_routed_packets.cfg delete mode 100644 etc/conf.d/7.2.2_disable_icmp_redirect.cfg delete mode 100644 etc/conf.d/7.2.3_disable_secure_icmp_redirect.cfg delete mode 100644 etc/conf.d/7.2.4_log_martian_packets.cfg delete mode 100644 etc/conf.d/7.2.5_ignore_broadcast_requests.cfg delete mode 100644 etc/conf.d/7.2.6_enable_bad_error_message_protection.cfg delete mode 100644 etc/conf.d/7.2.7_enable_source_route_validation.cfg delete mode 100644 etc/conf.d/7.2.8_enable_tcp_syn_cookies.cfg delete mode 100644 etc/conf.d/7.3.1_disable_ipv6_router_advertisement.cfg delete mode 100644 etc/conf.d/7.3.2_disable_ipv6_redirect.cfg delete mode 100644 etc/conf.d/7.3.3_disable_ipv6.cfg delete mode 100644 etc/conf.d/7.4.1_install_tcp_wrapper.cfg delete mode 100644 etc/conf.d/7.4.2_hosts_allow.cfg delete mode 100644 etc/conf.d/7.4.3_hosts_allow_permissions.cfg delete mode 100644 etc/conf.d/7.4.4_hosts_deny.cfg delete mode 100644 etc/conf.d/7.4.5_hosts_deny_permissions.cfg delete mode 100644 etc/conf.d/7.5.1_disable_dccp.cfg delete mode 100644 etc/conf.d/7.5.2_disable_sctp.cfg delete mode 100644 etc/conf.d/7.5.3_disable_rds.cfg delete mode 100644 etc/conf.d/7.5.4_disable_tipc.cfg delete mode 100644 etc/conf.d/7.6_disable_wireless.cfg delete mode 100644 etc/conf.d/7.7_enable_firewall.cfg delete mode 100644 etc/conf.d/8.0_enable_auditd_kernel.cfg delete mode 100644 etc/conf.d/8.1.1.1_audit_log_storage.cfg delete mode 100644 etc/conf.d/8.1.1.2_halt_when_audit_log_full.cfg delete mode 100644 etc/conf.d/8.1.1.3_keep_all_audit_logs.cfg delete mode 100644 
etc/conf.d/8.1.10_record_dac_edit.cfg delete mode 100644 etc/conf.d/8.1.11_record_failed_access_file.cfg delete mode 100644 etc/conf.d/8.1.12_record_privileged_commands.cfg delete mode 100644 etc/conf.d/8.1.13_record_successful_mount.cfg delete mode 100644 etc/conf.d/8.1.14_record_file_deletions.cfg delete mode 100644 etc/conf.d/8.1.15_record_sudoers_edit.cfg delete mode 100644 etc/conf.d/8.1.16_record_sudo_usage.cfg delete mode 100644 etc/conf.d/8.1.17_record_kernel_modules.cfg delete mode 100644 etc/conf.d/8.1.18_freeze_auditd_conf.cfg delete mode 100644 etc/conf.d/8.1.2_enable_auditd.cfg delete mode 100644 etc/conf.d/8.1.3_audit_bootloader.cfg delete mode 100644 etc/conf.d/8.1.4_record_date_time_edit.cfg delete mode 100644 etc/conf.d/8.1.5_record_user_group_edit.cfg delete mode 100644 etc/conf.d/8.1.6_record_network_edit.cfg delete mode 100644 etc/conf.d/8.1.7_record_mac_edit.cfg delete mode 100644 etc/conf.d/8.1.8_record_login_logout.cfg delete mode 100644 etc/conf.d/8.1.9_record_session_init.cfg delete mode 100644 etc/conf.d/8.2.1_install_syslog-ng.cfg delete mode 100644 etc/conf.d/8.2.2_enable_syslog-ng.cfg delete mode 100644 etc/conf.d/8.2.3_configure_syslog-ng.cfg delete mode 100644 etc/conf.d/8.2.4_set_logfile_perm.cfg delete mode 100644 etc/conf.d/8.2.5_syslog-ng_remote_host.cfg delete mode 100644 etc/conf.d/8.2.6_remote_syslog-ng_acl.cfg delete mode 100644 etc/conf.d/8.3.1_install_tripwire.cfg delete mode 100644 etc/conf.d/8.3.2_tripwire_cron.cfg delete mode 100644 etc/conf.d/8.4_configure_logrotate.cfg delete mode 100644 etc/conf.d/9.1.1_enable_cron.cfg delete mode 100644 etc/conf.d/9.1.2_crontab_perm_ownership.cfg delete mode 100644 etc/conf.d/9.1.3_cron_hourly_perm_ownership.cfg delete mode 100644 etc/conf.d/9.1.4_cron_daily_perm_ownership.cfg delete mode 100644 etc/conf.d/9.1.5_cron_weekly_perm_ownership.cfg delete mode 100644 etc/conf.d/9.1.6_cron_monthly_perm_ownership.cfg delete mode 100644 etc/conf.d/9.1.7_cron_d_perm_ownership.cfg delete mode 
100644 etc/conf.d/9.1.8_cron_users.cfg
delete mode 100644 etc/conf.d/9.2.1_enable_cracklib.cfg
delete mode 100644 etc/conf.d/9.2.2_enable_lockout_failed_password.cfg
delete mode 100644 etc/conf.d/9.2.3_limit_password_reuse.cfg
delete mode 100644 etc/conf.d/9.3.10_disable_sshd_setenv.cfg
delete mode 100644 etc/conf.d/9.3.11_sshd_ciphers.cfg
delete mode 100644 etc/conf.d/9.3.12_sshd_idle_timeout.cfg
delete mode 100644 etc/conf.d/9.3.13_sshd_limit_access.cfg
delete mode 100644 etc/conf.d/9.3.14_ssh_banner.cfg
delete mode 100644 etc/conf.d/9.3.1_sshd_protocol.cfg
delete mode 100644 etc/conf.d/9.3.2_sshd_loglevel.cfg
delete mode 100644 etc/conf.d/9.3.3_sshd_conf_perm_ownership.cfg
delete mode 100644 etc/conf.d/9.3.4_disable_x11_forwarding.cfg
delete mode 100644 etc/conf.d/9.3.5_sshd_maxauthtries.cfg
delete mode 100644 etc/conf.d/9.3.6_enable_sshd_ignorerhosts.cfg
delete mode 100644 etc/conf.d/9.3.7_disable_sshd_hostbasedauthentication.cfg
delete mode 100644 etc/conf.d/9.3.8_disable_root_login.cfg
delete mode 100644 etc/conf.d/9.3.9_disable_sshd_permitemptypasswords.cfg
delete mode 100644 etc/conf.d/9.4_secure_tty.cfg
delete mode 100644 etc/conf.d/9.5_restrict_su.cfg
delete mode 100644 etc/conf.d/99.1_timeout_tty.cfg
delete mode 100644 etc/conf.d/99.2_disable_usb_devices.cfg
diff --git a/AUTHORS b/AUTHORS
index 0934611..e46d827 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -2,6 +2,7 @@ Contributors of this project :
 
 Developers :
 Thibault Dewailly, OVH
+ Stéphane Lesimple, OVH
 
 Debian package maintainers :
 Kevin Tanguy, OVH
diff --git a/bin/hardening.sh b/bin/hardening.sh
index 573fe26..d6291a0 100755
--- a/bin/hardening.sh
+++ b/bin/hardening.sh
@@ -20,11 +20,13 @@ AUDIT=0
 APPLY=0
 AUDIT_ALL=0
 AUDIT_ALL_ENABLE_PASSED=0
+ALLOW_SERVICE_LIST=0
+SET_HARDENING_LEVEL=0
 CIS_ROOT_DIR=''
 
 usage() {
 cat << EOF
-$LONG_SCRIPT_NAME RUN_MODE, where RUN_MODE is one of:
+$LONG_SCRIPT_NAME [OPTIONS], where RUN_MODE is one of:
 
 --help -h
 Show this help
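Review bot: The new synopsis `$LONG_SCRIPT_NAME [OPTIONS], where RUN_MODE is one of:` drops RUN_MODE from the command line while the rest of the sentence still refers to it, so the reader is told about a placeholder that never appears in the synopsis. `$LONG_SCRIPT_NAME RUN_MODE [OPTIONS], where RUN_MODE is one of:` keeps both the mandatory mode and the new options visible. The usage() heredoc that this line opens continues past the end of this hunk.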
@@ -53,6 +55,35 @@ $LONG_SCRIPT_NAME RUN_MODE, where RUN_MODE is one of:
 Don't run this if you have already customized the scripts
 enable/disable configurations, obviously.
 
+ --set-hardening-level
+ Modifies the configuration to enable/disable tests given an hardening level,
+ between 1 to 5. Don't run this if you have already customized the scripts
+ enable/disable configurations.
+ 1: very basic policy, failure to pass tests at this level indicates severe
+ misconfiguration of the machine that can have a huge security impact
+ 2: basic policy, some good practice rules that, once applied, shouldn't
+ break anything on most systems
+ 3: best practices policy, passing all tests might need some configuration
+ modifications (such as specific partitioning, etc.)
+ 4: high security policy, passing all tests might be time-consuming and
+ require high adaptation of your workflow
+ 5: placebo, policy rules that might be very difficult to apply and maintain,
+ with questionable security benefits
+
+ --allow-service
+ Use with --set-hardening-level.
+ Modifies the policy to allow a certain kind of services on the machine, such
+ as http, mail, etc. Can be specified multiple times to allow multiple services.
+ Use --allow-service-list to get a list of supported services.
+
+OPTIONS:
+
+ --only
+ Modifies the RUN_MODE to only work on the test_number script.
+ Can be specified multiple times to work only on several scripts.
+ The test number is the numbered prefix of the script,
+ i.e. the test number of 1.2_script_name.sh is 1.2.
+
 EOF
 exit 0
 }
@@ -61,6 +92,8 @@ if [ $# = 0 ]; then
 usage
 fi
 
+declare -a TEST_LIST ALLOWED_SERVICES_LIST
+
 # Arguments parsing
 while [[ $# > 0 ]]; do
 ARG="$1"
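Review bot: The new --set-hardening-level help text has two wording slips: `given an hardening level, between 1 to 5` should read `given a hardening level, between 1 and 5`. The --only paragraph explains what a test number is but not whether the value must be the full number or whether a shorter one such as `1` selects a whole group, which is the first thing a user typing it will wonder; one sentence such as `The value must be the full test number (e.g. 1.2), one script per --only.` would settle it. The usage() heredoc starts before this hunk.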
@@ -77,6 +110,21 @@ while [[ $# > 0 ]]; do
 --apply)
 APPLY=1
 ;;
+ --allow-service-list)
+ ALLOW_SERVICE_LIST=1
+ ;;
+ --allow-service)
+ ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2"
+ shift
+ ;;
+ --set-hardening-level)
+ SET_HARDENING_LEVEL="$2"
+ shift
+ ;;
+ --only)
+ TEST_LIST[${#TEST_LIST[@]}]="$2"
+ shift
+ ;;
 -h|--help)
 usage
 ;;
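Review bot: The three new arms that take a value (`--allow-service`, `--set-hardening-level`, `--only`) read `$2` and `shift` without checking that a value was actually supplied, so an option given as the last argument stores an empty string; for `--set-hardening-level` that empty value later fails the `-n` test and the script falls through to a normal run instead of reporting the mistake, and if the script runs with `set -u` (not visible in this hunk) the bare `$2` would abort with an unbound-variable error instead. A guard before each of the three assignments makes the error explicit: `[ -n "${2:-}" ] || { echo "$ARG requires a value" >&2; exit 1; }`. The surrounding while/case loop starts and ends outside this hunk.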
@@ -104,8 +152,51 @@ fi [ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh [ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh +# If --allow-service-list is specified, don't run anything, just list the supported services +if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then + declare -a HARDENING_EXCEPTIONS_LIST + for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do + template=$(grep "^HARDENING_EXCEPTION=" "$SCRIPT" | cut -d= -f2) + [ -n "$template" ] && HARDENING_EXCEPTIONS_LIST[${#HARDENING_EXCEPTIONS_LIST[@]}]="$template" + done + echo "Supported services are: "$(echo "${HARDENING_EXCEPTIONS_LIST[@]}" | tr " " "\n" | sort -u | tr "\n" " ") + exit 0 +fi + +# If --set-hardening-level is specified, don't run anything, just apply config for each script +if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ] ; then + if ! grep -q "^[12345]$" <<< "$SET_HARDENING_LEVEL" ; then + echo "Bad --set-hardening-level specified ('$SET_HARDENING_LEVEL'), expected 1 to 5" + exit 1 + fi + + for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do + SCRIPT_BASENAME=$(basename $SCRIPT .sh) + script_level=$(grep "^HARDENING_LEVEL=" "$SCRIPT" | cut -d= -f2) + if [ -z "$script_level" ] ; then + echo "The script $SCRIPT_BASENAME doesn't have a hardening level, configuration untouched for it" + continue + fi + wantedstatus=disabled + [ "$script_level" -le "$SET_HARDENING_LEVEL" ] && wantedstatus=enabled + sed -i -re "s/^status=.+/status=$wantedstatus/" $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg + done + echo "Configuration modified to enable scripts for hardening level at or below $SET_HARDENING_LEVEL" + exit 0 +fi + # Parse every scripts and execute them in the required mode for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do + if [ ${#TEST_LIST[@]} -gt 0 ] ; then + # --only X has been specified at least once, is this script in my list ? 
+ SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<< "$(basename $SCRIPT)") + SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<< "$SCRIPT_PREFIX") + if ! grep -qEw "$SCRIPT_PREFIX_RE" <<< "${TEST_LIST[@]}"; then + # not in the list + continue + fi + fi + info "Treating $SCRIPT" if [ $AUDIT = 1 ]; then diff --git a/bin/hardening/1.1_install_updates.sh b/bin/hardening/1.1_install_updates.sh index 1f8dad9..657dc79 100755 --- a/bin/hardening/1.1_install_updates.sh +++ b/bin/hardening/1.1_install_updates.sh @@ -11,6 +11,8 @@ set -e # One error, it's over set -u # One variable unset, it's over +HARDENING_LEVEL=3 + # This function will be called if the script status is on enabled / audit mode audit () { info "Checking if apt needs an update" diff --git a/bin/hardening/10.1.1_set_password_exp_days.sh b/bin/hardening/10.1.1_set_password_exp_days.sh index a1e4d60..ce7dcbc 100755 --- a/bin/hardening/10.1.1_set_password_exp_days.sh +++ b/bin/hardening/10.1.1_set_password_exp_days.sh @@ -11,6 +11,8 @@ set -e # One error, it's over set -u # One variable unset, it's over +HARDENING_LEVEL=3 + PACKAGE='login' OPTIONS='PASS_MAX_DAYS=90' FILE='/etc/login.defs' diff --git a/bin/hardening/10.1.2_set_password_min_days_change.sh b/bin/hardening/10.1.2_set_password_min_days_change.sh index 48e9190..a4eef31 100755 --- a/bin/hardening/10.1.2_set_password_min_days_change.sh +++ b/bin/hardening/10.1.2_set_password_min_days_change.sh @@ -11,6 +11,8 @@ set -e # One error, it's over set -u # One variable unset, it's over +HARDENING_LEVEL=3 + PACKAGE='login' OPTIONS='PASS_MIN_DAYS=7' FILE='/etc/login.defs' diff --git a/bin/hardening/10.1.3_set_password_exp_warning_days.sh b/bin/hardening/10.1.3_set_password_exp_warning_days.sh index 6a45639..3ff35c1 100755 --- a/bin/hardening/10.1.3_set_password_exp_warning_days.sh +++ b/bin/hardening/10.1.3_set_password_exp_warning_days.sh 
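Review bot: `ALLOWED_SERVICES_LIST`, filled by `--allow-service`, is never read in the `--set-hardening-level` loop, so the option the usage text describes as "use with --set-hardening-level" has no effect anywhere visible in this diff; the loop should presumably read each script's `HARDENING_EXCEPTION=` line (as the `--allow-service-list` block just above already does) and keep a script disabled when its exception is in the allowed list. The `sed -i` on `etc/conf.d/$SCRIPT_BASENAME.cfg` also fails for a cfg that does not exist yet (lib/main.sh creates them lazily on first run, see its hunk further down), yet the closing "Configuration modified" message is printed regardless, so an operator can believe a level was applied when part of it was not. Finally, `grep -qEw "$SCRIPT_PREFIX_RE"` treats `.` as a word boundary, so `--only 10.1.1` would also select a `10.1` script if both exist; `printf '%s\n' "${TEST_LIST[@]}" | grep -qxF -- "$SCRIPT_PREFIX"` gives an exact match and makes the `SCRIPT_PREFIX_RE` line unnecessary. The rewritten loop below covers the first two points.
```shell
    for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
        SCRIPT_BASENAME=$(basename $SCRIPT .sh)
        script_level=$(grep "^HARDENING_LEVEL=" "$SCRIPT" | cut -d= -f2)
        # … unchanged: "doesn't have a hardening level" message and continue …
        wantedstatus=disabled
        [ "$script_level" -le "$SET_HARDENING_LEVEL" ] && wantedstatus=enabled
        # a script guarding a service the operator explicitly allowed stays disabled
        exception=$(grep "^HARDENING_EXCEPTION=" "$SCRIPT" | cut -d= -f2)
        if [ -n "$exception" ] && printf '%s\n' "${ALLOWED_SERVICES_LIST[@]}" | grep -qxF -- "$exception"; then
            wantedstatus=disabled
        fi
        cfg="$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
        if [ -f "$cfg" ]; then
            sed -i -re "s/^status=.+/status=$wantedstatus/" "$cfg"
        else
            echo "No configuration file for $SCRIPT_BASENAME yet, run it once to create it; level not applied" >&2
        fi
    done
```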
@@ -11,6 +11,8 @@ set -e # One error, it's over set -u # One variable unset, it's over +HARDENING_LEVEL=3 + PACKAGE='login' OPTIONS='PASS_WARN_AGE=7' FILE='/etc/login.defs' diff --git a/bin/hardening/10.2_disable_system_accounts.sh b/bin/hardening/10.2_disable_system_accounts.sh index 6b6667e..0dcb6a9 100755 --- a/bin/hardening/10.2_disable_system_accounts.sh +++ b/bin/hardening/10.2_disable_system_accounts.sh @@ -11,6 +11,8 @@ set -e # One error, it's over set -u # One variable unset, it's over +HARDENING_LEVEL=3 + SHELL='/bin/false' FILE='/etc/passwd' RESULT='' @@ -70,6 +72,15 @@ apply () { fi } +# This function will create the config file for this check with default values +create_config() { + cat <=1000 -F auid!=4294967295 \ diff --git a/bin/hardening/8.1.13_record_successful_mount.sh b/bin/hardening/8.1.13_record_successful_mount.sh index c3e4ff7..8f5826a 100755 --- a/bin/hardening/8.1.13_record_successful_mount.sh +++ b/bin/hardening/8.1.13_record_successful_mount.sh @@ -11,6 +11,8 @@ set -e # One error, it's over set -u # One variable unset, it's over +HARDENING_LEVEL=4 + AUDIT_PARAMS='-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts' FILE='/etc/audit/audit.rules' diff --git a/bin/hardening/8.1.14_record_file_deletions.sh b/bin/hardening/8.1.14_record_file_deletions.sh index 1488d99..6b5c476 100755 --- a/bin/hardening/8.1.14_record_file_deletions.sh +++ b/bin/hardening/8.1.14_record_file_deletions.sh @@ -11,6 +11,8 @@ set -e # One error, it's over set -u # One variable unset, it's over +HARDENING_LEVEL=4 + AUDIT_PARAMS='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete' FILE='/etc/audit/audit.rules' 
diff --git a/bin/hardening/8.1.15_record_sudoers_edit.sh b/bin/hardening/8.1.15_record_sudoers_edit.sh index f8740b3..64c1cb5 100755 --- a/bin/hardening/8.1.15_record_sudoers_edit.sh +++ b/bin/hardening/8.1.15_record_sudoers_edit.sh @@ -11,6 +11,8 @@ set -e # One error, it's over set -u # One variable unset, it's over +HARDENING_LEVEL=4 + AUDIT_PARAMS='-w /etc/sudoers -p wa -k sudoers -w /etc/sudoers.d/ -p wa -k sudoers' FILE='/etc/audit/audit.rules' diff --git a/bin/hardening/8.1.16_record_sudo_usage.sh b/bin/hardening/8.1.16_record_sudo_usage.sh index c164727..b0e8a74 100755 --- a/bin/hardening/8.1.16_record_sudo_usage.sh +++ b/bin/hardening/8.1.16_record_sudo_usage.sh @@ -11,6 +11,8 @@ set -e # One error, it's over set -u # One variable unset, it's over +HARDENING_LEVEL=4 + AUDIT_PARAMS='-w /var/log/auth.log -p wa -k sudoaction' FILE='/etc/audit/audit.rules' diff --git a/bin/hardening/8.1.17_record_kernel_modules.sh b/bin/hardening/8.1.17_record_kernel_modules.sh index 2904209..f4500c3 100755 --- a/bin/hardening/8.1.17_record_kernel_modules.sh +++ b/bin/hardening/8.1.17_record_kernel_modules.sh @@ -11,6 +11,8 @@ set -e # One error, it's over set -u # One variable unset, it's over +HARDENING_LEVEL=4 + AUDIT_PARAMS='-w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules diff --git a/bin/hardening/8.1.18_freeze_auditd_conf.sh b/bin/hardening/8.1.18_freeze_auditd_conf.sh index 0a3df10..4fa408e 100755 --- a/bin/hardening/8.1.18_freeze_auditd_conf.sh +++ b/bin/hardening/8.1.18_freeze_auditd_conf.sh @@ -11,6 +11,8 @@ set -e # One error, it's over set -u # One variable unset, it's over +HARDENING_LEVEL=4 + AUDIT_PARAMS='-e 2' FILE='/etc/audit/audit.rules' diff --git a/bin/hardening/8.1.2_enable_auditd.sh b/bin/hardening/8.1.2_enable_auditd.sh index 1c01bf9..50926b7 100755 --- a/bin/hardening/8.1.2_enable_auditd.sh +++ b/bin/hardening/8.1.2_enable_auditd.sh 
@@ -11,6 +11,8 @@ set -e # One error, it's over set -u # One variable unset, it's over +HARDENING_LEVEL=4 + PACKAGE='auditd' SERVICE_NAME='auditd' diff --git a/bin/hardening/8.1.3_audit_bootloader.sh b/bin/hardening/8.1.3_audit_bootloader.sh index b5a7518..d1ef1e9 100755 --- a/bin/hardening/8.1.3_audit_bootloader.sh +++ b/bin/hardening/8.1.3_audit_bootloader.sh @@ -11,6 +11,8 @@ set -e # One error, it's over set -u # One variable unset, it's over +HARDENING_LEVEL=4 + FILE='/etc/default/grub' OPTIONS='GRUB_CMDLINE_LINUX="audit=1"' diff --git a/bin/hardening/8.1.4_record_date_time_edit.sh b/bin/hardening/8.1.4_record_date_time_edit.sh index e5d62f9..113777f 100755 --- a/bin/hardening/8.1.4_record_date_time_edit.sh +++ b/bin/hardening/8.1.4_record_date_time_edit.sh @@ -11,6 +11,8 @@ set -e # One error, it's over set -u # One variable unset, it's over +HARDENING_LEVEL=4 + AUDIT_PARAMS='-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b64 -S clock_settime -k time-change diff --git a/bin/hardening/8.1.5_record_user_group_edit.sh b/bin/hardening/8.1.5_record_user_group_edit.sh index ffbfea5..46d6adf 100755 --- a/bin/hardening/8.1.5_record_user_group_edit.sh +++ b/bin/hardening/8.1.5_record_user_group_edit.sh @@ -11,6 +11,8 @@ set -e # One error, it's over set -u # One variable unset, it's over +HARDENING_LEVEL=4 + AUDIT_PARAMS='-w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity diff --git a/bin/hardening/8.1.6_record_network_edit.sh b/bin/hardening/8.1.6_record_network_edit.sh index e8d8a1d..0d3583e 100755 --- a/bin/hardening/8.1.6_record_network_edit.sh +++ b/bin/hardening/8.1.6_record_network_edit.sh 
@@ -11,6 +11,8 @@ set -e # One error, it's over set -u # One variable unset, it's over +HARDENING_LEVEL=4 + AUDIT_PARAMS='-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale -w /etc/issue -p wa -k system-locale diff --git a/bin/hardening/8.1.7_record_mac_edit.sh b/bin/hardening/8.1.7_record_mac_edit.sh index 9c194f5..4fa59a4 100755 --- a/bin/hardening/8.1.7_record_mac_edit.sh +++ b/bin/hardening/8.1.7_record_mac_edit.sh @@ -11,6 +11,8 @@ set -e # One error, it's over set -u # One variable unset, it's over +HARDENING_LEVEL=4 + AUDIT_PARAMS='-w /etc/selinux/ -p wa -k MAC-policy' FILE='/etc/audit/audit.rules' diff --git a/bin/hardening/8.1.8_record_login_logout.sh b/bin/hardening/8.1.8_record_login_logout.sh index 95dea18..70572f4 100755 --- a/bin/hardening/8.1.8_record_login_logout.sh +++ b/bin/hardening/8.1.8_record_login_logout.sh @@ -11,6 +11,8 @@ set -e # One error, it's over set -u # One variable unset, it's over +HARDENING_LEVEL=4 + AUDIT_PARAMS='-w /var/log/faillog -p wa -k logins -w /var/log/lastlog -p wa -k logins -w /var/log/tallylog -p wa -k logins' diff --git a/bin/hardening/8.1.9_record_session_init.sh b/bin/hardening/8.1.9_record_session_init.sh index 8fa6a01..e3774d1 100755 --- a/bin/hardening/8.1.9_record_session_init.sh +++ b/bin/hardening/8.1.9_record_session_init.sh @@ -11,6 +11,8 @@ set -e # One error, it's over set -u # One variable unset, it's over +HARDENING_LEVEL=4 + AUDIT_PARAMS='-w /var/run/utmp -p wa -k session -w /var/log/wtmp -p wa -k session -w /var/log/btmp -p wa -k session' diff --git a/bin/hardening/8.2.1_install_syslog-ng.sh b/bin/hardening/8.2.1_install_syslog-ng.sh index 53a4438..03b41a9 100755 --- a/bin/hardening/8.2.1_install_syslog-ng.sh +++ b/bin/hardening/8.2.1_install_syslog-ng.sh 
@@ -11,6 +11,8 @@ set -e # One error, it's over set -u # One variable unset, it's over +HARDENING_LEVEL=3 + # NB : in CIS, rsyslog has been chosen, however we chose syslog-ng PACKAGE='syslog-ng' diff --git a/bin/hardening/8.2.2_enable_syslog-ng.sh b/bin/hardening/8.2.2_enable_syslog-ng.sh index b59170c..930eefa 100755 --- a/bin/hardening/8.2.2_enable_syslog-ng.sh +++ b/bin/hardening/8.2.2_enable_syslog-ng.sh @@ -11,6 +11,8 @@ set -e # One error, it's over set -u # One variable unset, it's over +HARDENING_LEVEL=3 + SERVICE_NAME="syslog-ng" # This function will be called if the script status is on enabled / audit mode diff --git a/bin/hardening/8.2.3_configure_syslog-ng.sh b/bin/hardening/8.2.3_configure_syslog-ng.sh index f57561f..d7ebffa 100755 --- a/bin/hardening/8.2.3_configure_syslog-ng.sh +++ b/bin/hardening/8.2.3_configure_syslog-ng.sh @@ -11,6 +11,8 @@ set -e # One error, it's over set -u # One variable unset, it's over +HARDENING_LEVEL=3 + SERVICE_NAME="syslog-ng" # This function will be called if the script status is on enabled / audit mode diff --git a/bin/hardening/8.2.4_set_logfile_perm.sh b/bin/hardening/8.2.4_set_logfile_perm.sh index 58453d1..8796eba 100755 --- a/bin/hardening/8.2.4_set_logfile_perm.sh +++ b/bin/hardening/8.2.4_set_logfile_perm.sh @@ -11,6 +11,8 @@ set -e # One error, it's over set -u # One variable unset, it's over +HARDENING_LEVEL=3 + PERMISSIONS='640' USER='root' GROUP='adm' 
@@ -64,6 +66,14 @@ apply () { done } +# This function will create the config file for this check with default values +create_config() { + cat < 0 ]]; do ARG="$1" case $ARG in --audit-all) debug "Audit all specified, setting status to audit regardless of configuration" - status=audit + forcedstatus=auditall ;; --audit) - if [ $status != 'disabled' -a $status != 'false' ]; then + if [ "$status" != 'disabled' -a "$status" != 'false' ]; then debug "Audit argument detected, setting status to audit" - status=audit + forcedstatus=audit else info "Audit argument passed but script is disabled" fi 
@@ -45,6 +38,39 @@ while [[ $# > 0 ]]; do shift done +# Source specific configuration file +if ! [ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] ; then + # If it doesn't exist, create it with default values + echo "# Configuration for $SCRIPT_NAME, created from default values on `date`" > $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg + # If create_config is a defined function, execute it. + # Otherwise, just disable the test by default. + if type -t create_config | grep -qw function ; then + create_config >> $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg + else + echo "status=disabled" >> $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg + fi +fi +[ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] && . $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg + +# Now check configured value for status, and potential cmdline parameter +if [ "$forcedstatus" = "auditall" ] ; then + # We want to audit even disabled script, so override config value in any case + status=audit +elif [ "$forcedstatus" = "audit" ] ; then + # We want to audit only enabled scripts + if [ "$status" != 'disabled' -a "$status" != 'false' ]; then + debug "Audit argument detected, setting status to audit" + status=audit + else + info "Audit argument passed but script is disabled" + fi +fi + +if [ -z $status ]; then + crit "Could not find status variable for $SCRIPT_NAME, considered as disabled" + exit 2 +fi + case $status in enabled | true ) info "Checking Configuration" diff --git a/lib/utils.sh b/lib/utils.sh index 579b961..71278aa 100644 --- a/lib/utils.sh +++ b/lib/utils.sh 
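Review bot: `if [ -z $status ]; then` leaves `$status` unquoted, and under the `set -u` the per-test scripts enable (visible in the other hunks) an unset `status` — a cfg that exists but carries no `status=` line — aborts with "unbound variable" before the `crit` message is ever printed; `if [ -z "${status:-}" ]; then` keeps the intended diagnostic reachable (assuming `status` is not initialised earlier in main.sh, outside this hunk). The `[ "$status" != 'disabled' … ]` test in the `--audit` arm of the argument loop (earlier hunk, whose header is not in this chunk) now runs before the cfg is sourced and so compares an unset or stale value; the re-check added here makes it redundant, and that arm could simply set `forcedstatus=audit`. Since the cfg is sourced as shell code, a comment above the `. $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg` line such as `# cfg files are executed as shell; keep etc/conf.d writable by root only` would document why that directory's ownership matters. The `case $status in` that follows continues outside the hunk.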
@@ -204,9 +204,17 @@ is_service_enabled() { # is_kernel_option_enabled() { - local KERNEL_OPTION=$1 - RESULT=$(zgrep -i $KERNEL_OPTION /proc/config.gz | grep -vE "^#") || : - ANSWER=$(cut -d = -f 2 <<< $RESULT) + local KERNEL_OPTION="$1" + local MODULE_NAME="" + if [ $# -ge 2 ] ; then + MODULE_NAME="$2" + fi + if [ -r "/proc/config.gz" ] ; then + RESULT=$(zgrep "^$KERNEL_OPTION=" /proc/config.gz) || : + elif [ -r "/boot/config-$(uname -r)" ] ; then + RESULT=$(grep "^$KERNEL_OPTION=" "/boot/config-$(uname -r)") || : + fi + ANSWER=$(cut -d = -f 2 <<< "$RESULT") if [ "x$ANSWER" = "xy" ]; then debug "Kernel option $KERNEL_OPTION enabled" FNRET=0 @@ -217,6 +225,25 @@ is_kernel_option_enabled() { debug "Kernel option $KERNEL_OPTION not found" FNRET=2 # Not found fi + + if [ "$FNRET" -ne 0 -a -n "$MODULE_NAME" -a -d "/lib/modules/$(uname -r)" ] ; then + # also check in modules, because even if not =y, maybe + # the admin compiled it separately later (or out-of-tree) + # as a module (regardless of the fact that we have =m or not) + debug "Checking if we have $MODULE_NAME.ko" + local modulefile=$(find "/lib/modules/$(uname -r)/" -type f -name "$MODULE_NAME.ko") + if [ -n "$modulefile" ] ; then + debug "We do have $modulefile!" + # ... but wait, maybe it's blacklisted? check files in /etc/modprobe.d/ for "blacklist xyz" + if grep -qRE "^\s*blacklist\s+$MODULE_NAME\s*$" /etc/modprobe.d/ ; then + debug "... but it's blacklisted!" + FNRET=1 # Not found (found but blacklisted) + # FIXME: even if blacklisted, it might be present in the initrd and + # be insmod from there... but painful to check :/ maybe lsmod would be enough ? + fi + FNRET=0 # Found! + fi + fi } #
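Review bot: When neither `/proc/config.gz` nor `/boot/config-$(uname -r)` is readable, the new `if`/`elif` leaves `RESULT` unassigned before `ANSWER=$(cut -d = -f 2 <<< "$RESULT")`, and if this library runs inside the per-test scripts' `set -u` (visible in the other hunks) that aborts the whole check instead of reporting the option as not found; add `RESULT=""` just before `if [ -r "/proc/config.gz" ]`. Replacing `zgrep -i $KERNEL_OPTION` with the anchored `^$KERNEL_OPTION=` is a welcome tightening (the old pattern could also match a longer symbol sharing the prefix), but the match is now case-sensitive, so a caller passing a lowercase name silently gets FNRET=2 — a one-line comment such as `# KERNEL_OPTION must be the exact upper-case CONFIG_* symbol` above the function would make that contract visible. The function body continues past this hunk.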
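Review bot: In the blacklist branch, `FNRET=1 # Not found (found but blacklisted)` is immediately overwritten by the unconditional `FNRET=0 # Found!` that follows the inner `fi`, so a module that is present on disk but blacklisted in /etc/modprobe.d is still reported as enabled, and a check relying on this answer passes while the feature is in fact not loaded. Move the success assignment into an else branch: `else` / `FNRET=0 # Found!` / `fi` in place of the current `fi` / `FNRET=0 # Found!`. Two smaller points: `local modulefile=$(find …)` masks find's exit status (declare `local modulefile` first, then assign), and `-name "$MODULE_NAME.ko"` misses compressed modules (`.ko.xz`, `.ko.gz`), which `-name "$MODULE_NAME.ko*"` would cover. modprobe also treats `-` and `_` in module names as interchangeable, so the blacklist grep can miss a `blacklist foo-bar` line when asked about `foo_bar`; the FIXME about the initrd is a fair caveat to keep.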