mirror of
https://github.com/ovh/debian-cis.git
synced 2024-11-22 13:37:02 +01:00
Merge pull request #12 from speed47/dev/enhancements
Hardening Classification subs enhancements as well as bug fixes
This commit is contained in:
Thibault Dewailly
GitHub
commit
3b7a2b8216
1
AUTHORS
1
AUTHORS
@ -2,6 +2,7 @@ Contributors of this project :
|
||||
|
||||
Developers :
|
||||
Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
|
||||
Stéphane Lesimple, OVH <stephane.lesimple@corp.ovh.com>
|
||||
|
||||
Debian package maintainers :
|
||||
Kevin Tanguy, OVH <kevin.tanguy@corp.ovh.com>
|
||||
|
||||
@ -20,11 +20,13 @@ AUDIT=0
|
||||
APPLY=0
|
||||
AUDIT_ALL=0
|
||||
AUDIT_ALL_ENABLE_PASSED=0
|
||||
ALLOW_SERVICE_LIST=0
|
||||
SET_HARDENING_LEVEL=0
|
||||
CIS_ROOT_DIR=''
|
||||
|
||||
usage() {
|
||||
cat << EOF
|
||||
$LONG_SCRIPT_NAME RUN_MODE, where RUN_MODE is one of:
|
||||
$LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
|
||||
|
||||
--help -h
|
||||
Show this help
|
||||
@ -53,6 +55,35 @@ $LONG_SCRIPT_NAME RUN_MODE, where RUN_MODE is one of:
|
||||
Don't run this if you have already customized the scripts enable/disable
|
||||
configurations, obviously.
|
||||
|
||||
--set-hardening-level <level>
|
||||
Modifies the configuration to enable/disable tests given an hardening level,
|
||||
between 1 to 5. Don't run this if you have already customized the scripts
|
||||
enable/disable configurations.
|
||||
1: very basic policy, failure to pass tests at this level indicates severe
|
||||
misconfiguration of the machine that can have a huge security impact
|
||||
2: basic policy, some good practice rules that, once applied, shouldn't
|
||||
break anything on most systems
|
||||
3: best practices policy, passing all tests might need some configuration
|
||||
modifications (such as specific partitioning, etc.)
|
||||
4: high security policy, passing all tests might be time-consuming and
|
||||
require high adaptation of your workflow
|
||||
5: placebo, policy rules that might be very difficult to apply and maintain,
|
||||
with questionable security benefits
|
||||
|
||||
--allow-service <service>
|
||||
Use with --set-hardening-level.
|
||||
Modifies the policy to allow a certain kind of services on the machine, such
|
||||
as http, mail, etc. Can be specified multiple times to allow multiple services.
|
||||
Use --allow-service-list to get a list of supported services.
|
||||
|
||||
OPTIONS:
|
||||
|
||||
--only <test_number>
|
||||
Modifies the RUN_MODE to only work on the test_number script.
|
||||
Can be specified multiple times to work only on several scripts.
|
||||
The test number is the numbered prefix of the script,
|
||||
i.e. the test number of 1.2_script_name.sh is 1.2.
|
||||
|
||||
EOF
|
||||
exit 0
|
||||
}
|
||||
@ -61,6 +92,8 @@ if [ $# = 0 ]; then
|
||||
usage
|
||||
fi
|
||||
|
||||
declare -a TEST_LIST ALLOWED_SERVICES_LIST
|
||||
|
||||
# Arguments parsing
|
||||
while [[ $# > 0 ]]; do
|
||||
ARG="$1"
|
||||
@ -77,6 +110,21 @@ while [[ $# > 0 ]]; do
|
||||
--apply)
|
||||
APPLY=1
|
||||
;;
|
||||
--allow-service-list)
|
||||
ALLOW_SERVICE_LIST=1
|
||||
;;
|
||||
--allow-service)
|
||||
ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2"
|
||||
shift
|
||||
;;
|
||||
--set-hardening-level)
|
||||
SET_HARDENING_LEVEL="$2"
|
||||
shift
|
||||
;;
|
||||
--only)
|
||||
TEST_LIST[${#TEST_LIST[@]}]="$2"
|
||||
shift
|
||||
;;
|
||||
-h|--help)
|
||||
usage
|
||||
;;
|
||||
@ -104,8 +152,51 @@ fi
|
||||
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
|
||||
[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
|
||||
|
||||
# If --allow-service-list is specified, don't run anything, just list the supported services
|
||||
if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then
|
||||
declare -a HARDENING_EXCEPTIONS_LIST
|
||||
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
|
||||
template=$(grep "^HARDENING_EXCEPTION=" "$SCRIPT" | cut -d= -f2)
|
||||
[ -n "$template" ] && HARDENING_EXCEPTIONS_LIST[${#HARDENING_EXCEPTIONS_LIST[@]}]="$template"
|
||||
done
|
||||
echo "Supported services are: "$(echo "${HARDENING_EXCEPTIONS_LIST[@]}" | tr " " "\n" | sort -u | tr "\n" " ")
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# If --set-hardening-level is specified, don't run anything, just apply config for each script
|
||||
if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ] ; then
|
||||
if ! grep -q "^[12345]$" <<< "$SET_HARDENING_LEVEL" ; then
|
||||
echo "Bad --set-hardening-level specified ('$SET_HARDENING_LEVEL'), expected 1 to 5"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
|
||||
SCRIPT_BASENAME=$(basename $SCRIPT .sh)
|
||||
script_level=$(grep "^HARDENING_LEVEL=" "$SCRIPT" | cut -d= -f2)
|
||||
if [ -z "$script_level" ] ; then
|
||||
echo "The script $SCRIPT_BASENAME doesn't have a hardening level, configuration untouched for it"
|
||||
continue
|
||||
fi
|
||||
wantedstatus=disabled
|
||||
[ "$script_level" -le "$SET_HARDENING_LEVEL" ] && wantedstatus=enabled
|
||||
sed -i -re "s/^status=.+/status=$wantedstatus/" $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg
|
||||
done
|
||||
echo "Configuration modified to enable scripts for hardening level at or below $SET_HARDENING_LEVEL"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# Parse every scripts and execute them in the required mode
|
||||
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
|
||||
if [ ${#TEST_LIST[@]} -gt 0 ] ; then
|
||||
# --only X has been specified at least once, is this script in my list ?
|
||||
SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<< "$(basename $SCRIPT)")
|
||||
SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<< "$SCRIPT_PREFIX")
|
||||
if ! grep -qEw "$SCRIPT_PREFIX_RE" <<< "${TEST_LIST[@]}"; then
|
||||
# not in the list
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
|
||||
info "Treating $SCRIPT"
|
||||
|
||||
if [ $AUDIT = 1 ]; then
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=3
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Checking if apt needs an update"
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=3
|
||||
|
||||
PACKAGE='login'
|
||||
OPTIONS='PASS_MAX_DAYS=90'
|
||||
FILE='/etc/login.defs'
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=3
|
||||
|
||||
PACKAGE='login'
|
||||
OPTIONS='PASS_MIN_DAYS=7'
|
||||
FILE='/etc/login.defs'
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=3
|
||||
|
||||
PACKAGE='login'
|
||||
OPTIONS='PASS_WARN_AGE=7'
|
||||
FILE='/etc/login.defs'
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=3
|
||||
|
||||
SHELL='/bin/false'
|
||||
FILE='/etc/passwd'
|
||||
RESULT=''
|
||||
@ -70,6 +72,15 @@ apply () {
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will create the config file for this check with default values
|
||||
create_config() {
|
||||
cat <<EOF
|
||||
status=disabled
|
||||
# Put here your exceptions concerning admin accounts shells separated by spaces
|
||||
EXCEPTIONS=""
|
||||
EOF
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
if [ -z "$EXCEPTIONS" ]; then
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
USER='root'
|
||||
EXPECTED_GID='0'
|
||||
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=3
|
||||
|
||||
USER='root'
|
||||
PATTERN='umask 077'
|
||||
FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d /etc/profile'
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=3
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Looking at the manual of useradd, it seems that this recommendation does not fill the title"
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=3
|
||||
|
||||
PERMISSIONS='644'
|
||||
USER='root'
|
||||
GROUP='root'
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=3
|
||||
|
||||
FILES='/etc/motd /etc/issue /etc/issue.net'
|
||||
PATTERN='(\\v|\\r|\\m|\\s)'
|
||||
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=3
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Not implemented yet"
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Checking if there are suid files"
|
||||
@ -35,6 +37,15 @@ apply () {
|
||||
info "Removing suid on valid binary may seriously harm your system, report only here"
|
||||
}
|
||||
|
||||
# This function will create the config file for this check with default values
|
||||
create_config() {
|
||||
cat <<EOF
|
||||
status=disabled
|
||||
# Put Here your valid suid binaries so that they do not appear during the audit
|
||||
EXCEPTIONS="/bin/mount /bin/ping /bin/ping6 /bin/su /bin/umount /usr/bin/chfn /usr/bin/chsh /usr/bin/fping /usr/bin/fping6 /usr/bin/gpasswd /usr/bin/mtr /usr/bin/newgrp /usr/bin/passwd /usr/bin/sudo /usr/bin/sudoedit /usr/lib/openssh/ssh-keysign /usr/lib/pt_chown /usr/bin/at"
|
||||
EOF
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
# No param for this function
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Checking if there are sgid files"
|
||||
@ -35,6 +37,15 @@ apply () {
|
||||
info "Removing sgid on valid binary may seriously harm your system, report only here"
|
||||
}
|
||||
|
||||
# This function will create the config file for this check with default values
|
||||
create_config() {
|
||||
cat <<EOF
|
||||
status=disabled
|
||||
# Put here valid binaries with sgid enabled separated by spaces
|
||||
EXCEPTIONS="/sbin/unix_chkpwd /usr/bin/bsd-write /usr/bin/chage /usr/bin/crontab /usr/bin/expiry /usr/bin/mutt_dotlock /usr/bin/screen /usr/bin/ssh-agent /usr/bin/wall /usr/sbin/postdrop /usr/sbin/postqueue /usr/bin/at /usr/bin/dotlockfile /usr/bin/mail-lock /usr/bin/mail-touchlock /usr/bin/mail-unlock"
|
||||
EOF
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
if [ -z "$EXCEPTIONS" ]; then
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=1
|
||||
|
||||
FILE='/etc/passwd'
|
||||
PERMISSIONS='644'
|
||||
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=1
|
||||
|
||||
FILE='/etc/shadow'
|
||||
PERMISSIONS='640'
|
||||
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=1
|
||||
|
||||
FILE='/etc/group'
|
||||
PERMISSIONS='644'
|
||||
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=1
|
||||
|
||||
FILE='/etc/passwd'
|
||||
USER='root'
|
||||
GROUP='root'
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=1
|
||||
|
||||
FILE='/etc/shadow'
|
||||
USER='root'
|
||||
GROUP='shadow'
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=1
|
||||
|
||||
FILE='/etc/group'
|
||||
USER='root'
|
||||
GROUP='root'
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=3
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Checking if there are world writable files"
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
USER='root'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
GROUP='root'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
ERRORS=0
|
||||
FILENAME=".rhosts"
|
||||
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
ERRORS=0
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
ERRORS=0
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
ERRORS=0
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
ERRORS=0
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
ERRORS=0
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=1
|
||||
|
||||
ERRORS=0
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=1
|
||||
|
||||
ERRORS=0
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
ERRORS=0
|
||||
FILENAME='.netrc'
|
||||
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
ERRORS=0
|
||||
FILENAME='.forward'
|
||||
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=1
|
||||
|
||||
FILE='/etc/shadow'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=1
|
||||
|
||||
ERRORS=0
|
||||
FILEGROUP='/etc/group'
|
||||
PATTERN='^shadow:x:[[:digit:]]+:'
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=1
|
||||
|
||||
FILE='/etc/passwd'
|
||||
RESULT=''
|
||||
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=1
|
||||
|
||||
FILE='/etc/shadow'
|
||||
RESULT=''
|
||||
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=1
|
||||
|
||||
FILE='/etc/group'
|
||||
RESULT=''
|
||||
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
FILE='/etc/passwd'
|
||||
RESULT=''
|
||||
|
||||
@ -33,7 +35,7 @@ audit () {
|
||||
crit "Some accounts have uid 0"
|
||||
crit $RESULT
|
||||
else
|
||||
ok "No account with uid 0 apart root"
|
||||
ok "No account with uid 0 appart from root and potential configured exceptions"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -42,6 +44,15 @@ apply () {
|
||||
info "Removing accounts with uid 0 may seriously harm your system, report only here"
|
||||
}
|
||||
|
||||
# This function will create the config file for this check with default values
|
||||
create_config() {
|
||||
cat <<EOF
|
||||
status=disabled
|
||||
# Put here valid accounts with uid 0 separated by spaces
|
||||
EXCEPTIONS=""
|
||||
EOF
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
if [ -z "$EXCEPTIONS" ]; then
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
ERRORS=0
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
ERRORS=0
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
@ -86,6 +88,15 @@ apply () {
|
||||
done
|
||||
}
|
||||
|
||||
# This function will create the config file for this check with default values
|
||||
create_config() {
|
||||
cat <<EOF
|
||||
status=disabled
|
||||
# Put here user home directories exceptions, separated by spaces
|
||||
EXCEPTIONS=""
|
||||
EOF
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
if [ -z "$EXCEPTIONS" ]; then
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
ERRORS=0
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
PERMISSIONS="600"
|
||||
ERRORS=0
|
||||
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
PARTITION="/home"
|
||||
OPTION="nodev"
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
PARTITION="/run/shm"
|
||||
OPTION="nodev"
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
PARTITION="/run/shm"
|
||||
OPTION="nosuid"
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=3
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
PARTITION="/run/shm"
|
||||
OPTION="noexec"
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Checking if setuid is set on world writable Directories"
|
||||
|
||||
@ -11,13 +11,15 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
|
||||
KERNEL_OPTION="cramfs"
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
KERNEL_OPTION="CONFIG_CRAMFS"
|
||||
MODULE_NAME="cramfs"
|
||||
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
is_kernel_option_enabled $KERNEL_OPTION
|
||||
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
|
||||
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$KERNEL_OPTION is enabled!"
|
||||
else
|
||||
|
||||
@ -11,13 +11,15 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
|
||||
KERNEL_OPTION="freevxfs"
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
KERNEL_OPTION="CONFIG_VXFS_FS"
|
||||
MODULE_NAME="freevxfs"
|
||||
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
is_kernel_option_enabled $KERNEL_OPTION
|
||||
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
|
||||
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$KERNEL_OPTION is enabled!"
|
||||
else
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=3
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
PARTITION="/tmp"
|
||||
|
||||
|
||||
@ -11,13 +11,15 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
|
||||
KERNEL_OPTION="jffs2"
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
KERNEL_OPTION="CONFIG_JFFS2_FS"
|
||||
MODULE_NAME="jffs2"
|
||||
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
is_kernel_option_enabled $KERNEL_OPTION
|
||||
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
|
||||
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$KERNEL_OPTION is enabled!"
|
||||
else
|
||||
|
||||
@ -11,13 +11,15 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
|
||||
KERNEL_OPTION="hfs"
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
KERNEL_OPTION="CONFIG_HFS_FS"
|
||||
MODULE_FILE="hfs"
|
||||
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
is_kernel_option_enabled $KERNEL_OPTION
|
||||
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
|
||||
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$KERNEL_OPTION is enabled!"
|
||||
else
|
||||
|
||||
@ -11,13 +11,15 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
|
||||
KERNEL_OPTION="hfsplus"
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
KERNEL_OPTION="CONFIG_HFSPLUS_FS"
|
||||
MODULE_FILE="hfsplus"
|
||||
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
is_kernel_option_enabled $KERNEL_OPTION
|
||||
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
|
||||
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$KERNEL_OPTION is enabled!"
|
||||
else
|
||||
|
||||
@ -11,13 +11,15 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
|
||||
KERNEL_OPTION="squashfs"
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
KERNEL_OPTION="CONFIG_SQUASHFS"
|
||||
MODULE_FILE="squashfs"
|
||||
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
is_kernel_option_enabled $KERNEL_OPTION
|
||||
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
|
||||
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$KERNEL_OPTION is enabled!"
|
||||
else
|
||||
|
||||
@ -11,13 +11,15 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
|
||||
KERNEL_OPTION="udf"
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
KERNEL_OPTION="CONFIG_UDF_FS"
|
||||
MODULE_FILE="udf"
|
||||
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
is_kernel_option_enabled $KERNEL_OPTION
|
||||
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
|
||||
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$KERNEL_OPTION is enabled!"
|
||||
else
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
SERVICE_NAME="autofs"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
PARTITION="/tmp"
|
||||
OPTION="nodev"
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
PARTITION="/tmp"
|
||||
OPTION="nosuid"
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=3
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
PARTITION="/tmp"
|
||||
OPTION="noexec"
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=3
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
PARTITION="/var"
|
||||
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=3
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
PARTITION="/var/tmp"
|
||||
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
PARTITION="/var/tmp"
|
||||
OPTION="nodev"
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
PARTITION="/var/tmp"
|
||||
OPTION="nosuid"
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=3
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
PARTITION="/var/tmp"
|
||||
OPTION="noexec"
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=3
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
PARTITION="/var/log"
|
||||
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=4
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
PARTITION="/var/log/audit"
|
||||
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=3
|
||||
|
||||
# Quick factoring as many script use the same logic
|
||||
PARTITION="/home"
|
||||
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=1
|
||||
|
||||
# Assertion : Grub Based.
|
||||
|
||||
FILE='/boot/grub/grub.cfg'
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=1
|
||||
|
||||
# Assertion : Grub Based.
|
||||
|
||||
FILE='/boot/grub/grub.cfg'
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=3
|
||||
|
||||
FILE='/boot/grub/grub.cfg'
|
||||
USER_PATTERN="^set superusers"
|
||||
PWD_PATTERN="^password_pbkdf2"
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=3
|
||||
|
||||
FILE="/etc/shadow"
|
||||
PATTERN="^root:[*\!]:"
|
||||
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
LIMIT_FILE='/etc/security/limits.conf'
|
||||
LIMIT_PATTERN='^\*[[:space:]]*hard[[:space:]]*core[[:space:]]*0$'
|
||||
SYSCTL_PARAM='fs.suid_dumpable'
|
||||
|
||||
@ -11,13 +11,34 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
PATTERN='NX[[:space:]]\(Execute[[:space:]]Disable\)[[:space:]]protection:[[:space:]]active'
|
||||
|
||||
# Check if the NX bit is supported and noexec=off hasn't been asked
|
||||
nx_supported_and_enabled() {
|
||||
if grep -q ' nx ' /proc/cpuinfo; then
|
||||
# NX supported, but if noexec=off specified, it's not enabled
|
||||
if grep -qi 'noexec=off' /proc/cmdline; then
|
||||
FNRET=1 # supported but disabled
|
||||
else
|
||||
FNRET=0 # supported and enabled
|
||||
fi
|
||||
else
|
||||
FNRET=1 # not supported
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
does_pattern_exist_in_dmesg $PATTERN
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$PATTERN is not present in dmesg"
|
||||
nx_supported_and_enabled
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
|
||||
else
|
||||
ok "NX is supported and enabled"
|
||||
fi
|
||||
else
|
||||
ok "$PATTERN is present in dmesg"
|
||||
fi
|
||||
@ -27,7 +48,12 @@ audit () {
|
||||
apply () {
|
||||
does_pattern_exist_in_dmesg $PATTERN
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$PATTERN is not present in dmesg, please go to the bios to activate this option or change for CPU compatible"
|
||||
nx_supported_and_enabled
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
|
||||
else
|
||||
ok "NX is supported and enabled"
|
||||
fi
|
||||
else
|
||||
ok "$PATTERN is present in dmesg"
|
||||
fi
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
SYSCTL_PARAM='kernel.randomize_va_space'
|
||||
SYSCTL_EXP_RESULT=2
|
||||
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
PACKAGE='prelink'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=3
|
||||
|
||||
PACKAGE='apparmor'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=3
|
||||
|
||||
PACKAGE='nis'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
# Based on aptitude search '~Prsh-server'
|
||||
PACKAGES='rsh-server rsh-redone-server heimdal-servers'
|
||||
FILE='/etc/inetd.conf'
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
# Based on aptitude search '~Prsh-client', exluding ssh-client OFC
|
||||
PACKAGES='rsh-client rsh-redone-client heimdal-clients'
|
||||
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
PACKAGES='inetutils-talkd talkd'
|
||||
FILE='/etc/inetd.conf'
|
||||
PATTERN='^(talk|ntalk)'
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
PACKAGES='talk inetutils-talk'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
# Based on aptitude search '~Ptelnet-server'
|
||||
PACKAGES='telnetd inetutils-telnetd telnetd-ssl krb5-telnetd heimdal-servers'
|
||||
FILE='/etc/inetd.conf'
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
PACKAGES='tftpd tftpd-hpa atftpd'
|
||||
FILE='/etc/inetd.conf'
|
||||
PATTERN='^tftp'
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=3
|
||||
|
||||
PACKAGES='openbsd-inetd xinetd rlinetd'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
FILE='/etc/inetd.conf'
|
||||
PATTERN='^chargen'
|
||||
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
FILE='/etc/inetd.conf'
|
||||
PATTERN='^daytime'
|
||||
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
FILE='/etc/inetd.conf'
|
||||
PATTERN='^echo'
|
||||
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
FILE='/etc/inetd.conf'
|
||||
PATTERN='^discard'
|
||||
|
||||
|
||||
@ -11,6 +11,8 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
|
||||
FILE='/etc/inetd.conf'
|
||||
PATTERN='^time'
|
||||
|
||||
|
||||
@ -11,6 +11,9 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=3
|
||||
HARDENING_EXCEPTION=http
|
||||
|
||||
# Based on aptitude search '~Phttpd'
|
||||
PACKAGES='nginx apache2 lighttpd micro-httpd mini-httpd yaws boa bozohttpd'
|
||||
|
||||
|
||||
@ -11,6 +11,9 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=3
|
||||
HARDENING_EXCEPTION=mail
|
||||
|
||||
# Based on aptitude search '~Pimap-server' and aptitude search '~Ppop3-server'
|
||||
PACKAGES='citadel-server courier-imap cyrus-imapd-2.4 dovecot-imapd mailutils-imap4d courier-pop cyrus-pop3d-2.4 dovecot-pop3d heimdal-servers mailutils-pop3d popa3d solid-pop3d xmail'
|
||||
|
||||
|
||||
@ -11,6 +11,9 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=3
|
||||
HARDENING_EXCEPTION=samba
|
||||
|
||||
PACKAGES='samba'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
|
||||
@ -11,6 +11,9 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=3
|
||||
HARDENING_EXCEPTION=http
|
||||
|
||||
PACKAGES='squid3 squid'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
|
||||
@ -11,6 +11,9 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=3
|
||||
HARDENING_EXCEPTION=snmp
|
||||
|
||||
PACKAGES='snmpd'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
|
||||
@ -11,6 +11,9 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=3
|
||||
HARDENING_EXCEPTION=mail
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Checking netport ports opened"
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user