Merge pull request #27 in IAAS/cis-hardening from dev/thibault.dewailly/fixwildcards to master
* commit 'a4dc5bdaf5ec7f4d1c49533608b279d7101e23cd': No more wildcards in file list to be more resilient
@ -13,29 +13,73 @@ set -u # One variable unset, it's over
|
|||||||
|
|
||||||
USER='root'
|
USER='root'
|
||||||
PATTERN='umask 077'
|
PATTERN='umask 077'
|
||||||
FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d/* /etc/profile'
|
FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d /etc/profile'
|
||||||
FILE='/etc/profile.d/CIS_10.4_umask.sh'
|
FILE='/etc/profile.d/CIS_10.4_umask.sh'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit () {
|
||||||
does_pattern_exist_in_file "$FILES_TO_SEARCH" "^$PATTERN"
|
SEARCH_RES=0
|
||||||
|
for FILE_SEARCHED in $FILES_TO_SEARCH; do
|
||||||
|
if [ $SEARCH_RES = 1 ]; then break; fi
|
||||||
|
if test -d $FILE_SEARCHED; then
|
||||||
|
debug "$FILE_SEARCHED is a directory"
|
||||||
|
for file_in_dir in $(ls $FILE_SEARCHED); do
|
||||||
|
does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN"
|
||||||
if [ $FNRET != 0 ]; then
|
if [ $FNRET != 0 ]; then
|
||||||
crit "$PATTERN is not present in $FILES_TO_SEARCH"
|
debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
|
||||||
|
else
|
||||||
|
ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir"
|
||||||
|
SEARCH_RES=1
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
else
|
||||||
|
does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
debug "$PATTERN is not present in $FILE_SEARCHED"
|
||||||
else
|
else
|
||||||
ok "$PATTERN is present in $FILES_TO_SEARCH"
|
ok "$PATTERN is present in $FILES_TO_SEARCH"
|
||||||
|
SEARCH_RES=1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ $SEARCH_RES = 0 ]; then
|
||||||
|
crit "$PATTERN is not present in $FILES_TO_SEARCH"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply () {
|
||||||
does_pattern_exist_in_file "$FILES_TO_SEARCH" "^$PATTERN"
|
SEARCH_RES=0
|
||||||
|
for FILE_SEARCHED in $FILES_TO_SEARCH; do
|
||||||
|
if [ $SEARCH_RES = 1 ]; then break; fi
|
||||||
|
if test -d $FILE_SEARCHED; then
|
||||||
|
debug "$FILE_SEARCHED is a directory"
|
||||||
|
for file_in_dir in $(ls $FILE_SEARCHED); do
|
||||||
|
does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN"
|
||||||
if [ $FNRET != 0 ]; then
|
if [ $FNRET != 0 ]; then
|
||||||
|
debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
|
||||||
|
else
|
||||||
|
ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir"
|
||||||
|
SEARCH_RES=1
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
else
|
||||||
|
does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
debug "$PATTERN is not present in $FILE_SEARCHED"
|
||||||
|
else
|
||||||
|
ok "$PATTERN is present in $FILES_TO_SEARCH"
|
||||||
|
SEARCH_RES=1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ $SEARCH_RES = 0 ]; then
|
||||||
warn "$PATTERN is not present in $FILES_TO_SEARCH"
|
warn "$PATTERN is not present in $FILES_TO_SEARCH"
|
||||||
touch $FILE
|
touch $FILE
|
||||||
chmod 644 $FILE
|
chmod 644 $FILE
|
||||||
add_end_of_file $FILE "$PATTERN"
|
add_end_of_file $FILE "$PATTERN"
|
||||||
else
|
|
||||||
ok "$PATTERN is present in $FILES_TO_SEARCH"
|
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
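Review bot: The directory branch of the new audit() loop iterates `for file_in_dir in $(ls $FILE_SEARCHED)`, which word-splits and glob-expands the `ls` output, so an entry under /etc/profile.d whose name contains whitespace or a glob character is looked up under a wrong path and (presumably, via FNRET) logged as "not present" while the real file is never examined; the identical loop appears in apply() below and in the hunks for CIS_99.1_timeout.sh and 10-CIS_99.2_usb_devices.sh, and `ls` also hands any subdirectory to does_pattern_exist_in_file. A quoted glob with a regular-file guard, as below, removes the word-splitting and the subdirectory case. Two smaller points in the same loops: the non-directory branch reports `ok "$PATTERN is present in $FILES_TO_SEARCH"` while the adjacent debug names `$FILE_SEARCHED`, so the success line should name the file actually matched; and the inner `break` only leaves the inner loop and relies on the `if [ $SEARCH_RES = 1 ]; then break; fi` at the top of the next outer iteration, where `break 2` would state the intent directly. Since audit() and apply() in all three files now carry the same search loop, a shared helper that sets SEARCH_RES would keep them in step.
```shell
      for file_in_dir in "$FILE_SEARCHED"/*; do
        # skip subdirectories, sockets, etc.; an empty directory leaves the literal glob, which also fails -f
        [ -f "$file_in_dir" ] || continue
        does_pattern_exist_in_file "$file_in_dir" "^$PATTERN"
        if [ "$FNRET" != 0 ]; then
          debug "$PATTERN is not present in $file_in_dir"
        else
          ok "$PATTERN is present in $file_in_dir"
          SEARCH_RES=1
          break 2   # leaves the outer FILES_TO_SEARCH loop as well
        fi
      done
```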
@ -14,23 +14,69 @@ set -u # One variable unset, it's over
|
|||||||
USER='root'
|
USER='root'
|
||||||
PATTERN='TMOUT='
|
PATTERN='TMOUT='
|
||||||
VALUE='600'
|
VALUE='600'
|
||||||
FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d/* /etc/profile'
|
FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d /etc/profile'
|
||||||
FILE='/etc/profile.d/CIS_99.1_timeout.sh'
|
FILE='/etc/profile.d/CIS_99.1_timeout.sh'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit () {
|
||||||
does_pattern_exist_in_file "$FILES_TO_SEARCH" "^$PATTERN"
|
SEARCH_RES=0
|
||||||
|
for FILE_SEARCHED in $FILES_TO_SEARCH; do
|
||||||
|
if [ $SEARCH_RES = 1 ]; then break; fi
|
||||||
|
if test -d $FILE_SEARCHED; then
|
||||||
|
debug "$FILE_SEARCHED is a directory"
|
||||||
|
for file_in_dir in $(ls $FILE_SEARCHED); do
|
||||||
|
does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN"
|
||||||
if [ $FNRET != 0 ]; then
|
if [ $FNRET != 0 ]; then
|
||||||
crit "$PATTERN is not present in $FILES_TO_SEARCH"
|
debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
|
||||||
|
else
|
||||||
|
ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir"
|
||||||
|
SEARCH_RES=1
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
else
|
||||||
|
does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
debug "$PATTERN is not present in $FILE_SEARCHED"
|
||||||
else
|
else
|
||||||
ok "$PATTERN is present in $FILES_TO_SEARCH"
|
ok "$PATTERN is present in $FILES_TO_SEARCH"
|
||||||
|
SEARCH_RES=1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ $SEARCH_RES = 0 ]; then
|
||||||
|
crit "$PATTERN is not present in $FILES_TO_SEARCH"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply () {
|
||||||
does_pattern_exist_in_file "$FILES_TO_SEARCH" "^$PATTERN"
|
SEARCH_RES=0
|
||||||
|
for FILE_SEARCHED in $FILES_TO_SEARCH; do
|
||||||
|
if [ $SEARCH_RES = 1 ]; then break; fi
|
||||||
|
if test -d $FILE_SEARCHED; then
|
||||||
|
debug "$FILE_SEARCHED is a directory"
|
||||||
|
for file_in_dir in $(ls $FILE_SEARCHED); do
|
||||||
|
does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN"
|
||||||
if [ $FNRET != 0 ]; then
|
if [ $FNRET != 0 ]; then
|
||||||
|
debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
|
||||||
|
else
|
||||||
|
ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir"
|
||||||
|
SEARCH_RES=1
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
else
|
||||||
|
does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
debug "$PATTERN is not present in $FILE_SEARCHED"
|
||||||
|
else
|
||||||
|
ok "$PATTERN is present in $FILES_TO_SEARCH"
|
||||||
|
SEARCH_RES=1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ $SEARCH_RES = 0 ]; then
|
||||||
warn "$PATTERN is not present in $FILES_TO_SEARCH"
|
warn "$PATTERN is not present in $FILES_TO_SEARCH"
|
||||||
touch $FILE
|
touch $FILE
|
||||||
chmod 644 $FILE
|
chmod 644 $FILE
|
||||||
|
@ -13,23 +13,69 @@ set -u # One variable unset, it's over
|
|||||||
|
|
||||||
USER='root'
|
USER='root'
|
||||||
PATTERN='ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"' # We do test disabled by default, whitelist is up to you
|
PATTERN='ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"' # We do test disabled by default, whitelist is up to you
|
||||||
FILES_TO_SEARCH='/etc/udev/rules.d/*'
|
FILES_TO_SEARCH='/etc/udev/rules.d'
|
||||||
FILE='/etc/udev/rules.d/10-CIS_99.2_usb_devices.sh'
|
FILE='/etc/udev/rules.d/10-CIS_99.2_usb_devices.sh'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit () {
|
||||||
does_pattern_exist_in_file "$FILES_TO_SEARCH" "^$PATTERN"
|
SEARCH_RES=0
|
||||||
|
for FILE_SEARCHED in $FILES_TO_SEARCH; do
|
||||||
|
if [ $SEARCH_RES = 1 ]; then break; fi
|
||||||
|
if test -d $FILE_SEARCHED; then
|
||||||
|
debug "$FILE_SEARCHED is a directory"
|
||||||
|
for file_in_dir in $(ls $FILE_SEARCHED); do
|
||||||
|
does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN"
|
||||||
if [ $FNRET != 0 ]; then
|
if [ $FNRET != 0 ]; then
|
||||||
crit "$PATTERN is not present in $FILES_TO_SEARCH"
|
debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
|
||||||
|
else
|
||||||
|
ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir"
|
||||||
|
SEARCH_RES=1
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
else
|
||||||
|
does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
debug "$PATTERN is not present in $FILE_SEARCHED"
|
||||||
else
|
else
|
||||||
ok "$PATTERN is present in $FILES_TO_SEARCH"
|
ok "$PATTERN is present in $FILES_TO_SEARCH"
|
||||||
|
SEARCH_RES=1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ $SEARCH_RES = 0 ]; then
|
||||||
|
crit "$PATTERN is not present in $FILES_TO_SEARCH"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply () {
|
||||||
does_pattern_exist_in_file "$FILES_TO_SEARCH" "^$PATTERN"
|
SEARCH_RES=0
|
||||||
|
for FILE_SEARCHED in $FILES_TO_SEARCH; do
|
||||||
|
if [ $SEARCH_RES = 1 ]; then break; fi
|
||||||
|
if test -d $FILE_SEARCHED; then
|
||||||
|
debug "$FILE_SEARCHED is a directory"
|
||||||
|
for file_in_dir in $(ls $FILE_SEARCHED); do
|
||||||
|
does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN"
|
||||||
if [ $FNRET != 0 ]; then
|
if [ $FNRET != 0 ]; then
|
||||||
|
debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
|
||||||
|
else
|
||||||
|
ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir"
|
||||||
|
SEARCH_RES=1
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
else
|
||||||
|
does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
debug "$PATTERN is not present in $FILE_SEARCHED"
|
||||||
|
else
|
||||||
|
ok "$PATTERN is present in $FILES_TO_SEARCH"
|
||||||
|
SEARCH_RES=1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ $SEARCH_RES = 0 ]; then
|
||||||
warn "$PATTERN is not present in $FILES_TO_SEARCH"
|
warn "$PATTERN is not present in $FILES_TO_SEARCH"
|
||||||
touch $FILE
|
touch $FILE
|
||||||
chmod 644 $FILE
|
chmod 644 $FILE
|
||||||
@ -46,8 +92,6 @@ ACTION=="add", ATTR{product}=="*[Kk]eyboard*", TEST=="authorized", ATTR{authoriz
|
|||||||
# PS2-USB converter
|
# PS2-USB converter
|
||||||
ACTION=="add", ATTR{product}=="*Thinnet TM*", TEST=="authorized", ATTR{authorized}="1"
|
ACTION=="add", ATTR{product}=="*Thinnet TM*", TEST=="authorized", ATTR{authorized}="1"
|
||||||
'
|
'
|
||||||
else
|
|
||||||
ok "$PATTERN is present in $FILES_TO_SEARCH"
|
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|