From 40fb536d4eb9543b426bc3b80e04fb3769faf393 Mon Sep 17 00:00:00 2001 From: Thibault Ayanides Date: Wed, 17 Feb 2021 11:51:51 +0100 Subject: [PATCH] Add missing HARDENING_LEVEL (#44) Co-authored-by: GoldenKiwi --- bin/hardening/99.1.1.23_disable_usb_devices.sh | 3 +++ bin/hardening/99.1.3_acc_sudoers_no_all.sh | 2 ++ bin/hardening/99.5.2.3_ssh_disable_features.sh | 1 + bin/hardening/99.5.2.4_ssh_keys_from.sh | 2 ++ bin/hardening/99.5.2.5_ssh_strict_modes.sh | 4 +++- bin/hardening/99.5.2.7_ssh_sys_no_legacy.sh | 3 +++ bin/hardening/99.5.4.5.1_acc_logindefs_sha512.sh | 6 ++++-- bin/hardening/99.5.4.5.2_acc_shadow_sha512.sh | 2 ++ 8 files changed, 20 insertions(+), 3 deletions(-) diff --git a/bin/hardening/99.1.1.23_disable_usb_devices.sh b/bin/hardening/99.1.1.23_disable_usb_devices.sh index 85754b2..13da243 100755 --- a/bin/hardening/99.1.1.23_disable_usb_devices.sh +++ b/bin/hardening/99.1.1.23_disable_usb_devices.sh @@ -13,6 +13,9 @@ set -e # One error, it's over set -u # One variable unset, it's over USER='root' + +# shellcheck disable=2034 +HARDENING_LEVEL=2 # shellcheck disable=2034 DESCRIPTION="USB devices are disabled." diff --git a/bin/hardening/99.1.3_acc_sudoers_no_all.sh b/bin/hardening/99.1.3_acc_sudoers_no_all.sh index e67239f..d12fb42 100755 --- a/bin/hardening/99.1.3_acc_sudoers_no_all.sh +++ b/bin/hardening/99.1.3_acc_sudoers_no_all.sh @@ -12,6 +12,8 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 +HARDENING_LEVEL=2 # shellcheck disable=2034 DESCRIPTION="Checks there are no carte-blanche authorization in sudoers file(s)." diff --git a/bin/hardening/99.5.2.3_ssh_disable_features.sh b/bin/hardening/99.5.2.3_ssh_disable_features.sh index 8428f69..4e57b66 100755 --- a/bin/hardening/99.5.2.3_ssh_disable_features.sh +++ b/bin/hardening/99.5.2.3_ssh_disable_features.sh 
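Review bot: `HARDENING_LEVEL=2` in 99.1.1.23_disable_usb_devices.sh is added with no comment saying why this level was chosen, and the same holds for the assignments in the other seven scripts of this patch. If the level decides which checks run at a site's configured strictness (inferred from the name, not visible in the diff), a reviewer cannot tell from these hunks why some checks are set to 2 and others to 3. A one-line rationale above each assignment, e.g. `# Level 2: <why this check belongs at this level>`, would make the choice reviewable. The script bodies continue outside the hunks.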
@@ -13,6 +13,7 @@ set -e # One error, it's over set -u # One variable unset, it's over # shellcheck disable=2034 +HARDENING_LEVEL=3 # shellcheck disable=2034 DESCRIPTION="Check all special features in sshd_config are disabled" diff --git a/bin/hardening/99.5.2.4_ssh_keys_from.sh b/bin/hardening/99.5.2.4_ssh_keys_from.sh index 3e36c2c..6377a44 100755 --- a/bin/hardening/99.5.2.4_ssh_keys_from.sh +++ b/bin/hardening/99.5.2.4_ssh_keys_from.sh @@ -12,6 +12,8 @@ set -e # One error, it is over set -u # One variable unset, it is over +# shellcheck disable=2034 +HARDENING_LEVEL=3 # shellcheck disable=2034 DESCRIPTION="Check field in ssh authorized keys files for users with login shell, and allowed IP if available." diff --git a/bin/hardening/99.5.2.5_ssh_strict_modes.sh b/bin/hardening/99.5.2.5_ssh_strict_modes.sh index acde7e3..f373e56 100755 --- a/bin/hardening/99.5.2.5_ssh_strict_modes.sh +++ b/bin/hardening/99.5.2.5_ssh_strict_modes.sh @@ -13,7 +13,9 @@ set -e # One error, it's over set -u # One variable unset, it's over # shellcheck disable=2034 -DESCRIPTION="Ensure home directory and ssh sensitive files are verified (not publicly readable) before connecting." +HARDENING_LEVEL=2 +# shellcheck disable=2034 +DESCRIPTION="Ensure home directory and ssh sensitive files are verified (not publicly readable) before connecting." PACKAGE='openssh-server' OPTIONS='StrictModes=yes' diff --git a/bin/hardening/99.5.2.7_ssh_sys_no_legacy.sh b/bin/hardening/99.5.2.7_ssh_sys_no_legacy.sh index 24d9cb6..1c57951 100755 --- a/bin/hardening/99.5.2.7_ssh_sys_no_legacy.sh +++ b/bin/hardening/99.5.2.7_ssh_sys_no_legacy.sh @@ -12,8 +12,11 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 +HARDENING_LEVEL=3 # shellcheck disable=2034 DESCRIPTION="Ensure that legacy services rlogin, rlogind and rcp are disabled and not installed" + # shellcheck disable=2034 SERVICES="rlogin rlogind rcp" 
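Review bot: The re-added `DESCRIPTION` in 99.5.2.5_ssh_strict_modes.sh says StrictModes verifies that files are "not publicly readable", but per sshd_config(5) the option makes sshd check ownership and modes of the user's home directory and files, where the concern is paths writable by others. The removed and added lines show the same visible text, so the edit looks whitespace-only and the wording was carried over unchanged. Since the line is touched anyway, consider `DESCRIPTION="Ensure sshd checks ownership and modes of the home directory and ssh files (not writable by others) before accepting a login."`. An operator reading the audit output would otherwise assume that read permissions are what is being enforced.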
diff --git a/bin/hardening/99.5.4.5.1_acc_logindefs_sha512.sh b/bin/hardening/99.5.4.5.1_acc_logindefs_sha512.sh index 57fdd87..a706c8b 100755 --- a/bin/hardening/99.5.4.5.1_acc_logindefs_sha512.sh +++ b/bin/hardening/99.5.4.5.1_acc_logindefs_sha512.sh @@ -6,14 +6,16 @@ # # -# 99.5.4.5.1 Check that any password that may exist in /etc/shadow is SHA512 hashed and salted +# 99.5.4.5.1 Check that any password that will be created will be SHA512 hashed and salted # set -e # One error, it's over set -u # One variable unset, it's over # shellcheck disable=2034 -DESCRIPTION="Check that any password that may exist in /etc/shadow is SHA512 hashed and salted" +HARDENING_LEVEL=2 +# shellcheck disable=2034 +DESCRIPTION="Check that any password that will be created will be SHA512 hashed and salted" CONF_FILE="/etc/login.defs" CONF_LINE="ENCRYPT_METHOD SHA512" diff --git a/bin/hardening/99.5.4.5.2_acc_shadow_sha512.sh b/bin/hardening/99.5.4.5.2_acc_shadow_sha512.sh index 93c7179..9613aa3 100755 --- a/bin/hardening/99.5.4.5.2_acc_shadow_sha512.sh +++ b/bin/hardening/99.5.4.5.2_acc_shadow_sha512.sh @@ -12,6 +12,8 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 +HARDENING_LEVEL=2 # shellcheck disable=2034 DESCRIPTION="Check that any password that may exist in /etc/shadow is SHA512 hashed and salted" FILE="/etc/shadow"
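Review bot: The new `DESCRIPTION` in 99.5.4.5.1_acc_logindefs_sha512.sh promises that any password that will be created is SHA512 hashed, while the visible configuration only looks for `ENCRYPT_METHOD SHA512` in `/etc/login.defs`. That setting governs the shadow-utils tools; password changes that go through PAM follow pam_unix, where an explicit hash option in the PAM configuration can take precedence over login.defs. I would narrow the text to what is verified, e.g. `DESCRIPTION="Check that login.defs sets ENCRYPT_METHOD SHA512 for newly created passwords"`, and say in the header comment that the pam_unix configuration has to agree. The check body is outside the hunk, so whether PAM is examined elsewhere cannot be seen here.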