99.1_timeout_tty.sh 99.2_disable_usb_devices.sh

This commit is contained in:
thibault.dewailly 2016-04-18 11:16:05 +02:00
parent 756fce8c2e
commit 57121f116c
6 changed files with 244 additions and 8 deletions

107
bin/hardening.sh Normal file → Executable file
View File

@ -1,6 +1,5 @@
#!/bin/bash #!/bin/bash
# CIs Deb
# #
# CIS Debian 7 Hardening # CIS Debian 7 Hardening
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com> # Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
@ -15,8 +14,106 @@
# ls | sort -V # ls | sort -V
cd /opt/cis-hardening/bin/hardening LONG_SCRIPT_NAME=$(basename $0)
for i in $(ls | sort -V); do SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh}
echo "$i" DISABLED_CHECKS=0
./$i --audit PASSED_CHECKS=0
FAILED_CHECKS=0
TOTAL_CHECKS=0
TOTAL_TREATED_CHECKS=0
AUDIT=0
APPLY=0
usage() {
cat << EOF
$LONG_SCRIPT_NAME ( --apply | -- audit ) < -h | --help >
--apply : Apply hardening if told in configuration
--audit : If script not disabled, audit configuration only
-h|--help : this help
EOF
exit 0
}
if [ $# = 0 ]; then
usage
fi
# Arguments parsing
while [[ $# > 0 ]]; do
ARG="$1"
case $ARG in
--audit)
AUDIT=1
;;
--apply)
APPLY=1
;;
-h|--help)
usage
;;
*)
usage
;;
esac
shift
done done
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh
[ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
# Parse every scripts and execute them in the required mode
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening | sort -V); do
info "Treating $SCRIPT"
if [ $AUDIT = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit"
$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit
elif [ $APPLY = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT"
$CIS_ROOT_DIR/bin/hardening/$SCRIPT
fi
SCRIPT_EXITCODE=$?
debug "Script $SCRIPT finished with exit code $SCRIPT_EXITCODE"
case $SCRIPT_EXITCODE in
0)
debug "$SCRIPT passed"
PASSED_CHECKS=$((PASSED_CHECKS+1))
;;
1)
debug "$SCRIPT failed"
FAILED_CHECKS=$((FAILED_CHECKS+1))
;;
2)
debug "$SCRIPT is disabled"
DISABLED_CHECKS=$((DISABLED_CHECKS+1))
;;
esac
TOTAL_CHECKS=$((TOTAL_CHECKS+1))
done
TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS-DISABLED_CHECKS))
printf "%40s\n" "################### SUMMARY ###################"
printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"
printf "%30s %s\n" "Total Runned Checks :" "$TOTAL_TREATED_CHECKS"
printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
printf "%30s %.2f %%\n" "Enabled Checks Percentage :" "$( echo "($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100" | bc -l)"
printf "%30s %.2f %%\n" "Conformity Percentage :" "$( echo "($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100" | bc -l)"

View File

@ -13,8 +13,8 @@ set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
USER='root' USER='root'
PATTERN='umask 644' PATTERN='umask 077'
FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d/*' FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d/* /etc/profile'
FILE='/etc/profile.d/CIS_10.4_umask.sh' FILE='/etc/profile.d/CIS_10.4_umask.sh'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
@ -33,7 +33,7 @@ apply () {
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$PATTERN not present in $FILES_TO_SEARCH" warn "$PATTERN not present in $FILES_TO_SEARCH"
touch $FILE touch $FILE
chmod 700 $FILE chmod 644 $FILE
add_end_of_file $FILE "$PATTERN" add_end_of_file $FILE "$PATTERN"
else else
ok "$PATTERN present in $FILES_TO_SEARCH" ok "$PATTERN present in $FILES_TO_SEARCH"

View File

@ -0,0 +1,63 @@
#!/bin/bash
#
# CIS Debian 7 Hardening /!\ Not in the Guide
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
#
#
# 99.1 Set Timeout on ttys
#
set -e # One error, it's over
set -u # One variable unset, it's over
USER='root'
PATTERN='^TMOUT='
VALUE='600'
FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d/* /etc/profile'
FILE='/etc/profile.d/CIS_99.1_timeout.sh'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_pattern_exists_in_file "$FILES_TO_SEARCH" "^$PATTERN"
if [ $FNRET != 0 ]; then
crit "$PATTERN not present in $FILES_TO_SEARCH"
else
ok "$PATTERN present in $FILES_TO_SEARCH"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_pattern_exists_in_file "$FILES_TO_SEARCH" "^$PATTERN"
if [ $FNRET != 0 ]; then
warn "$PATTERN not present in $FILES_TO_SEARCH"
touch $FILE
chmod 644 $FILE
add_end_of_file $FILE "$PATTERN$VALUE"
add_end_of_file $FILE "readonly TMOUT"
add_end_of_file $FILE "export TMOUT"
else
ok "$PATTERN present in $FILES_TO_SEARCH"
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

View File

@ -0,0 +1,72 @@
#!/bin/bash
#
# CIS Debian 7 Hardening /!\ Not in the Guide
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
#
#
# 99.2 Disable USB Devices
#
set -e # One error, it's over
set -u # One variable unset, it's over
USER='root'
PATTERN='ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"' # We do test disabled by default, whitelist is up to you
FILES_TO_SEARCH='/etc/udev/rules.d/*'
FILE='/etc/udev/rules.d/10-CIS_99.2_usb_devices.sh'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_pattern_exists_in_file "$FILES_TO_SEARCH" "^$PATTERN"
if [ $FNRET != 0 ]; then
crit "$PATTERN not present in $FILES_TO_SEARCH"
else
ok "$PATTERN present in $FILES_TO_SEARCH"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_pattern_exists_in_file "$FILES_TO_SEARCH" "^$PATTERN"
if [ $FNRET != 0 ]; then
warn "$PATTERN not present in $FILES_TO_SEARCH"
touch $FILE
chmod 644 $FILE
add_end_of_file $FILE '
# By default, disable all.
ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"
# Enable hub devices.
ACTION=="add", ATTR{bDeviceClass}=="09", TEST=="authorized", ATTR{authorized}="1"
# Enables keyboard devices
ACTION=="add", ATTR{product}=="*[Kk]eyboard*", TEST=="authorized", ATTR{authorized}="1"
# PS2-USB converter
ACTION=="add", ATTR{product}=="*Thinnet TM*", TEST=="authorized", ATTR{authorized}="1"
'
else
ok "$PATTERN present in $FILES_TO_SEARCH"
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

View File

@ -0,0 +1,2 @@
# Configuration for script of same name
status=enabled

View File

@ -0,0 +1,2 @@
# Configuration for script of same name
status=enabled