mirror of
https://github.com/ovh/debian-cis.git
synced 2024-12-24 15:05:24 +01:00
99.1_timeout_tty.sh 99.2_disable_usb_devices.sh
This commit is contained in:
parent
756fce8c2e
commit
57121f116c
107
bin/hardening.sh
Normal file → Executable file
107
bin/hardening.sh
Normal file → Executable file
@ -1,6 +1,5 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
# CIs Deb
|
|
||||||
#
|
#
|
||||||
# CIS Debian 7 Hardening
|
# CIS Debian 7 Hardening
|
||||||
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
|
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
|
||||||
@ -15,8 +14,106 @@
|
|||||||
|
|
||||||
# ls | sort -V
|
# ls | sort -V
|
||||||
|
|
||||||
cd /opt/cis-hardening/bin/hardening
|
LONG_SCRIPT_NAME=$(basename $0)
|
||||||
for i in $(ls | sort -V); do
|
SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh}
|
||||||
echo "$i"
|
DISABLED_CHECKS=0
|
||||||
./$i --audit
|
PASSED_CHECKS=0
|
||||||
|
FAILED_CHECKS=0
|
||||||
|
TOTAL_CHECKS=0
|
||||||
|
TOTAL_TREATED_CHECKS=0
|
||||||
|
AUDIT=0
|
||||||
|
APPLY=0
|
||||||
|
|
||||||
|
usage() {
|
||||||
|
cat << EOF
|
||||||
|
$LONG_SCRIPT_NAME ( --apply | -- audit ) < -h | --help >
|
||||||
|
--apply : Apply hardening if told in configuration
|
||||||
|
--audit : If script not disabled, audit configuration only
|
||||||
|
-h|--help : this help
|
||||||
|
EOF
|
||||||
|
exit 0
|
||||||
|
}
|
||||||
|
|
||||||
|
if [ $# = 0 ]; then
|
||||||
|
usage
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Arguments parsing
|
||||||
|
while [[ $# > 0 ]]; do
|
||||||
|
ARG="$1"
|
||||||
|
case $ARG in
|
||||||
|
--audit)
|
||||||
|
AUDIT=1
|
||||||
|
;;
|
||||||
|
--apply)
|
||||||
|
APPLY=1
|
||||||
|
;;
|
||||||
|
-h|--help)
|
||||||
|
usage
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
usage
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
shift
|
||||||
done
|
done
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||||
|
exit 128
|
||||||
|
else
|
||||||
|
. /etc/default/cis-hardenning
|
||||||
|
if [ -z $CIS_ROOT_DIR ]; then
|
||||||
|
echo "No CIS_ROOT_DIR variable, aborting"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh
|
||||||
|
[ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg
|
||||||
|
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
|
||||||
|
[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
|
||||||
|
|
||||||
|
# Parse every scripts and execute them in the required mode
|
||||||
|
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening | sort -V); do
|
||||||
|
info "Treating $SCRIPT"
|
||||||
|
|
||||||
|
if [ $AUDIT = 1 ]; then
|
||||||
|
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit"
|
||||||
|
$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit
|
||||||
|
elif [ $APPLY = 1 ]; then
|
||||||
|
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT"
|
||||||
|
$CIS_ROOT_DIR/bin/hardening/$SCRIPT
|
||||||
|
fi
|
||||||
|
|
||||||
|
SCRIPT_EXITCODE=$?
|
||||||
|
|
||||||
|
debug "Script $SCRIPT finished with exit code $SCRIPT_EXITCODE"
|
||||||
|
case $SCRIPT_EXITCODE in
|
||||||
|
0)
|
||||||
|
debug "$SCRIPT passed"
|
||||||
|
PASSED_CHECKS=$((PASSED_CHECKS+1))
|
||||||
|
;;
|
||||||
|
1)
|
||||||
|
debug "$SCRIPT failed"
|
||||||
|
FAILED_CHECKS=$((FAILED_CHECKS+1))
|
||||||
|
;;
|
||||||
|
2)
|
||||||
|
debug "$SCRIPT is disabled"
|
||||||
|
DISABLED_CHECKS=$((DISABLED_CHECKS+1))
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
TOTAL_CHECKS=$((TOTAL_CHECKS+1))
|
||||||
|
|
||||||
|
done
|
||||||
|
|
||||||
|
TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS-DISABLED_CHECKS))
|
||||||
|
|
||||||
|
printf "%40s\n" "################### SUMMARY ###################"
|
||||||
|
printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"
|
||||||
|
printf "%30s %s\n" "Total Runned Checks :" "$TOTAL_TREATED_CHECKS"
|
||||||
|
printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
|
||||||
|
printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
|
||||||
|
printf "%30s %.2f %%\n" "Enabled Checks Percentage :" "$( echo "($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100" | bc -l)"
|
||||||
|
printf "%30s %.2f %%\n" "Conformity Percentage :" "$( echo "($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100" | bc -l)"
|
||||||
|
@ -13,8 +13,8 @@ set -e # One error, it's over
|
|||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
USER='root'
|
USER='root'
|
||||||
PATTERN='umask 644'
|
PATTERN='umask 077'
|
||||||
FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d/*'
|
FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d/* /etc/profile'
|
||||||
FILE='/etc/profile.d/CIS_10.4_umask.sh'
|
FILE='/etc/profile.d/CIS_10.4_umask.sh'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
@ -33,7 +33,7 @@ apply () {
|
|||||||
if [ $FNRET != 0 ]; then
|
if [ $FNRET != 0 ]; then
|
||||||
warn "$PATTERN not present in $FILES_TO_SEARCH"
|
warn "$PATTERN not present in $FILES_TO_SEARCH"
|
||||||
touch $FILE
|
touch $FILE
|
||||||
chmod 700 $FILE
|
chmod 644 $FILE
|
||||||
add_end_of_file $FILE "$PATTERN"
|
add_end_of_file $FILE "$PATTERN"
|
||||||
else
|
else
|
||||||
ok "$PATTERN present in $FILES_TO_SEARCH"
|
ok "$PATTERN present in $FILES_TO_SEARCH"
|
||||||
|
63
bin/hardening/99.1_timeout_tty.sh
Executable file
63
bin/hardening/99.1_timeout_tty.sh
Executable file
@ -0,0 +1,63 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7 Hardening /!\ Not in the Guide
|
||||||
|
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 99.1 Set Timeout on ttys
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
USER='root'
|
||||||
|
PATTERN='^TMOUT='
|
||||||
|
VALUE='600'
|
||||||
|
FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d/* /etc/profile'
|
||||||
|
FILE='/etc/profile.d/CIS_99.1_timeout.sh'
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
does_pattern_exists_in_file "$FILES_TO_SEARCH" "^$PATTERN"
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
crit "$PATTERN not present in $FILES_TO_SEARCH"
|
||||||
|
else
|
||||||
|
ok "$PATTERN present in $FILES_TO_SEARCH"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
does_pattern_exists_in_file "$FILES_TO_SEARCH" "^$PATTERN"
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
warn "$PATTERN not present in $FILES_TO_SEARCH"
|
||||||
|
touch $FILE
|
||||||
|
chmod 644 $FILE
|
||||||
|
add_end_of_file $FILE "$PATTERN$VALUE"
|
||||||
|
add_end_of_file $FILE "readonly TMOUT"
|
||||||
|
add_end_of_file $FILE "export TMOUT"
|
||||||
|
else
|
||||||
|
ok "$PATTERN present in $FILES_TO_SEARCH"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||||
|
exit 128
|
||||||
|
else
|
||||||
|
. /etc/default/cis-hardenning
|
||||||
|
if [ -z $CIS_ROOT_DIR ]; then
|
||||||
|
echo "No CIS_ROOT_DIR variable, aborting"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
72
bin/hardening/99.2_disable_usb_devices.sh
Executable file
72
bin/hardening/99.2_disable_usb_devices.sh
Executable file
@ -0,0 +1,72 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7 Hardening /!\ Not in the Guide
|
||||||
|
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 99.2 Disable USB Devices
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
USER='root'
|
||||||
|
PATTERN='ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"' # We do test disabled by default, whitelist is up to you
|
||||||
|
FILES_TO_SEARCH='/etc/udev/rules.d/*'
|
||||||
|
FILE='/etc/udev/rules.d/10-CIS_99.2_usb_devices.sh'
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
does_pattern_exists_in_file "$FILES_TO_SEARCH" "^$PATTERN"
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
crit "$PATTERN not present in $FILES_TO_SEARCH"
|
||||||
|
else
|
||||||
|
ok "$PATTERN present in $FILES_TO_SEARCH"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
does_pattern_exists_in_file "$FILES_TO_SEARCH" "^$PATTERN"
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
warn "$PATTERN not present in $FILES_TO_SEARCH"
|
||||||
|
touch $FILE
|
||||||
|
chmod 644 $FILE
|
||||||
|
add_end_of_file $FILE '
|
||||||
|
# By default, disable all.
|
||||||
|
ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"
|
||||||
|
|
||||||
|
# Enable hub devices.
|
||||||
|
ACTION=="add", ATTR{bDeviceClass}=="09", TEST=="authorized", ATTR{authorized}="1"
|
||||||
|
|
||||||
|
# Enables keyboard devices
|
||||||
|
ACTION=="add", ATTR{product}=="*[Kk]eyboard*", TEST=="authorized", ATTR{authorized}="1"
|
||||||
|
|
||||||
|
# PS2-USB converter
|
||||||
|
ACTION=="add", ATTR{product}=="*Thinnet TM*", TEST=="authorized", ATTR{authorized}="1"
|
||||||
|
'
|
||||||
|
else
|
||||||
|
ok "$PATTERN present in $FILES_TO_SEARCH"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||||
|
exit 128
|
||||||
|
else
|
||||||
|
. /etc/default/cis-hardenning
|
||||||
|
if [ -z $CIS_ROOT_DIR ]; then
|
||||||
|
echo "No CIS_ROOT_DIR variable, aborting"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
2
etc/conf.d/99.1_timeout_tty.cfg
Normal file
2
etc/conf.d/99.1_timeout_tty.cfg
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
# Configuration for script of same name
|
||||||
|
status=enabled
|
2
etc/conf.d/99.2_disable_usb_devices.cfg
Normal file
2
etc/conf.d/99.2_disable_usb_devices.cfg
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
# Configuration for script of same name
|
||||||
|
status=enabled
|
Loading…
Reference in New Issue
Block a user