diff --git a/bin/hardening/8.2.4_set_logfile_perm.sh b/bin/hardening/8.2.4_set_logfile_perm.sh index bf2f72b..f2efcf5 100755 --- a/bin/hardening/8.2.4_set_logfile_perm.sh +++ b/bin/hardening/8.2.4_set_logfile_perm.sh @@ -12,13 +12,13 @@ set -e # One error, it's over set -u # One variable unset, it's over -FILES=$(grep "file(" /etc/syslog-ng/syslog-ng.conf | grep '"' | cut -d'"' -f 2) PERMISSIONS='640' USER='root' GROUP='adm' # This function will be called if the script status is on enabled / audit mode audit () { + FILES=$(grep "file(" $SYSLOG_BASEDIR/syslog-ng.conf | grep '"' | cut -d'"' -f 2) for FILE in $FILES; do has_file_correct_ownership $FILE $USER $GROUP if [ $FNRET = 0 ]; then diff --git a/bin/hardening/8.2.5_syslog-ng_remote_host.sh b/bin/hardening/8.2.5_syslog-ng_remote_host.sh new file mode 100755 index 0000000..5937650 --- /dev/null +++ b/bin/hardening/8.2.5_syslog-ng_remote_host.sh @@ -0,0 +1,57 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 8.2.5 Configure rsyslog to Send Logs to a Remote Log Host (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +#destination d_httpd_error { tcp("10.1.0.31" log_fifo_size(100000000) template("<187>$MSGHDR$MSG\n") template_escape(no)); }; + +PATTERN='^destination.*(tcp|udp)[[:space:]]*\([[:space:]]*\".*\"[[:space:]]*\)' +FILES='/etc/syslog-ng/syslog-ng.conf /etc/syslog-ng/conf.d/*' + +# This function will be called if the script status is on enabled / audit mode +audit () { + does_pattern_exists_in_file "$FILES" "$PATTERN" + if [ $FNRET != 0 ]; then + crit "$PATTERN not present in $FILES" + else + ok "$PATTERN present in $FILES" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_pattern_exists_in_file "$FILES" "$PATTERN" + if [ $FNRET != 0 ]; then + crit "$PATTERN not present in $FILES, please set a remote host to send your logs" + else + ok "$PATTERN present in $FILES" + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/8.2.6_remote_syslog-ng_acl.sh b/bin/hardening/8.2.6_remote_syslog-ng_acl.sh new file mode 100755 index 0000000..c307c73 --- /dev/null +++ b/bin/hardening/8.2.6_remote_syslog-ng_acl.sh @@ -0,0 +1,42 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 8.2.6 Accept Remote rsyslog Messages Only on Designated Log Hosts (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Not implemented yet" +} + +# This function will be called if the script status is on enabled mode +apply () { + info "Not implemented yet" +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/8.3.1_install_tripwire.sh b/bin/hardening/8.3.1_install_tripwire.sh new file mode 100755 index 0000000..fddce71 --- /dev/null +++ b/bin/hardening/8.3.1_install_tripwire.sh @@ -0,0 +1,57 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 8.2.1 Install the syslog-ng package (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# NB : in CIS, AIDE has been chosen, however we chose tripwire +PACKAGE='tripwire' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + info "Tripwire is now installed but not fully functionnal, please see readme to go further" + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/postinstall/tripwire.sh b/bin/postinstall/tripwire.sh new file mode 100755 index 0000000..bb043e7 --- /dev/null +++ b/bin/postinstall/tripwire.sh @@ -0,0 +1,20 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# If you followed this CIS hardenning, this script follows 8.3.1_install_tripwire.sh +# After installing tripwire, you may want to run those few commented commands to make it fully functionnal + +echo "Generating Site key file..." +twadmin -m G -S /etc/tripwire/site.key # Generates Site key file +echo "Generating Local key file..." +twadmin -m G -S /etc/tripwire/$(hostname -f)-local.key # Generate local key file +echo "Generating encrypted policy..." +twadmin -m P /etc/tripwire/twpol.txt # Apply new policy with generated site key file +echo "Generating Local database with newly created key..." +/usr/sbin/twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt # Init database with generated local key file +echo "Testing tripwire database update" +tripwire -m i # Test configuration update +~ diff --git a/etc/conf.d/8.2.4_set_logfile_perm.cfg b/etc/conf.d/8.2.4_set_logfile_perm.cfg index e1e4502..83a0977 100644 --- a/etc/conf.d/8.2.4_set_logfile_perm.cfg +++ b/etc/conf.d/8.2.4_set_logfile_perm.cfg @@ -1,2 +1,3 @@ # Configuration for script of same name status=enabled +SYSLOG_BASEDIR='/etc/syslog-ng' diff --git a/etc/conf.d/8.2.5_syslog-ng_remote_host.cfg b/etc/conf.d/8.2.5_syslog-ng_remote_host.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/8.2.5_syslog-ng_remote_host.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/8.2.6_remote_syslog-ng_acl.cfg b/etc/conf.d/8.2.6_remote_syslog-ng_acl.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/8.2.6_remote_syslog-ng_acl.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/8.3.1_install_tripwire.cfg b/etc/conf.d/8.3.1_install_tripwire.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/8.3.1_install_tripwire.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/lib/utils.sh b/lib/utils.sh index bdad3dd..384a15f 100644 --- a/lib/utils.sh +++ b/lib/utils.sh @@ -44,17 +44,6 @@ set_sysctl_param() { fi } -# -# Network -# - -is_ipv6_disabled_by_bootloader() { - #if - # - : -} - - # # Dmesg #