diff --git a/README b/README
index 185ad2f..4d4935b 100644
--- a/README
+++ b/README
@@ -1 +1,2 @@
 # CIS Debian 7 Hardening git repository
+# This is the code base which will be used to fill CIS hardening requirements
diff --git a/bin/hardening/1.1_Install_Updates.sh b/bin/hardening/1.1_Install_Updates.sh
old mode 100644
new mode 100755
index b79db85..40d0d5a
--- a/bin/hardening/1.1_Install_Updates.sh
+++ b/bin/hardening/1.1_Install_Updates.sh
@@ -8,14 +8,33 @@
 # 1.1 Install Updates, Patches and Additional Security Software (Not Scored)
 #
-# This function will be called if the script status is ont enabled / audit mode
-audit () {
+set -e # One error, it's over
+set -u # One variable unset, it's over
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ :
 }
 # This function will be called if the script status is on enabled mode
 apply () {
-
+ :
 }
+# This function will check config parameters required
+check_config() {
+ :
+}
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/etc/conf.d/1.1_Install_Updates.cfg b/etc/conf.d/1.1_Install_Updates.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/1.1_Install_Updates.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/hardening.cfg b/etc/hardening.cfg
index 7038654..0d0c454 100644
--- a/etc/hardening.cfg
+++ b/etc/hardening.cfg
@@ -1,2 +1,5 @@
 # CIS Debian 7 Hardening
-# Main Configuration File
+# Main Configuration File, put here global variables
+
+# Valid values are debug info warning error
+LOGLEVEL=debug
diff --git a/lib/common.sh b/lib/common.sh
index e7d869a..1a64f3d 100644
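Review bot: In bin/hardening/1.1_Install_Updates.sh the `if [ -z $CIS_ROOT_DIR ]` branch prints "aborting" but never exits, so the script falls through to `[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh` with an empty root and would source `/lib/main.sh` from the filesystem root if such a file existed; with `set -u` switched on just above, a variable that is simply absent from /etc/default/cis-hardenning aborts on bash's own "unbound variable" message before the friendly one is ever reached. Make the check both quote-safe and fatal: `if [ -z "${CIS_ROOT_DIR:-}" ]; then echo "No CIS_ROOT_DIR variable, aborting" >&2; exit 128; fi`. Since this script is meant to run as root and executes whatever the sourced config points at, a one-line comment next to the `. /etc/default/cis-hardenning` line stating that the file and the directory it names must be writable only by root would document the trust boundary. src/skel appears to carry the same block (its inner check lies between the two hunks shown for that file), so the fix belongs in both.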
--- a/lib/common.sh
+++ b/lib/common.sh
@@ -1,7 +1,50 @@
 # CIS Debian 7 Hardening common functions
-logger() {
+# Logging functions
+
+case $LOGLEVEL in
+ error )
+ MACHINE_LOG_LEVEL=1
+ ;;
+ warning )
+ MACHINE_LOG_LEVEL=2
+ ;;
+ info )
+ MACHINE_LOG_LEVEL=3
+ ;;
+ debug )
+ MACHINE_LOG_LEVEL=4
+ ;;
+ *)
+ MACHINE_LOG_LEVEL=3 ## Default loglevel value to info
+esac
+
+_logger() {
+ COLOR=$1
+ shift
 test -z "$SCRIPT_NAME" && SCRIPT_NAME=$(basename $0)
- logger -i -t "$SCRIPT_NAME" -p "user.info" "$(date +%Y.%m.%d-%H:%M:%S) $*"
- test -t 1 && echo "$(date +%Z-%Y.%m.%d-%H:%M:%S) $*"
+ /usr/bin/logger -t "[CIS_Hardening] $SCRIPT_NAME" -p "user.info" "$*"
+ test -t 1 && cecho $COLOR "$SCRIPT_NAME $*"
+}
+
+cecho () {
+ COLOR=$1
+ shift
+ echo -e "${COLOR}$*${NC}"
+}
+
+info () {
+ [ $MACHINE_LOG_LEVEL -ge 3 ] && _logger $BWHITE "[INFO] $*"
+}
+
+warn () {
+ [ $MACHINE_LOG_LEVEL -ge 2 ] && _logger $BYELLOW "[WARN] $*"
+}
+
+crit () {
+ [ $MACHINE_LOG_LEVEL -ge 1 ] && _logger $BRED "[ KO ] $*"
+}
+
+debug () {
+ [ $MACHINE_LOG_LEVEL -ge 4 ] && _logger $GRAY "[DBG ] $*"
 }
diff --git a/lib/constants.sh b/lib/constants.sh
index 5d2389e..682a71d 100644
--- a/lib/constants.sh
+++ b/lib/constants.sh
@@ -21,13 +21,15 @@
 # Reset Color (for syslog)
 NC='\033[0m'
-
+WHITE='\033[0m'
 # Colors
-RED='\033[1;31m'
-GREEN='\033[1;32m'
-YELLOW='\033[1;33m'
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[0;33m'
+GRAY='\033[0;40m' # Gray
 # Bold
 BRED='\033[1;31m' # Red
 BGREEN='\033[1;32m' # Green
 BYELLOW='\033[1;33m' # Yellow
+BWHITE='\033[1;37m' # White
diff --git a/lib/main.sh b/lib/main.sh
new file mode 100644
index 0000000..69e554c
--- /dev/null
+++ b/lib/main.sh
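Review bot: Every logging helper in lib/common.sh now returns non-zero whenever it decides not to print: `info ()` ends in `[ $MACHINE_LOG_LEVEL -ge 3 ] && _logger ...`, and `_logger` itself ends in `test -t 1 && cecho ...`, so with stdout not a terminal (cron, a pipe) or LOGLEVEL set to warning or error the function's exit status is 1. The scripts that source this file run under `set -e` and lib/main.sh calls `info "Working on $SCRIPT_NAME"` as a plain statement, so in non-interactive use the very first log line will abort the hardening script before anything is audited. End each helper with an explicit success, e.g. `test -t 1 && cecho $COLOR "$SCRIPT_NAME $*"; return 0` in `_logger` and `[ $MACHINE_LOG_LEVEL -ge 3 ] && _logger $BWHITE "[INFO] $*"; return 0` in `info` (same for warn, crit, debug). Separately, all four levels reach syslog with the fixed `-p "user.info"`, so a log pipeline cannot filter hardening failures by severity; passing the priority from the caller (`user.warning` from warn, `user.err` from crit) would make the `[ KO ]` results usable for alerting.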
@@ -0,0 +1,41 @@
+LONG_SCRIPT_NAME=$(basename $0)
+SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh}
+# Variable initialization, to avoid crash
+status=""
+
+[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh
+[ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg
+[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
+[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
+
+# Source specific configuration file
+[ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] && . $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
+
+# Environment Sanitizing
+export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
+
+info "Working on $SCRIPT_NAME"
+
+if [ -z $status ]; then
+ crit "Could not find status variable for $SCRIPT_NAME, considered as disabled"
+ exit 0
+fi
+
+case $status in
+ enabled | true )
+ info "Performing audit"
+ audit # Perform audit
+ info "Applying Hardening"
+ apply # Perform hardening
+ ;;
+ audit )
+ info "Performing audit"
+ audit # Perform audit
+ ;;
+ disabled | false )
+ info "$SCRIPT_NAME is disabled, ignoring"
+ ;;
+ *)
+ warn "Wrong value for status : $status. Must be [ enabled | true | audit | disabled | false ]"
+ ;;
+esac
diff --git a/src/skel.sh b/src/skel
similarity index 55%
rename from src/skel.sh
rename to src/skel
index 0d5b59b..eb6a710 100644
--- a/src/skel.sh
+++ b/src/skel
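Review bot: The `export PATH=...` labelled "Environment Sanitizing" in lib/main.sh runs only after `$(basename $0)` has executed and after constants.sh, hardening.cfg, common.sh, utils.sh and the per-script .cfg have all been sourced, so the caller's PATH is still in effect for everything that happens before it; move that line to the top of the file, ahead of `LONG_SCRIPT_NAME=$(basename $0)`. The `check_config` function that the same commit adds to 1.1_Install_Updates.sh and src/skel is never invoked here, so per-script parameter validation never runs; call `check_config` before `audit` in the `enabled | true` and `audit` arms. `[ -z $status ]` is unquoted, so a status value containing whitespace in a .cfg file turns the test into an error rather than the intended "considered as disabled" path; use `[ -z "$status" ]`.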
@@ -4,26 +4,29 @@
 # CIS Debian 7 Hardening
 #
-
 #
 # Hardening script skeleton replace this line with proper point treated
 #
-# This function will be called if the script status is ont enabled / audit mode
-audit () {
+set -e # One error, it's over
+set -u # One variable unset, it's over
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ :
 }
 # This function will be called if the script status is on enabled mode
 apply () {
-
+ :
 }
-# Environment Sanitizing
-export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
+# This function will check config parameters required
+check_config() {
+ :
+}
 # Source Root Dir Parameter
-
 if [ ! -r /etc/default/cis-hardenning ]; then
 echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
 exit 128
@@ -34,11 +37,5 @@ else
 fi
 fi
-SCRIPT_NAME=$(basename $0)
-
-# Source general configuration file and Specific configuration file if exist
-
-[ -r $ROOT_DIR/etc/hardening.cfg ] && . $ROOT_DIR/etc/hardening.cfg
-[ -r $ROOT_DIR/etc/hardening/$SCRIPT_NAME ] && . $ROOT_DIR/etc/hardening/$SCRIPT_NAME
-
-
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
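Review bot: The new closing line of src/skel, `[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh`, turns a missing or unreadable lib/main.sh into a silent no-op: nothing is audited or applied, no message is printed, and the script exits with status 1 only because the `&&` list failed, which is indistinguishable from a hardening check that ran and found a problem. Test and source explicitly: `[ -r "$CIS_ROOT_DIR/lib/main.sh" ] || { echo "cannot read $CIS_ROOT_DIR/lib/main.sh, aborting" >&2; exit 128; }` followed by `. "$CIS_ROOT_DIR/lib/main.sh"`. The identical line closes bin/hardening/1.1_Install_Updates.sh in this commit and should be changed the same way. Since the skeleton is the template every future check is generated from, the comment above that line should also say that `status` in etc/conf.d/<script>.cfg is what selects between audit, apply and disabled, so authors know the skeleton does nothing until that file exists.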