From 08da17be2466b8af2f4c8007a842c68afceb9567 Mon Sep 17 00:00:00 2001 From: "thibault.dewailly" Date: Fri, 1 Apr 2016 09:52:39 +0200 Subject: [PATCH 1/2] hardening : building basic configuration --- bin/hardening/1.1_Install_Updates.sh | 61 ++++++++++++++++++++++++++-- etc/conf.d/.gitignore | 1 + etc/hardening.cfg | 5 ++- lib/common.sh | 4 +- src/skel.sh | 44 ++++++++++++++++---- 5 files changed, 101 insertions(+), 14 deletions(-) diff --git a/bin/hardening/1.1_Install_Updates.sh b/bin/hardening/1.1_Install_Updates.sh index b79db85..7f0daf9 100644 --- a/bin/hardening/1.1_Install_Updates.sh +++ b/bin/hardening/1.1_Install_Updates.sh 
@@ -5,17 +5,70 @@ # # -# 1.1 Install Updates, Patches and Additional Security Software (Not Scored) +# Hardening script skeleton replace this line with proper point treated # -# This function will be called if the script status is ont enabled / audit mode -audit () { +set -e # One error, it's over +set -u # One variable unset, it's over +# This function will be called if the script status is on enabled / audit mode +audit () { + : } # This function will be called if the script status is on enabled mode apply () { - + : } +# Environment Sanitizing +export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' +# Source Root Dir Parameter + +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +LONG_SCRIPT_NAME=$(basename $0) +SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh} +# Variable initialization, to avoid crash +status="" +params="" + +[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh +[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh +[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh + +# Source general configuration file and Specific configuration file if exist + +[ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] && . $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg + +logger "Working on $SCRIPT_NAME" + +if [ -z $status ]; then + logger "Could not find status variable for $SCRIPT_NAME, considered as disabled" + exit 0 +fi + +case $status in + enabled | true ) + audit $params # Perform audit + apply $params # Perform hardening + ;; + audit ) + audit $params # Perform audit + ;; + disabled | false ) + logger "$SCRIPT_NAME is disabled, ignoring" + ;; + *) + logger "Wrong value for status : $status. Must be [ enabled | true | audit | disabled | false ]" + ;; +esac 
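Review bot: The `else` branch that prints "No CIS_ROOT_DIR variable, aborting" does not abort: it echoes and falls through, so with an empty `CIS_ROOT_DIR` every later `$CIS_ROOT_DIR/lib/...` test looks under `/` and the script carries on silently; add `exit 128` after the echo, as the missing-file branch does. The identical branch is kept as context in the patch-2 version of this script and copied into the new src/skel. Further down, `[ -z $status ]` and `audit $params` are unquoted, so a `status` value containing a space breaks the test with a syntax error instead of a clean message; write `[ -z "$status" ]`. The `*)` arm only logs the bad value, and the script then ends with whatever `logger` returned rather than a failure status, so a misconfigured `status` is invisible to the caller; an `exit 1` there would surface it (the same dispatch block appears in src/skel.sh in this patch and in lib/main.sh in patch 2).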
diff --git a/etc/conf.d/.gitignore b/etc/conf.d/.gitignore index e69de29..7103328 100644 --- a/etc/conf.d/.gitignore +++ b/etc/conf.d/.gitignore @@ -0,0 +1 @@ +*.cfg diff --git a/etc/hardening.cfg b/etc/hardening.cfg index 7038654..e23f0a7 100644 --- a/etc/hardening.cfg +++ b/etc/hardening.cfg @@ -1,2 +1,5 @@ # CIS Debian 7 Hardening -# Main Configuration File +# Main Configuration File, put here global variables + +# Valid values are verbose info warning error +LOGLEVEL=verbose diff --git a/lib/common.sh b/lib/common.sh index e7d869a..96294c4 100644 --- a/lib/common.sh +++ b/lib/common.sh @@ -2,6 +2,6 @@ logger() { test -z "$SCRIPT_NAME" && SCRIPT_NAME=$(basename $0) - logger -i -t "$SCRIPT_NAME" -p "user.info" "$(date +%Y.%m.%d-%H:%M:%S) $*" - test -t 1 && echo "$(date +%Z-%Y.%m.%d-%H:%M:%S) $*" + /usr/bin/logger -i -t "$SCRIPT_NAME" -p "user.info" "$*" + test -t 1 && echo "$*" } diff --git a/src/skel.sh b/src/skel.sh index 0d5b59b..d1802aa 100644 --- a/src/skel.sh +++ b/src/skel.sh @@ -4,19 +4,21 @@ # CIS Debian 7 Hardening # - # # Hardening script skeleton replace this line with proper point treated # -# This function will be called if the script status is ont enabled / audit mode -audit () { +set -e # One error, it's over +set -u # One variable unset, it's over +# This function will be called if the script status is on enabled / audit mode +audit () { + : } # This function will be called if the script status is on enabled mode apply () { - + : } # Environment Sanitizing 
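Review bot: `logger()` ends with `test -t 1 && echo "$*"`, so whenever stdout is not a terminal (cron, output redirected to a file) the function returns 1, and the scripts this series puts under `set -e` (src/skel.sh and 1.1_Install_Updates.sh) will abort on their first log call. Write the terminal branch as `if test -t 1; then echo "$*"; fi`, or end the function with `return 0`. The patch-2 rewrite (`_logger` plus the `info`/`warn`/`crit`/`debug` wrappers, each a bare `[ … ] && _logger …`) keeps this behaviour, and there a `debug` call at LOGLEVEL=info returns 1 even on a terminal. The switch to `/usr/bin/logger` is needed because the function shadows the command name; a comment such as `# absolute path: this function is itself named logger` would save the next reader from "simplifying" it back.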
@@ -34,11 +36,39 @@ else fi fi -SCRIPT_NAME=$(basename $0) +LONG_SCRIPT_NAME=$(basename $0) +SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh} +# Variable initialization, to avoid crash +status="" +params="" +[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh +[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh +[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh +[ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg # Source general configuration file and Specific configuration file if exist -[ -r $ROOT_DIR/etc/hardening.cfg ] && . $ROOT_DIR/etc/hardening.cfg -[ -r $ROOT_DIR/etc/hardening/$SCRIPT_NAME ] && . $ROOT_DIR/etc/hardening/$SCRIPT_NAME +[ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] && . $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg +logger "Working on $SCRIPT_NAME" +if [ -z $status ]; then + logger "Could not find status variable for $SCRIPT_NAME, considered as disabled" + exit 0 +fi + +case $status in + enabled | true ) + audit $params # Perform audit + apply $params # Perform hardening + ;; + audit ) + audit $params # Perform audit + ;; + disabled | false ) + logger "$SCRIPT_NAME is disabled, ignoring" + ;; + *) + logger "Wrong value for status : $status. Must be [ enabled | true | audit | disabled | false ]" + ;; +esac From 1a41e2f5929b13310d92e9cc26cfac419bc21756 Mon Sep 17 00:00:00 2001 
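Review bot: This hunk sources `etc/hardening.cfg` after the libraries, but the 1.1_Install_Updates.sh hunk in the same commit, otherwise a copy of this skeleton, never sources it, so `LOGLEVEL` from hardening.cfg is not available in the script that was generated from the skeleton. The two copies should stay in sync, or better the shared block should live in one place; patch 2 moves it into lib/main.sh. The dispatch block here shares the unquoted `$status`/`$params` and the missing non-zero exit in the `*)` arm noted on the 1.1 hunk.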
From: "thibault.dewailly" Date: Fri, 1 Apr 2016 16:48:31 +0200 Subject: [PATCH 2/2] skeleton --- README | 1 + bin/hardening/1.1_Install_Updates.sh | 46 +++-------------- etc/conf.d/.gitignore | 1 - etc/conf.d/1.1_Install_Updates.cfg | 2 + etc/hardening.cfg | 4 +- lib/common.sh | 49 ++++++++++++++++-- lib/constants.sh | 10 ++-- lib/main.sh | 41 +++++++++++++++ src/skel | 41 +++++++++++++++ src/skel.sh | 74 ---------------------------- 10 files changed, 145 insertions(+), 124 deletions(-) mode change 100644 => 100755 bin/hardening/1.1_Install_Updates.sh create mode 100644 etc/conf.d/1.1_Install_Updates.cfg create mode 100644 lib/main.sh create mode 100644 src/skel delete mode 100644 src/skel.sh diff --git a/README b/README index 185ad2f..4d4935b 100644 --- a/README +++ b/README @@ -1 +1,2 @@ # CIS Debian 7 Hardening git repository +# This is the code base which will be used to fill CIS hardening requirements diff --git a/bin/hardening/1.1_Install_Updates.sh b/bin/hardening/1.1_Install_Updates.sh old mode 100644 new mode 100755 index 7f0daf9..40d0d5a --- a/bin/hardening/1.1_Install_Updates.sh +++ b/bin/hardening/1.1_Install_Updates.sh @@ -5,7 +5,7 @@ # # -# Hardening script skeleton replace this line with proper point treated +# 1.1 Install Updates, Patches and Additional Security Software (Not Scored) # set -e # One error, it's over @@ -21,11 +21,12 @@ apply () { : } -# Environment Sanitizing -export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' +# This function will check config parameters required +check_config() { + : +} # Source Root Dir Parameter - if [ ! -r /etc/default/cis-hardenning ]; then echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" exit 128 
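Review bot: `check_config()` is added here but nothing calls it: lib/main.sh, introduced in this same patch, dispatches only `audit` and `apply`, so the config check is dead code in every script built from the skeleton (src/skel carries the same stub). Either invoke it from main.sh once the configuration files are sourced, e.g. `check_config` immediately before `case $status in`, or leave it out until it is wired in. Removing the `export PATH` line here also means the script no longer sanitizes PATH itself; that now happens only inside main.sh, after `basename` has run and the libraries have been sourced.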
@@ -36,39 +37,4 @@ else fi fi -LONG_SCRIPT_NAME=$(basename $0) -SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh} -# Variable initialization, to avoid crash -status="" -params="" - -[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh -[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh -[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh - -# Source general configuration file and Specific configuration file if exist - -[ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] && . $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg - -logger "Working on $SCRIPT_NAME" - -if [ -z $status ]; then - logger "Could not find status variable for $SCRIPT_NAME, considered as disabled" - exit 0 -fi - -case $status in - enabled | true ) - audit $params # Perform audit - apply $params # Perform hardening - ;; - audit ) - audit $params # Perform audit - ;; - disabled | false ) - logger "$SCRIPT_NAME is disabled, ignoring" - ;; - *) - logger "Wrong value for status : $status. Must be [ enabled | true | audit | disabled | false ]" - ;; -esac +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/etc/conf.d/.gitignore b/etc/conf.d/.gitignore index 7103328..e69de29 100644 --- a/etc/conf.d/.gitignore +++ b/etc/conf.d/.gitignore @@ -1 +0,0 @@ -*.cfg diff --git a/etc/conf.d/1.1_Install_Updates.cfg b/etc/conf.d/1.1_Install_Updates.cfg new file mode 100644 index 0000000..acee522 --- /dev/null +++ b/etc/conf.d/1.1_Install_Updates.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=disabled diff --git a/etc/hardening.cfg b/etc/hardening.cfg index e23f0a7..0d0c454 100644 --- a/etc/hardening.cfg +++ b/etc/hardening.cfg @@ -1,5 +1,5 @@ # CIS Debian 7 Hardening # Main Configuration File, put here global variables -# Valid values are verbose info warning error -LOGLEVEL=verbose +# Valid values are debug info warning error +LOGLEVEL=debug diff --git a/lib/common.sh b/lib/common.sh index 96294c4..1a64f3d 100644 --- a/lib/common.sh 
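Review bot: The new last line `[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh` turns a missing or unreadable lib/main.sh into a silent no-op: `set -e` ignores the failing left side of `&&`, nothing is logged, and the script just ends with the status of that test. Since main.sh is now the entire behaviour of the script, treat its absence like the missing /etc/default file above: `if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then . "$CIS_ROOT_DIR/lib/main.sh"; else echo "lib/main.sh not found under $CIS_ROOT_DIR" >&2; exit 128; fi`. src/skel ends with the identical line and needs the same treatment.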
+++ b/lib/common.sh @@ -1,7 +1,50 @@ # CIS Debian 7 Hardening common functions -logger() { +# Logging functions + +case $LOGLEVEL in + error ) + MACHINE_LOG_LEVEL=1 + ;; + warning ) + MACHINE_LOG_LEVEL=2 + ;; + info ) + MACHINE_LOG_LEVEL=3 + ;; + debug ) + MACHINE_LOG_LEVEL=4 + ;; + *) + MACHINE_LOG_LEVEL=3 ## Default loglevel value to info +esac + +_logger() { + COLOR=$1 + shift test -z "$SCRIPT_NAME" && SCRIPT_NAME=$(basename $0) - /usr/bin/logger -i -t "$SCRIPT_NAME" -p "user.info" "$*" - test -t 1 && echo "$*" + /usr/bin/logger -t "[CIS_Hardening] $SCRIPT_NAME" -p "user.info" "$*" + test -t 1 && cecho $COLOR "$SCRIPT_NAME $*" +} + +cecho () { + COLOR=$1 + shift + echo -e "${COLOR}$*${NC}" +} + +info () { + [ $MACHINE_LOG_LEVEL -ge 3 ] && _logger $BWHITE "[INFO] $*" +} + +warn () { + [ $MACHINE_LOG_LEVEL -ge 2 ] && _logger $BYELLOW "[WARN] $*" +} + +crit () { + [ $MACHINE_LOG_LEVEL -ge 1 ] && _logger $BRED "[ KO ] $*" +} + +debug () { + [ $MACHINE_LOG_LEVEL -ge 4 ] && _logger $GRAY "[DBG ] $*" } diff --git a/lib/constants.sh b/lib/constants.sh index 5d2389e..682a71d 100644 --- a/lib/constants.sh +++ b/lib/constants.sh @@ -21,13 +21,15 @@ # Reset Color (for syslog) NC='\033[0m' - +WHITE='\033[0m' # Colors -RED='\033[1;31m' -GREEN='\033[1;32m' -YELLOW='\033[1;33m' +RED='\033[0;31m' +GREEN='\033[0;32m' +YELLOW='\033[0;33m' +GRAY='\033[0;40m' # Gray # Bold BRED='\033[1;31m' # Red BGREEN='\033[1;32m' # Green BYELLOW='\033[1;33m' # Yellow +BWHITE='\033[1;37m' # White diff --git a/lib/main.sh b/lib/main.sh new file mode 100644 index 0000000..69e554c --- /dev/null +++ b/lib/main.sh 
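Review bot: `case $LOGLEVEL in` at the top of the file reads `LOGLEVEL` unguarded; the scripts that source this file run under `set -u`, and main.sh sources etc/hardening.cfg with `[ -r … ] && .`, so when that file is missing `LOGLEVEL` is unset and sourcing common.sh dies with an unbound-variable error instead of reaching the `*)` default. `case "${LOGLEVEL:-}" in` preserves the intended default of 3. `COLOR` in `_logger` and `cecho` is a global assigned from `$1`; `local COLOR=$1` avoids leaking it between calls. `echo -e "${COLOR}$*${NC}"` also expands backslash sequences inside the message itself, which matters once audit functions log file contents or paths; `printf '%b%s%b\n' "$COLOR" "$*" "$NC"` renders the colour codes without interpreting the message. All four levels reach syslog at `-p user.info`; mapping `crit`/`warn` to `user.err`/`user.warning` would let syslog filtering see the severity.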
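Review bot: `GRAY='\033[0;40m'` is not a gray foreground: SGR 40 selects a black background, so `debug` output from the new `debug()` helper will print in the terminal's default foreground on black. A gray foreground is `\033[0;37m` (light gray) or `\033[1;30m` (dark gray on most terminals). `WHITE='\033[0m'` is the reset sequence, identical to `NC`, rather than white (`\033[0;37m`); if it is meant as "default colour" the comment next to it should say so.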
@@ -0,0 +1,41 @@
+LONG_SCRIPT_NAME=$(basename $0)
+SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh}
+# Variable initialization, to avoid crash
+status=""
+
+[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh
+[ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg
+[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
+[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
+
+# Source specific configuration file
+[ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] && . $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg
+
+# Environment Sanitizing
+export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
+
+info "Working on $SCRIPT_NAME"
+
+if [ -z $status ]; then
+ crit "Could not find status variable for $SCRIPT_NAME, considered as disabled"
+ exit 0
+fi
+
+case $status in
+ enabled | true )
+ info "Performing audit"
+ audit # Perform audit
+ info "Applying Hardening"
+ apply # Perform hardening
+ ;;
+ audit )
+ info "Performing audit"
+ audit # Perform audit
+ ;;
+ disabled | false )
+ info "$SCRIPT_NAME is disabled, ignoring"
+ ;;
+ *)
+ warn "Wrong value for status : $status. Must be [ enabled | true | audit | disabled | false ]"
+ ;;
+esac
diff --git a/src/skel b/src/skel
new file mode 100644
index 0000000..eb6a710
--- /dev/null
+++ b/src/skel
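Review bot: The `export PATH='…'` under "Environment Sanitizing" runs after `$(basename $0)` on the first line and after the four library/config files have been sourced, so `basename` and anything those files execute at source time are resolved through the caller's PATH rather than the sanitized one; move the export to the first line of this file, ahead of `basename`. The missing-`status` branch logs through `crit` (a "[ KO ]" line) and then `exit 0`, which reads as a failure in the log but as success to the caller; if an absent `status` really means disabled, `info` or `warn` fits the message, and if it is an error the exit code should be non-zero. The quoting of `$status` and the `*)` arm's exit status are covered in the note on the 1.1 hunk of patch 1.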
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# Hardening script skeleton replace this line with proper point treated
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ :
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ :
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/src/skel.sh b/src/skel.sh
deleted file mode 100644
index d1802aa..0000000
--- a/src/skel.sh
+++ /dev/null
@@ -1,74 +0,0 @@ -#!/bin/bash - -# -# CIS Debian 7 Hardening -# - -# -# Hardening script skeleton replace this line with proper point treated -# - -set -e # One error, it's over -set -u # One variable unset, it's over - -# This function will be called if the script status is on enabled / audit mode -audit () { - : -} - -# This function will be called if the script status is on enabled mode -apply () { - : -} - -# Environment Sanitizing -export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' - -# Source Root Dir Parameter - -if [ ! -r /etc/default/cis-hardenning ]; then - echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" - exit 128 -else - . /etc/default/cis-hardenning - if [ -z $CIS_ROOT_DIR ]; then - echo "No CIS_ROOT_DIR variable, aborting" - fi -fi - -LONG_SCRIPT_NAME=$(basename $0) -SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh} -# Variable initialization, to avoid crash -status="" -params="" - -[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh -[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh -[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh -[ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg -# Source general configuration file and Specific configuration file if exist - -[ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] && . $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg - -logger "Working on $SCRIPT_NAME" - -if [ -z $status ]; then - logger "Could not find status variable for $SCRIPT_NAME, considered as disabled" - exit 0 -fi - -case $status in - enabled | true ) - audit $params # Perform audit - apply $params # Perform hardening - ;; - audit ) - audit $params # Perform audit - ;; - disabled | false ) - logger "$SCRIPT_NAME is disabled, ignoring" - ;; - *) - logger "Wrong value for status : $status. Must be [ enabled | true | audit | disabled | false ]" - ;; -esac