diff --git a/README.md b/README.md index 3aeed0c..e14d49e 100644 --- a/README.md +++ b/README.md @@ -85,6 +85,10 @@ specific root read-only files. You need to provide a sudoers file in /etc/sudoer with NOPASWD option, since checks are executed with ``sudo -n`` option, that will not prompt for a password. +``--batch``: While performing system audit, this option sets LOGLEVEL to 'ok' and +captures all output to print only one line once the check is done, formatted like : +OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}] + ## Hacking **Getting the source** diff --git a/bin/hardening.sh b/bin/hardening.sh index d7e22f9..da0283e 100755 --- a/bin/hardening.sh +++ b/bin/hardening.sh @@ -23,6 +23,7 @@ AUDIT_ALL_ENABLE_PASSED=0 ALLOW_SERVICE_LIST=0 SET_HARDENING_LEVEL=0 SUDO_MODE='' +BATCH_MODE='' usage() { cat << EOF @@ -91,6 +92,11 @@ OPTIONS: the '-n' option instructs sudo not to prompt for a password. Finally note that '--sudo' mode only works for audit mode. + --batch + While performing system audit, this option sets LOGLEVEL to 'ok' and + captures all output to print only one line once the check is done, formatted like : + OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}] + EOF exit 0 } @@ -135,6 +141,10 @@ while [[ $# > 0 ]]; do --sudo) SUDO_MODE='--sudo' ;; + --batch) + BATCH_MODE='--batch' + LOGLEVEL=ok + ;; -h|--help) usage ;; @@ -160,6 +170,8 @@ fi [ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh [ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh +if [ $BATCH_MODE ]; then MACHINE_LOG_LEVEL=3; fi + # If --allow-service-list is specified, don't run anything, just list the supported services if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then declare -a HARDENING_EXCEPTIONS_LIST 
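Review bot: `if [ $BATCH_MODE ]; then MACHINE_LOG_LEVEL=3; fi` tests an unquoted expansion and assigns a bare number; it only works because BATCH_MODE is either empty or the literal `--batch`, and nothing on the line says what level 3 stands for. I would write it as `[[ -n "$BATCH_MODE" ]] && MACHINE_LOG_LEVEL=3  # numeric level matching LOGLEVEL=ok, see lib/common.sh` — the ok/3 mapping presumably lives in lib/common.sh, which is sourced just above but is not part of this diff, so confirm the two agree. The same `[ $BATCH_MODE ]` test recurs in the summary hunk at the end of the file and should change with it.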
@@ -206,16 +218,16 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
 fi
 info "Treating $SCRIPT"
-
+
 if [ $AUDIT = 1 ]; then
-debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE"
-$SCRIPT --audit $SUDO_MODE
+debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
+$SCRIPT --audit $SUDO_MODE $BATCH_MODE
 elif [ $AUDIT_ALL = 1 ]; then
-debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE"
-$SCRIPT --audit-all $SUDO_MODE
+debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
+$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE
 elif [ $AUDIT_ALL_ENABLE_PASSED = 1 ]; then
-debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE"
-$SCRIPT --audit-all $SUDO_MODE
+debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE" $BATCH_MODE
+$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE
 elif [ $APPLY = 1 ]; then
 debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT"
 $SCRIPT
@@ -233,7 +245,7 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
 sed -i -re 's/^status=.+/status=enabled/' $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg
 info "Status set to enabled in $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg"
 fi
- ;;
+ ;;
 1)
 debug "$SCRIPT failed"
 FAILED_CHECKS=$((FAILED_CHECKS+1))
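Review bot: In the `AUDIT_ALL_ENABLE_PASSED` branch the closing quote of the added debug line comes before `$BATCH_MODE`: `debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE" $BATCH_MODE`, so `--batch` reaches debug as a separate second argument instead of being part of the message, unlike the two branches above it. Whether it is still printed depends on how debug joins its arguments (lib/common.sh is not in this diff); the command run on the next line is correct, so only the trace is affected. Make it `debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"`. The `for SCRIPT` loop enclosing this hunk starts before it.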
@@ -245,19 +257,32 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
 esac
 TOTAL_CHECKS=$((TOTAL_CHECKS+1))
-
+
 done
 TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS-DISABLED_CHECKS))
-printf "%40s\n" "################### SUMMARY ###################"
-printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"
-printf "%30s %s\n" "Total Runned Checks :" "$TOTAL_TREATED_CHECKS"
-printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
-printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
-printf "%30s %.2f %%\n" "Enabled Checks Percentage :" "$( echo "($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100" | bc -l)"
-if [ $TOTAL_TREATED_CHECKS != 0 ]; then
- printf "%30s %.2f %%\n" "Conformity Percentage :" "$( echo "($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100" | bc -l)"
+if [ $BATCH_MODE ]; then
+ BATCH_SUMMARY="AUDIT_SUMMARY "
+ BATCH_SUMMARY+="PASSED_CHECKS:${PASSED_CHECKS:-0} "
+ BATCH_SUMMARY+="RUN_CHECKS:${TOTAL_TREATED_CHECKS:-0} "
+ BATCH_SUMMARY+="TOTAL_CHECKS_AVAIL:${TOTAL_CHECKS:-0}"
+ if [ $TOTAL_TREATED_CHECKS != 0 ]; then
+ BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:$(printf "%.2f" $( echo "($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100" | bc -l))"
+ else
+ BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0
+ fi
+ echo $BATCH_SUMMARY
 else
- printf "%30s %s %%\n" "Conformity Percentage :" "N.A" # No check runned, avoid division by 0
+ printf "%40s\n" "################### SUMMARY ###################"
+ printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"
+ printf "%30s %s\n" "Total Runned Checks :" "$TOTAL_TREATED_CHECKS"
+ printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
+ printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
+ printf "%30s %.2f %%\n" "Enabled Checks Percentage :" "$( echo "($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100" | bc -l)"
+ if [ $TOTAL_TREATED_CHECKS != 0 ]; then
+ printf "%30s %.2f %%\n" "Conformity Percentage :" "$( echo "($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100" | bc -l)"
+ else
+ printf "%30s %s %%\n" "Conformity Percentage :" "N.A" # No check runned, avoid division by 0
+ fi
 fi
diff --git a/bin/hardening/1.1_install_updates.sh b/bin/hardening/1.1_install_updates.sh
index f73494f..a444778 100755
--- a/bin/hardening/1.1_install_updates.sh
+++ b/bin/hardening/1.1_install_updates.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="Install updates, patches and additional secutiry software."
 # This function will be called if the script status is on enabled / audit mode
 audit () {
diff --git a/bin/hardening/10.1.1_set_password_exp_days.sh b/bin/hardening/10.1.1_set_password_exp_days.sh
index 9a2926f..c78dbaf 100755
--- a/bin/hardening/10.1.1_set_password_exp_days.sh
+++ b/bin/hardening/10.1.1_set_password_exp_days.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="Set password expiration days."
 PACKAGE='login'
 OPTIONS='PASS_MAX_DAYS=90'
diff --git a/bin/hardening/10.1.2_set_password_min_days_change.sh b/bin/hardening/10.1.2_set_password_min_days_change.sh
index 1e8db4c..cc9dfa7 100755
--- a/bin/hardening/10.1.2_set_password_min_days_change.sh
+++ b/bin/hardening/10.1.2_set_password_min_days_change.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="Set password change minimum number of days."
 PACKAGE='login'
 OPTIONS='PASS_MIN_DAYS=7'
diff --git a/bin/hardening/10.1.3_set_password_exp_warning_days.sh b/bin/hardening/10.1.3_set_password_exp_warning_days.sh
index 72ea126..dcbaf0a 100755
--- a/bin/hardening/10.1.3_set_password_exp_warning_days.sh
+++ b/bin/hardening/10.1.3_set_password_exp_warning_days.sh
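Review bot: The batch summary is meant to be machine-parsed, yet `echo $BATCH_SUMMARY` is unquoted and the percentage goes through the locale-dependent bash `printf "%.2f"`, so on a host with a comma-decimal locale the line can come out with a comma (for example `CONFORMITY_PERCENTAGE:83,33`, a constructed value) or with a printf "invalid number" warning on stderr. Pin both: `BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:$(LC_ALL=C printf "%.2f" "$( echo "($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100" | bc -l)")"` and `printf '%s\n' "$BATCH_SUMMARY"`. The `if [ $BATCH_MODE ]` branch is also taken whatever the run mode, so a run in apply mode with `--batch` still ends with an `AUDIT_SUMMARY` line even though the loop above only forwards `--batch` in the audit modes; if `--batch` is audit-only as the usage text says, reject the combination when options are parsed. The `for SCRIPT` loop closed by `done` in this hunk starts before it.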
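Review bot: The new DESCRIPTION string in 1.1_install_updates.sh misspells security: `DESCRIPTION="Install updates, patches and additional secutiry software."` should read `DESCRIPTION="Install updates, patches and additional security software."`. The same one-line hunk is repeated across the other scripts in this diff and three more strings need the same treatment: 12.5_etc_shadow_ownership.sh (`on etc/shadow`, missing the leading slash), 13.2_remove_legacy_passwd_entries.sh (`/etc/password file`, the file is /etc/passwd) and 2.23_disable_squashfs.sh (`filesytems`). Nothing in this diff reads DESCRIPTION, so presumably the runner or a later change consumes it; if that consumer prints it in the `--batch` line, the typos end up in machine output.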
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="Set password expiration warning days."
 PACKAGE='login'
 OPTIONS='PASS_WARN_AGE=7'
diff --git a/bin/hardening/10.2_disable_system_accounts.sh b/bin/hardening/10.2_disable_system_accounts.sh
index 2bdcc24..3999c39 100755
--- a/bin/hardening/10.2_disable_system_accounts.sh
+++ b/bin/hardening/10.2_disable_system_accounts.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="Disable system accounts, preventing them from interactive login."
 SHELL='/bin/false'
 FILE='/etc/passwd'
diff --git a/bin/hardening/10.3_default_root_group.sh b/bin/hardening/10.3_default_root_group.sh
index 0ae19d6..cd23287 100755
--- a/bin/hardening/10.3_default_root_group.sh
+++ b/bin/hardening/10.3_default_root_group.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Set default group for root account to 0."
 USER='root'
 EXPECTED_GID='0'
diff --git a/bin/hardening/10.4_default_umask.sh b/bin/hardening/10.4_default_umask.sh
index 0d8a32a..a0f9c1f 100755
--- a/bin/hardening/10.4_default_umask.sh
+++ b/bin/hardening/10.4_default_umask.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="Set default mask for users to 077."
 USER='root'
 PATTERN='umask 077'
diff --git a/bin/hardening/10.5_lock_inactive_user_account.sh b/bin/hardening/10.5_lock_inactive_user_account.sh
index 54c6329..928afb4 100755
--- a/bin/hardening/10.5_lock_inactive_user_account.sh
+++ b/bin/hardening/10.5_lock_inactive_user_account.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="Lock inactive user accounts."
 # This function will be called if the script status is on enabled / audit mode
 audit () {
diff --git a/bin/hardening/11.1_warning_banners.sh b/bin/hardening/11.1_warning_banners.sh
index ad4e390..082d7c8 100755
--- a/bin/hardening/11.1_warning_banners.sh
+++ b/bin/hardening/11.1_warning_banners.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="Checking root ownership and 644 permissions on banner files : /etc/motd|issue|issue.net ."
 PERMISSIONS='644'
 USER='root'
diff --git a/bin/hardening/11.2_remove_os_info_warning_banners.sh b/bin/hardening/11.2_remove_os_info_warning_banners.sh
index c362a61..1545438 100755
--- a/bin/hardening/11.2_remove_os_info_warning_banners.sh
+++ b/bin/hardening/11.2_remove_os_info_warning_banners.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="Remove OS information from Login Warning Banners."
 FILES='/etc/motd /etc/issue /etc/issue.net'
 PATTERN='(\\v|\\r|\\m|\\s)'
diff --git a/bin/hardening/11.3_graphical_warning_banners.sh b/bin/hardening/11.3_graphical_warning_banners.sh
index 599363b..bfb5e01 100755
--- a/bin/hardening/11.3_graphical_warning_banners.sh
+++ b/bin/hardening/11.3_graphical_warning_banners.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="Set graphical warning banner."
 # This function will be called if the script status is on enabled / audit mode
 audit () {
diff --git a/bin/hardening/12.10_find_suid_files.sh b/bin/hardening/12.10_find_suid_files.sh
index a361ca8..6968968 100755
--- a/bin/hardening/12.10_find_suid_files.sh
+++ b/bin/hardening/12.10_find_suid_files.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Find SUID system executables."
 # This function will be called if the script status is on enabled / audit mode
 audit () {
diff --git a/bin/hardening/12.11_find_sgid_files.sh b/bin/hardening/12.11_find_sgid_files.sh
index 9cc815c..fa6a02e 100755
--- a/bin/hardening/12.11_find_sgid_files.sh
+++ b/bin/hardening/12.11_find_sgid_files.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Find SGID system executables."
 # This function will be called if the script status is on enabled / audit mode
 audit () {
diff --git a/bin/hardening/12.1_etc_passwd_permissions.sh b/bin/hardening/12.1_etc_passwd_permissions.sh
index e4b7601..a286b9b 100755
--- a/bin/hardening/12.1_etc_passwd_permissions.sh
+++ b/bin/hardening/12.1_etc_passwd_permissions.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=1
+DESCRIPTION="Check permissions on /etc/passwd to 644."
 FILE='/etc/passwd'
 PERMISSIONS='644'
diff --git a/bin/hardening/12.2_etc_shadow_permissions.sh b/bin/hardening/12.2_etc_shadow_permissions.sh
index 7fa454b..4bb4693 100755
--- a/bin/hardening/12.2_etc_shadow_permissions.sh
+++ b/bin/hardening/12.2_etc_shadow_permissions.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=1
+DESCRIPTION="Check permissions on /etc/shadow to 640."
 FILE='/etc/shadow'
 PERMISSIONS='640'
diff --git a/bin/hardening/12.3_etc_group_permissions.sh b/bin/hardening/12.3_etc_group_permissions.sh
index 0853bb9..c1fb2a5 100755
--- a/bin/hardening/12.3_etc_group_permissions.sh
+++ b/bin/hardening/12.3_etc_group_permissions.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=1
+DESCRIPTION="Check permissions on /etc/group to 644."
 FILE='/etc/group'
 PERMISSIONS='644'
diff --git a/bin/hardening/12.4_etc_passwd_ownership.sh b/bin/hardening/12.4_etc_passwd_ownership.sh
index 953a188..f163c1a 100755
--- a/bin/hardening/12.4_etc_passwd_ownership.sh
+++ b/bin/hardening/12.4_etc_passwd_ownership.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=1
+DESCRIPTION="Check user/group to root on /etc/passwd."
 FILE='/etc/passwd'
 USER='root'
diff --git a/bin/hardening/12.5_etc_shadow_ownership.sh b/bin/hardening/12.5_etc_shadow_ownership.sh
index dd48293..41d2557 100755
--- a/bin/hardening/12.5_etc_shadow_ownership.sh
+++ b/bin/hardening/12.5_etc_shadow_ownership.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=1
+DESCRIPTION="Check user/group to root on etc/shadow."
 FILE='/etc/shadow'
 USER='root'
diff --git a/bin/hardening/12.6_etc_group_ownership.sh b/bin/hardening/12.6_etc_group_ownership.sh
index dd30070..a50fc84 100755
--- a/bin/hardening/12.6_etc_group_ownership.sh
+++ b/bin/hardening/12.6_etc_group_ownership.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=1
+DESCRIPTION="Check user/group to root on /etc/group."
 FILE='/etc/group'
 USER='root'
diff --git a/bin/hardening/12.7_find_world_writable_file.sh b/bin/hardening/12.7_find_world_writable_file.sh
index 6e24538..8819baf 100755
--- a/bin/hardening/12.7_find_world_writable_file.sh
+++ b/bin/hardening/12.7_find_world_writable_file.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="Find world writable files."
 # This function will be called if the script status is on enabled / audit mode
 audit () {
diff --git a/bin/hardening/12.8_find_unowned_files.sh b/bin/hardening/12.8_find_unowned_files.sh
index 8079917..75397a5 100755
--- a/bin/hardening/12.8_find_unowned_files.sh
+++ b/bin/hardening/12.8_find_unowned_files.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Find un-owned files and directories."
 USER='root'
diff --git a/bin/hardening/12.9_find_ungrouped_files.sh b/bin/hardening/12.9_find_ungrouped_files.sh
index 57175e7..42f6406 100755
--- a/bin/hardening/12.9_find_ungrouped_files.sh
+++ b/bin/hardening/12.9_find_ungrouped_files.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Find un-grouped files and directories."
 GROUP='root'
diff --git a/bin/hardening/13.10_find_user_rhosts_files.sh b/bin/hardening/13.10_find_user_rhosts_files.sh
index 5cb905a..8392d41 100755
--- a/bin/hardening/13.10_find_user_rhosts_files.sh
+++ b/bin/hardening/13.10_find_user_rhosts_files.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="No user's .rhosts file."
 ERRORS=0
 FILENAME=".rhosts"
diff --git a/bin/hardening/13.11_find_passwd_group_inconsistencies.sh b/bin/hardening/13.11_find_passwd_group_inconsistencies.sh
index 4c23b5d..cfffdce 100755
--- a/bin/hardening/13.11_find_passwd_group_inconsistencies.sh
+++ b/bin/hardening/13.11_find_passwd_group_inconsistencies.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="There is no group in /etc/passwd that is not in /etc/group."
 ERRORS=0
diff --git a/bin/hardening/13.12_users_valid_homedir.sh b/bin/hardening/13.12_users_valid_homedir.sh
index 4a1ab61..0a065dc 100755
--- a/bin/hardening/13.12_users_valid_homedir.sh
+++ b/bin/hardening/13.12_users_valid_homedir.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Users are assigned valid home directories."
 ERRORS=0
diff --git a/bin/hardening/13.13_check_user_homedir_ownership.sh b/bin/hardening/13.13_check_user_homedir_ownership.sh
index a716d87..33b6ef9 100755
--- a/bin/hardening/13.13_check_user_homedir_ownership.sh
+++ b/bin/hardening/13.13_check_user_homedir_ownership.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Check user home directory ownership."
 ERRORS=0
diff --git a/bin/hardening/13.14_check_duplicate_uid.sh b/bin/hardening/13.14_check_duplicate_uid.sh
index 58f88c1..59d4db6 100755
--- a/bin/hardening/13.14_check_duplicate_uid.sh
+++ b/bin/hardening/13.14_check_duplicate_uid.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="There is no duplicate UIDs."
 ERRORS=0
diff --git a/bin/hardening/13.15_check_duplicate_gid.sh b/bin/hardening/13.15_check_duplicate_gid.sh
index 335f662..cfbe04c 100755
--- a/bin/hardening/13.15_check_duplicate_gid.sh
+++ b/bin/hardening/13.15_check_duplicate_gid.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="There is no duplicate GIDs."
 ERRORS=0
diff --git a/bin/hardening/13.16_check_duplicate_username.sh b/bin/hardening/13.16_check_duplicate_username.sh
index fd618e8..520dc4a 100755
--- a/bin/hardening/13.16_check_duplicate_username.sh
+++ b/bin/hardening/13.16_check_duplicate_username.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=1
+DESCRIPTION="There is no duplicate usernames."
 ERRORS=0
diff --git a/bin/hardening/13.17_check_duplicate_groupname.sh b/bin/hardening/13.17_check_duplicate_groupname.sh
index f3db785..433fbde 100755
--- a/bin/hardening/13.17_check_duplicate_groupname.sh
+++ b/bin/hardening/13.17_check_duplicate_groupname.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=1
+DESCRIPTION="There is no duplicate group names."
 ERRORS=0
diff --git a/bin/hardening/13.18_find_user_netrc_files.sh b/bin/hardening/13.18_find_user_netrc_files.sh
index 695713d..b84c9d2 100755
--- a/bin/hardening/13.18_find_user_netrc_files.sh
+++ b/bin/hardening/13.18_find_user_netrc_files.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="There is no user .netrc files."
 ERRORS=0
 FILENAME='.netrc'
diff --git a/bin/hardening/13.19_find_user_forward_files.sh b/bin/hardening/13.19_find_user_forward_files.sh
index 46fb5e1..701ec1f 100755
--- a/bin/hardening/13.19_find_user_forward_files.sh
+++ b/bin/hardening/13.19_find_user_forward_files.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="There is no user .forward files."
 ERRORS=0
 FILENAME='.forward'
diff --git a/bin/hardening/13.1_remove_empty_password_field.sh b/bin/hardening/13.1_remove_empty_password_field.sh
index f86c395..56d4caa 100755
--- a/bin/hardening/13.1_remove_empty_password_field.sh
+++ b/bin/hardening/13.1_remove_empty_password_field.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=1
+DESCRIPTION="Ensure password fields are not empty in /etc/shadow."
 FILE='/etc/shadow'
diff --git a/bin/hardening/13.20_shadow_group_empty.sh b/bin/hardening/13.20_shadow_group_empty.sh
index 9ab097b..4019ed7 100755
--- a/bin/hardening/13.20_shadow_group_empty.sh
+++ b/bin/hardening/13.20_shadow_group_empty.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=1
+DESCRIPTION="There is no user in shadow group (that can read /etc/shadow file)."
 ERRORS=0
 FILEGROUP='/etc/group'
diff --git a/bin/hardening/13.2_remove_legacy_passwd_entries.sh b/bin/hardening/13.2_remove_legacy_passwd_entries.sh
index ea24350..23d3291 100755
--- a/bin/hardening/13.2_remove_legacy_passwd_entries.sh
+++ b/bin/hardening/13.2_remove_legacy_passwd_entries.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=1
+DESCRIPTION="Verify no legacy + entries exist in /etc/password file."
 FILE='/etc/passwd'
 RESULT=''
diff --git a/bin/hardening/13.3_remove_legacy_shadow_entries.sh b/bin/hardening/13.3_remove_legacy_shadow_entries.sh
index f4d4b6f..b38c08a 100755
--- a/bin/hardening/13.3_remove_legacy_shadow_entries.sh
+++ b/bin/hardening/13.3_remove_legacy_shadow_entries.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=1
+DESCRIPTION="Verify no legacy + entries exist in /etc/shadow file."
 FILE='/etc/shadow'
 RESULT=''
diff --git a/bin/hardening/13.4_remove_legacy_group_entries.sh b/bin/hardening/13.4_remove_legacy_group_entries.sh
index 7796eec..ca9fc65 100755
--- a/bin/hardening/13.4_remove_legacy_group_entries.sh
+++ b/bin/hardening/13.4_remove_legacy_group_entries.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=1
+DESCRIPTION="Verify no legacy + entries exist in /etc/group file."
 FILE='/etc/group'
 RESULT=''
diff --git a/bin/hardening/13.5_find_0_uid_non_root_account.sh b/bin/hardening/13.5_find_0_uid_non_root_account.sh
index 9a4a93d..89c7093 100755
--- a/bin/hardening/13.5_find_0_uid_non_root_account.sh
+++ b/bin/hardening/13.5_find_0_uid_non_root_account.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Verify root is the only UID 0 account."
 FILE='/etc/passwd'
 RESULT=''
diff --git a/bin/hardening/13.6_sanitize_root_path.sh b/bin/hardening/13.6_sanitize_root_path.sh
index 9ba92a8..f68b85e 100755
--- a/bin/hardening/13.6_sanitize_root_path.sh
+++ b/bin/hardening/13.6_sanitize_root_path.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Ensure root path integrity."
 ERRORS=0
diff --git a/bin/hardening/13.7_check_user_dir_perm.sh b/bin/hardening/13.7_check_user_dir_perm.sh
index d8b8a01..6641959 100755
--- a/bin/hardening/13.7_check_user_dir_perm.sh
+++ b/bin/hardening/13.7_check_user_dir_perm.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Check permissions on user home directories."
 ERRORS=0
diff --git a/bin/hardening/13.8_check_user_dot_file_perm.sh b/bin/hardening/13.8_check_user_dot_file_perm.sh
index bd0e711..2e18678 100755
--- a/bin/hardening/13.8_check_user_dot_file_perm.sh
+++ b/bin/hardening/13.8_check_user_dot_file_perm.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Check user dot file permissions."
 ERRORS=0
diff --git a/bin/hardening/13.9_set_perm_on_user_netrc.sh b/bin/hardening/13.9_set_perm_on_user_netrc.sh
index f3bc1f6..cd7bc00 100755
--- a/bin/hardening/13.9_set_perm_on_user_netrc.sh
+++ b/bin/hardening/13.9_set_perm_on_user_netrc.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Check user permissions on .netrc file."
 PERMISSIONS="600"
 ERRORS=0
diff --git a/bin/hardening/2.10_home_nodev.sh b/bin/hardening/2.10_home_nodev.sh
index 5ba1ee2..780ad58 100755
--- a/bin/hardening/2.10_home_nodev.sh
+++ b/bin/hardening/2.10_home_nodev.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="/home partition with nodev option."
 # Quick factoring as many script use the same logic
 PARTITION="/home"
diff --git a/bin/hardening/2.11_removable_device_nodev.sh b/bin/hardening/2.11_removable_device_nodev.sh
index 83dfcbb..5533c8c 100755
--- a/bin/hardening/2.11_removable_device_nodev.sh
+++ b/bin/hardening/2.11_removable_device_nodev.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="nodev option for removable media partitions."
 # Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
diff --git a/bin/hardening/2.12_removable_device_noexec.sh b/bin/hardening/2.12_removable_device_noexec.sh
index 2fe2b5b..37b889d 100755
--- a/bin/hardening/2.12_removable_device_noexec.sh
+++ b/bin/hardening/2.12_removable_device_noexec.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="noexec option for removable media partitions."
 # Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
diff --git a/bin/hardening/2.13_removable_device_nosuid.sh b/bin/hardening/2.13_removable_device_nosuid.sh
index 0cb4947..2e0b872 100755
--- a/bin/hardening/2.13_removable_device_nosuid.sh
+++ b/bin/hardening/2.13_removable_device_nosuid.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="nosuid option for removable media partitions."
 # Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
diff --git a/bin/hardening/2.14_run_shm_nodev.sh b/bin/hardening/2.14_run_shm_nodev.sh
index 5f93d2d..2880627 100755
--- a/bin/hardening/2.14_run_shm_nodev.sh
+++ b/bin/hardening/2.14_run_shm_nodev.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="/run/shm with nodev option."
 # Quick factoring as many script use the same logic
 PARTITION="/run/shm"
diff --git a/bin/hardening/2.15_run_shm_nosuid.sh b/bin/hardening/2.15_run_shm_nosuid.sh
index 046eae2..fc755db 100755
--- a/bin/hardening/2.15_run_shm_nosuid.sh
+++ b/bin/hardening/2.15_run_shm_nosuid.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="/run/shm with nosuid option."
 # Quick factoring as many script use the same logic
 PARTITION="/run/shm"
diff --git a/bin/hardening/2.16_run_shm_noexec.sh b/bin/hardening/2.16_run_shm_noexec.sh
index ee2ea30..9b0c0f0 100755
--- a/bin/hardening/2.16_run_shm_noexec.sh
+++ b/bin/hardening/2.16_run_shm_noexec.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="/run/shm with noexec option."
 # Quick factoring as many script use the same logic
 PARTITION="/run/shm"
diff --git a/bin/hardening/2.17_sticky_bit_world_writable_folder.sh b/bin/hardening/2.17_sticky_bit_world_writable_folder.sh
index 68ee59d..dbf6524 100755
--- a/bin/hardening/2.17_sticky_bit_world_writable_folder.sh
+++ b/bin/hardening/2.17_sticky_bit_world_writable_folder.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them."
 # This function will be called if the script status is on enabled / audit mode
 audit () {
diff --git a/bin/hardening/2.18_disable_cramfs.sh b/bin/hardening/2.18_disable_cramfs.sh
index 2fc2ce4..498e565 100755
--- a/bin/hardening/2.18_disable_cramfs.sh
+++ b/bin/hardening/2.18_disable_cramfs.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Disable mounting of cramfs filesystems."
 KERNEL_OPTION="CONFIG_CRAMFS"
 MODULE_NAME="cramfs"
diff --git a/bin/hardening/2.19_disable_freevxfs.sh b/bin/hardening/2.19_disable_freevxfs.sh
index 9e4961c..8e21b2f 100755
--- a/bin/hardening/2.19_disable_freevxfs.sh
+++ b/bin/hardening/2.19_disable_freevxfs.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Disable mounting of freevxfs filesystems."
 KERNEL_OPTION="CONFIG_VXFS_FS"
 MODULE_NAME="freevxfs"
diff --git a/bin/hardening/2.1_tmp_partition.sh b/bin/hardening/2.1_tmp_partition.sh
index b020f5e..ff2ee88 100755
--- a/bin/hardening/2.1_tmp_partition.sh
+++ b/bin/hardening/2.1_tmp_partition.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="/tmp on a separate partition."
 # Quick factoring as many script use the same logic
 PARTITION="/tmp"
diff --git a/bin/hardening/2.20_disable_jffs2.sh b/bin/hardening/2.20_disable_jffs2.sh
index c0ee9b1..1080b0f 100755
--- a/bin/hardening/2.20_disable_jffs2.sh
+++ b/bin/hardening/2.20_disable_jffs2.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Disable mounting of jffs2 filesystems."
 KERNEL_OPTION="CONFIG_JFFS2_FS"
 MODULE_NAME="jffs2"
diff --git a/bin/hardening/2.21_disable_hfs.sh b/bin/hardening/2.21_disable_hfs.sh
index 7de876f..f468eb7 100755
--- a/bin/hardening/2.21_disable_hfs.sh
+++ b/bin/hardening/2.21_disable_hfs.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Disable mounting of hfs filesystems."
 KERNEL_OPTION="CONFIG_HFS_FS"
 MODULE_FILE="hfs"
diff --git a/bin/hardening/2.22_disable_hfsplus.sh b/bin/hardening/2.22_disable_hfsplus.sh
index 5b4cb32..3cc5ff4 100755
--- a/bin/hardening/2.22_disable_hfsplus.sh
+++ b/bin/hardening/2.22_disable_hfsplus.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Disable mounting of hfsplus filesystems."
 KERNEL_OPTION="CONFIG_HFSPLUS_FS"
 MODULE_FILE="hfsplus"
diff --git a/bin/hardening/2.23_disable_squashfs.sh b/bin/hardening/2.23_disable_squashfs.sh
index 1727f8d..af9e660 100755
--- a/bin/hardening/2.23_disable_squashfs.sh
+++ b/bin/hardening/2.23_disable_squashfs.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Disable mounting of squashfs filesytems."
 KERNEL_OPTION="CONFIG_SQUASHFS"
 MODULE_FILE="squashfs"
diff --git a/bin/hardening/2.24_disable_udf.sh b/bin/hardening/2.24_disable_udf.sh
index bde19b0..ccb6b12 100755
--- a/bin/hardening/2.24_disable_udf.sh
+++ b/bin/hardening/2.24_disable_udf.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Disable mounting of udf filesystems."
 KERNEL_OPTION="CONFIG_UDF_FS"
 MODULE_FILE="udf"
diff --git a/bin/hardening/2.25_disable_automounting.sh b/bin/hardening/2.25_disable_automounting.sh
index 31c28e3..385574c 100755
--- a/bin/hardening/2.25_disable_automounting.sh
+++ b/bin/hardening/2.25_disable_automounting.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Disable automounting of devices."
 SERVICE_NAME="autofs"
diff --git a/bin/hardening/2.2_tmp_nodev.sh b/bin/hardening/2.2_tmp_nodev.sh
index 1e907d4..ad5060e 100755
--- a/bin/hardening/2.2_tmp_nodev.sh
+++ b/bin/hardening/2.2_tmp_nodev.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="/tmp partition with nodev option."
 # Quick factoring as many script use the same logic
 PARTITION="/tmp"
diff --git a/bin/hardening/2.3_tmp_nosuid.sh b/bin/hardening/2.3_tmp_nosuid.sh
index f7acf9a..2a30f6a 100755
--- a/bin/hardening/2.3_tmp_nosuid.sh
+++ b/bin/hardening/2.3_tmp_nosuid.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="/tmp partition with nosuid option."
 # Quick factoring as many script use the same logic
 PARTITION="/tmp"
diff --git a/bin/hardening/2.4_tmp_noexec.sh b/bin/hardening/2.4_tmp_noexec.sh
index bb3ec2a..9b3d8f4 100755
--- a/bin/hardening/2.4_tmp_noexec.sh
+++ b/bin/hardening/2.4_tmp_noexec.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="/tmp partition with noexec option."
 # Quick factoring as many script use the same logic
 PARTITION="/tmp"
diff --git a/bin/hardening/2.5_var_partition.sh b/bin/hardening/2.5_var_partition.sh
index bae4c98..50d0c9a 100755
--- a/bin/hardening/2.5_var_partition.sh
+++ b/bin/hardening/2.5_var_partition.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="/var on a separate partition."
 # Quick factoring as many script use the same logic
 PARTITION="/var"
diff --git a/bin/hardening/2.6.1_var_tmp_partition.sh b/bin/hardening/2.6.1_var_tmp_partition.sh
index 51828ce..4acc7f3 100755
--- a/bin/hardening/2.6.1_var_tmp_partition.sh
+++ b/bin/hardening/2.6.1_var_tmp_partition.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="/var/tmp on a separate partition."
 # Quick factoring as many script use the same logic
 PARTITION="/var/tmp"
diff --git a/bin/hardening/2.6.2_var_tmp_nodev.sh b/bin/hardening/2.6.2_var_tmp_nodev.sh
index 78a4180..131b063 100755
--- a/bin/hardening/2.6.2_var_tmp_nodev.sh
+++ b/bin/hardening/2.6.2_var_tmp_nodev.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="/var/tmp partition with nodev option."
 # Quick factoring as many script use the same logic
 PARTITION="/var/tmp"
diff --git a/bin/hardening/2.6.3_var_tmp_nosuid.sh b/bin/hardening/2.6.3_var_tmp_nosuid.sh
index d4e0dd3..e1e5882 100755
--- a/bin/hardening/2.6.3_var_tmp_nosuid.sh
+++ b/bin/hardening/2.6.3_var_tmp_nosuid.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="/var/tmp partition with nosuid option."
 # Quick factoring as many script use the same logic
 PARTITION="/var/tmp"
diff --git a/bin/hardening/2.6.4_var_tmp_noexec.sh b/bin/hardening/2.6.4_var_tmp_noexec.sh
index 2a7e421..f980674 100755
--- a/bin/hardening/2.6.4_var_tmp_noexec.sh
+++ b/bin/hardening/2.6.4_var_tmp_noexec.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="/var/tmp partition with noexec option."
 # Quick factoring as many script use the same logic
 PARTITION="/var/tmp"
diff --git a/bin/hardening/2.7_var_log_partition.sh b/bin/hardening/2.7_var_log_partition.sh
index e48fef4..98c9c1f 100755
--- a/bin/hardening/2.7_var_log_partition.sh
+++ b/bin/hardening/2.7_var_log_partition.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="/var/log on separate partition."
 # Quick factoring as many script use the same logic
 PARTITION="/var/log"
diff --git a/bin/hardening/2.8_var_log_audit_partition.sh b/bin/hardening/2.8_var_log_audit_partition.sh
index e1e0132..6f5b700 100755
--- a/bin/hardening/2.8_var_log_audit_partition.sh
+++ b/bin/hardening/2.8_var_log_audit_partition.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=4
+DESCRIPTION="/var/log/audit on a separate partition."
 # Quick factoring as many script use the same logic
 PARTITION="/var/log/audit"
diff --git a/bin/hardening/2.9_home_partition.sh b/bin/hardening/2.9_home_partition.sh
index 8257a14..0201ba0 100755
--- a/bin/hardening/2.9_home_partition.sh
+++ b/bin/hardening/2.9_home_partition.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="/home on a separate partition."
 # Quick factoring as many script use the same logic
 PARTITION="/home"
diff --git a/bin/hardening/3.1_bootloader_ownership.sh b/bin/hardening/3.1_bootloader_ownership.sh
index 912b482..14f9a37 100755
--- a/bin/hardening/3.1_bootloader_ownership.sh
+++ b/bin/hardening/3.1_bootloader_ownership.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=1
+DESCRIPTION="User and group root owner of grub bootloader config."
 # Assertion : Grub Based.
diff --git a/bin/hardening/3.2_bootloader_permissions.sh b/bin/hardening/3.2_bootloader_permissions.sh
index c8eea41..8afbe1d 100755
--- a/bin/hardening/3.2_bootloader_permissions.sh
+++ b/bin/hardening/3.2_bootloader_permissions.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=1
+DESCRIPTION="Permissions for root only on grub bootloader config."
 # Assertion : Grub Based.
diff --git a/bin/hardening/3.3_bootloader_password.sh b/bin/hardening/3.3_bootloader_password.sh
index eb72bc9..084f1ae 100755
--- a/bin/hardening/3.3_bootloader_password.sh
+++ b/bin/hardening/3.3_bootloader_password.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="Setting bootloader password to secure boot parameters."
 FILE='/boot/grub/grub.cfg'
 USER_PATTERN="^set superusers"
diff --git a/bin/hardening/3.4_root_password.sh b/bin/hardening/3.4_root_password.sh
index 0aa1d38..d5a8133 100755
--- a/bin/hardening/3.4_root_password.sh
+++ b/bin/hardening/3.4_root_password.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="Root password for single user mode."
 FILE="/etc/shadow"
 PATTERN="^root:[*\!]:"
diff --git a/bin/hardening/4.1_restrict_core_dumps.sh b/bin/hardening/4.1_restrict_core_dumps.sh
index 345c6ac..df206b3 100755
--- a/bin/hardening/4.1_restrict_core_dumps.sh
+++ b/bin/hardening/4.1_restrict_core_dumps.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Restrict core dumps."
 LIMIT_FILE='/etc/security/limits.conf'
 LIMIT_DIR='/etc/security/limits.d'
diff --git a/bin/hardening/4.2_enable_nx_support.sh b/bin/hardening/4.2_enable_nx_support.sh
index f41bb4e..01bb2b0 100755
--- a/bin/hardening/4.2_enable_nx_support.sh
+++ b/bin/hardening/4.2_enable_nx_support.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Enable NoExecute/ExecuteDisable to prevent buffer overflow attacks."
 PATTERN='NX[[:space:]]\(Execute[[:space:]]Disable\)[[:space:]]protection:[[:space:]]active'
diff --git a/bin/hardening/4.3_enable_randomized_vm_placement.sh b/bin/hardening/4.3_enable_randomized_vm_placement.sh
index 1a31001..0eda3b1 100755
--- a/bin/hardening/4.3_enable_randomized_vm_placement.sh
+++ b/bin/hardening/4.3_enable_randomized_vm_placement.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Enable Randomized Virtual Memory Region Placement to prevent memory page exploits."
 SYSCTL_PARAM='kernel.randomize_va_space'
 SYSCTL_EXP_RESULT=2
diff --git a/bin/hardening/4.4_disable_prelink.sh b/bin/hardening/4.4_disable_prelink.sh
index da3017e..8fd23df 100755
--- a/bin/hardening/4.4_disable_prelink.sh
+++ b/bin/hardening/4.4_disable_prelink.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Disable prelink to prevent libraries compromission."
 PACKAGE='prelink'
diff --git a/bin/hardening/4.5_enable_apparmor.sh b/bin/hardening/4.5_enable_apparmor.sh
index 56db83e..5389f9f 100755
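Review bot: The DESCRIPTION added to 4.2_enable_nx_support.sh overstates what NX/XD does: it does not prevent buffer overflows, it marks data pages (stack, heap) non-executable so that injected shellcode cannot run, which is the mitigation the PATTERN line below actually detects in the kernel log. A more precise wording keeps operators from reading the check as a memory-safety guarantee: `DESCRIPTION="Enable NX/XD (non-executable memory pages) so injected code on the stack or heap cannot be executed."`. Only the variable declarations are in this hunk; the audit logic is outside it.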
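Review bot: In 4.3_enable_randomized_vm_placement.sh the phrase "to prevent memory page exploits" is inaccurate: ASLR (kernel.randomize_va_space=2, as SYSCTL_EXP_RESULT states) does not prevent exploitation, it makes addresses unpredictable so that return/jump targets are harder to guess. Suggest `DESCRIPTION="Enable full ASLR (randomized virtual memory placement) to make memory-corruption exploits harder by hiding addresses."`. The same pass should fix "compromission" in the 4.4 hunk on this line, e.g. `DESCRIPTION="Disable prelink so shared libraries are not modified on disk and can still be verified."`.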
--- a/bin/hardening/4.5_enable_apparmor.sh
+++ b/bin/hardening/4.5_enable_apparmor.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="Activate AppArmor to enforce permissions control."
 PACKAGE='apparmor'
diff --git a/bin/hardening/5.1.1_disable_nis.sh b/bin/hardening/5.1.1_disable_nis.sh
index a700f50..a5493a8 100755
--- a/bin/hardening/5.1.1_disable_nis.sh
+++ b/bin/hardening/5.1.1_disable_nis.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="Ensure that Network Information Service is not installed. Recommended alternative : LDAP."
 PACKAGE='nis'
diff --git a/bin/hardening/5.1.2_disable_rsh.sh b/bin/hardening/5.1.2_disable_rsh.sh
index fdcdad5..4ecce4b 100755
--- a/bin/hardening/5.1.2_disable_rsh.sh
+++ b/bin/hardening/5.1.2_disable_rsh.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Ensure rsh server is not enabled. Recommended alternative : sshd (openssh-server)."
 # Based on aptitude search '~Prsh-server'
 PACKAGES='rsh-server rsh-redone-server heimdal-servers'
diff --git a/bin/hardening/5.1.3_disable_rsh_client.sh b/bin/hardening/5.1.3_disable_rsh_client.sh
index 56f7aea..989707e 100755
--- a/bin/hardening/5.1.3_disable_rsh_client.sh
+++ b/bin/hardening/5.1.3_disable_rsh_client.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Ensure rsh client is not installed, Recommended alternative : ssh."
 # Based on aptitude search '~Prsh-client', exluding ssh-client OFC
 PACKAGES='rsh-client rsh-redone-client heimdal-clients'
diff --git a/bin/hardening/5.1.4_disable_talk.sh b/bin/hardening/5.1.4_disable_talk.sh
index 6486378..651fba3 100755
--- a/bin/hardening/5.1.4_disable_talk.sh
+++ b/bin/hardening/5.1.4_disable_talk.sh
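Review bot: The 5.1.3_disable_rsh_client.sh description joins two sentences with a comma and capitalises mid-sentence, unlike the neighbouring 5.1.1 and 5.1.2 strings which use a full stop before "Recommended alternative". For consistency across the batch output: `DESCRIPTION="Ensure rsh client is not installed. Recommended alternative : ssh."`. Nothing else in the hunk changes.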
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Ensure talk server is not enabled."
 PACKAGES='inetutils-talkd talkd'
 FILE='/etc/inetd.conf'
diff --git a/bin/hardening/5.1.5_disable_talk_client.sh b/bin/hardening/5.1.5_disable_talk_client.sh
index c20a6a9..fb34ea4 100755
--- a/bin/hardening/5.1.5_disable_talk_client.sh
+++ b/bin/hardening/5.1.5_disable_talk_client.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Ensure talk client is not installed."
 PACKAGES='talk inetutils-talk'
diff --git a/bin/hardening/5.1.6_disable_telnet_server.sh b/bin/hardening/5.1.6_disable_telnet_server.sh
index 421022b..dd55b5e 100755
--- a/bin/hardening/5.1.6_disable_telnet_server.sh
+++ b/bin/hardening/5.1.6_disable_telnet_server.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Ensure telnet server is not enabled. Recommended alternative : sshd (OpenSSH-server)."
 # Based on aptitude search '~Ptelnet-server'
 PACKAGES='telnetd inetutils-telnetd telnetd-ssl krb5-telnetd heimdal-servers'
diff --git a/bin/hardening/5.1.7_disable_tftp_server.sh b/bin/hardening/5.1.7_disable_tftp_server.sh
index e9f1e86..5dbbee2 100755
--- a/bin/hardening/5.1.7_disable_tftp_server.sh
+++ b/bin/hardening/5.1.7_disable_tftp_server.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Ensure tftp-server is not enabled."
 PACKAGES='tftpd tftpd-hpa atftpd'
 FILE='/etc/inetd.conf'
diff --git a/bin/hardening/5.1.8_disable_inetd.sh b/bin/hardening/5.1.8_disable_inetd.sh
index 0c36249..0374fec 100755
--- a/bin/hardening/5.1.8_disable_inetd.sh
+++ b/bin/hardening/5.1.8_disable_inetd.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="Ensure xinetd is not enabled."
 PACKAGES='openbsd-inetd xinetd rlinetd'
diff --git a/bin/hardening/5.2_disable_chargen.sh b/bin/hardening/5.2_disable_chargen.sh
index 2b715fa..d660264 100755
--- a/bin/hardening/5.2_disable_chargen.sh
+++ b/bin/hardening/5.2_disable_chargen.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Ensure chargen debugging network service is not enabled."
 FILE='/etc/inetd.conf'
 PATTERN='^chargen'
diff --git a/bin/hardening/5.3_disable_daytime.sh b/bin/hardening/5.3_disable_daytime.sh
index 933e8a0..874eba7 100755
--- a/bin/hardening/5.3_disable_daytime.sh
+++ b/bin/hardening/5.3_disable_daytime.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Ensure daytime debugging network service is not enabled."
 FILE='/etc/inetd.conf'
 PATTERN='^daytime'
diff --git a/bin/hardening/5.4_disable_echo.sh b/bin/hardening/5.4_disable_echo.sh
index 7cc3fe3..4f28a9d 100755
--- a/bin/hardening/5.4_disable_echo.sh
+++ b/bin/hardening/5.4_disable_echo.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Ensure echo debugging network service is not enabled."
 FILE='/etc/inetd.conf'
 PATTERN='^echo'
diff --git a/bin/hardening/5.5_disable_discard.sh b/bin/hardening/5.5_disable_discard.sh
index 6a7f821..34808bf 100755
--- a/bin/hardening/5.5_disable_discard.sh
+++ b/bin/hardening/5.5_disable_discard.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Ensure discard debugging network service is not enabled."
 FILE='/etc/inetd.conf'
 PATTERN='^discard'
diff --git a/bin/hardening/5.6_disable_time.sh b/bin/hardening/5.6_disable_time.sh
index fc95166..df7468e 100755
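Review bot: The DESCRIPTION added to 5.1.8_disable_inetd.sh names only xinetd, but the PACKAGES line right below it (`openbsd-inetd xinetd rlinetd`) and the script name show the check covers every inetd implementation; an operator reading the batch line would wrongly conclude openbsd-inetd is out of scope. Suggest `DESCRIPTION="Ensure no inetd/xinetd super-server is installed or enabled."`. The audit body that consumes PACKAGES lies outside the hunk.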
--- a/bin/hardening/5.6_disable_time.sh
+++ b/bin/hardening/5.6_disable_time.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Ensure time debugging network service is not enabled."
 FILE='/etc/inetd.conf'
 PATTERN='^time'
diff --git a/bin/hardening/6.10_disable_http_server.sh b/bin/hardening/6.10_disable_http_server.sh
index b9db475..be6efb0 100755
--- a/bin/hardening/6.10_disable_http_server.sh
+++ b/bin/hardening/6.10_disable_http_server.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="Ensure HTTP server is not enabled."
 HARDENING_EXCEPTION=http
 # Based on aptitude search '~Phttpd'
diff --git a/bin/hardening/6.11_disable_imap_pop.sh b/bin/hardening/6.11_disable_imap_pop.sh
index c6a6add..e817d9a 100755
--- a/bin/hardening/6.11_disable_imap_pop.sh
+++ b/bin/hardening/6.11_disable_imap_pop.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="Ensure IMAP and POP servers are not enabled."
 HARDENING_EXCEPTION=mail
 # Based on aptitude search '~Pimap-server' and aptitude search '~Ppop3-server'
diff --git a/bin/hardening/6.12_disable_samba.sh b/bin/hardening/6.12_disable_samba.sh
index 3efbf66..e760b3b 100755
--- a/bin/hardening/6.12_disable_samba.sh
+++ b/bin/hardening/6.12_disable_samba.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="Ensure Samba is not enabled."
 HARDENING_EXCEPTION=samba
 PACKAGES='samba'
diff --git a/bin/hardening/6.13_disable_http_proxy.sh b/bin/hardening/6.13_disable_http_proxy.sh
index 1747a23..e061f0e 100755
--- a/bin/hardening/6.13_disable_http_proxy.sh
+++ b/bin/hardening/6.13_disable_http_proxy.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="Ensure HTTP-proxy is not enabled."
 HARDENING_EXCEPTION=http
 PACKAGES='squid3 squid'
diff --git a/bin/hardening/6.14_disable_snmp_server.sh b/bin/hardening/6.14_disable_snmp_server.sh
index 5d89d41..064583b 100755
--- a/bin/hardening/6.14_disable_snmp_server.sh
+++ b/bin/hardening/6.14_disable_snmp_server.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="Enure SNMP server is not enabled."
 HARDENING_EXCEPTION=snmp
 PACKAGES='snmpd'
diff --git a/bin/hardening/6.15_mta_localhost.sh b/bin/hardening/6.15_mta_localhost.sh
index 1ef1d9c..3eaf397 100755
--- a/bin/hardening/6.15_mta_localhost.sh
+++ b/bin/hardening/6.15_mta_localhost.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="Configure Mail Transfert Agent for Local-Only Mode."
 HARDENING_EXCEPTION=mail
 # This function will be called if the script status is on enabled / audit mode
diff --git a/bin/hardening/6.16_disable_rsync.sh b/bin/hardening/6.16_disable_rsync.sh
index 32b77fa..b8a02cb 100755
--- a/bin/hardening/6.16_disable_rsync.sh
+++ b/bin/hardening/6.16_disable_rsync.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="Ensure rsync service is not enabled."
 HARDENING_EXCEPTION=rsync
 PACKAGE='rsync'
diff --git a/bin/hardening/6.1_disable_xwindow_system.sh b/bin/hardening/6.1_disable_xwindow_system.sh
index 421cff9..19b64e3 100755
--- a/bin/hardening/6.1_disable_xwindow_system.sh
+++ b/bin/hardening/6.1_disable_xwindow_system.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="Ensure the X Window system is not installed."
 HARDENING_EXCEPTION=x11
 # Based on aptitude search '~Pxserver'
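Review bot: The DESCRIPTION added to 6.14_disable_snmp_server.sh starts with "Enure" instead of "Ensure", which will show up verbatim in every batch report line for this check. Fix: `DESCRIPTION="Ensure SNMP server is not enabled."`. No other change in the hunk.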
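Review bot: In 6.15_mta_localhost.sh the DESCRIPTION reads "Mail Transfert Agent", a French-influenced spelling of "Transfer"; since the string is user-facing it should be `DESCRIPTION="Configure Mail Transfer Agent for local-only mode."`. The audit function whose comment appears as the last context line continues outside the hunk.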
diff --git a/bin/hardening/6.2_disable_avahi_server.sh b/bin/hardening/6.2_disable_avahi_server.sh
index cc81eea..edc33e5 100755
--- a/bin/hardening/6.2_disable_avahi_server.sh
+++ b/bin/hardening/6.2_disable_avahi_server.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="Ensure Avahi server is not enabled."
 PACKAGES='avahi-daemon libavahi-common-data libavahi-common3 libavahi-core7'
diff --git a/bin/hardening/6.3_disable_print_server.sh b/bin/hardening/6.3_disable_print_server.sh
index 9174deb..2051050 100755
--- a/bin/hardening/6.3_disable_print_server.sh
+++ b/bin/hardening/6.3_disable_print_server.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="Ensure print server (Common Unix Print System) is not enabled."
 HARDENING_EXCEPTION=cups
 PACKAGES='libcups2 libcupscgi1 libcupsimage2 libcupsmime1 libcupsppdc1 cups-common cups-client cups-ppdc libcupsfilters1 cups-filters cups'
diff --git a/bin/hardening/6.4_disable_dhcp.sh b/bin/hardening/6.4_disable_dhcp.sh
index ade7747..cbac80e 100755
--- a/bin/hardening/6.4_disable_dhcp.sh
+++ b/bin/hardening/6.4_disable_dhcp.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="Ensure DHCP server is not enabled."
 HARDENING_EXCEPTION=dhcp
 PACKAGES='udhcpd isc-dhcp-server'
diff --git a/bin/hardening/6.5_configure_ntp.sh b/bin/hardening/6.5_configure_ntp.sh
index fe022e8..9c51145 100755
--- a/bin/hardening/6.5_configure_ntp.sh
+++ b/bin/hardening/6.5_configure_ntp.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="Configure Network Time Protocol (ntp). Check restrict parameters and ntp daemon runs ad unprivileged user."
 HARDENING_EXCEPTION=ntp
 PACKAGE='ntp'
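Review bot: The DESCRIPTION in 6.5_configure_ntp.sh has a typo ("runs ad unprivileged user") and is the only string in this series that describes sub-checks, so it is worth getting right since the batch format prints subcheck results after it. Suggest `DESCRIPTION="Configure Network Time Protocol (ntp): check restrict parameters and that the ntp daemon runs as an unprivileged user."`. The sub-check logic itself is outside the hunk.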
diff --git a/bin/hardening/6.6_disable_ldap.sh b/bin/hardening/6.6_disable_ldap.sh
index 444ca5b..dc65979 100755
--- a/bin/hardening/6.6_disable_ldap.sh
+++ b/bin/hardening/6.6_disable_ldap.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="Ensure LDAP is not enabled."
 HARDENING_EXCEPTION=ldap
 PACKAGES='slapd'
diff --git a/bin/hardening/6.7_disable_nfs_rpc.sh b/bin/hardening/6.7_disable_nfs_rpc.sh
index c7ed1a6..f0a7518 100755
--- a/bin/hardening/6.7_disable_nfs_rpc.sh
+++ b/bin/hardening/6.7_disable_nfs_rpc.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="Ensure Network File System (nfs) and RPC are not enabled."
 HARDENING_EXCEPTION=nfs
 PACKAGES='rpcbind nfs-kernel-server'
diff --git a/bin/hardening/6.8_disable_dns_server.sh b/bin/hardening/6.8_disable_dns_server.sh
index 089ef98..28ab648 100755
--- a/bin/hardening/6.8_disable_dns_server.sh
+++ b/bin/hardening/6.8_disable_dns_server.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="Ensure Domain Name System (dns) server is not enabled."
 HARDENING_EXCEPTION=dns
 PACKAGES='bind9 unbound'
diff --git a/bin/hardening/6.9_disable_ftp.sh b/bin/hardening/6.9_disable_ftp.sh
index b003d54..3542d89 100755
--- a/bin/hardening/6.9_disable_ftp.sh
+++ b/bin/hardening/6.9_disable_ftp.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="Ensure File Transfer Protocol (ftp) is not enabled."
 HARDENING_EXCEPTION=ftp
 # Based on aptitude search '~Pftp-server'
diff --git a/bin/hardening/7.1.1_disable_ip_forwarding.sh b/bin/hardening/7.1.1_disable_ip_forwarding.sh
index 5b14d7b..0b43271 100755
--- a/bin/hardening/7.1.1_disable_ip_forwarding.sh
+++ b/bin/hardening/7.1.1_disable_ip_forwarding.sh
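Review bot: The DESCRIPTION added to 6.6_disable_ldap.sh says "LDAP is not enabled" while PACKAGES='slapd' shows the check targets the LDAP server only; LDAP client libraries (and the LDAP alternative recommended in the 5.1.1 description) are unaffected, and the current wording could make operators think the check contradicts that advice. Suggest `DESCRIPTION="Ensure LDAP server (slapd) is not enabled."`. The audit body is outside the hunk.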
@@ -13,6 +13,7 @@ set -u # One variable unset, it's over
 HARDENING_LEVEL=3
 HARDENING_EXCEPTION=gw
+DESCRIPTION="Disable IP forwarding."
 SYSCTL_PARAM='net.ipv4.ip_forward'
 SYSCTL_EXP_RESULT=0
diff --git a/bin/hardening/7.1.2_disable_send_packet_redirects.sh b/bin/hardening/7.1.2_disable_send_packet_redirects.sh
index b53b418..95ae522 100755
--- a/bin/hardening/7.1.2_disable_send_packet_redirects.sh
+++ b/bin/hardening/7.1.2_disable_send_packet_redirects.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Disable send packet redirects to prevent malicious ICMP corruption."
 #net.ipv4.conf.all.send_redirects = 0
 #net.ipv4.conf.default.send_redirects = 0
diff --git a/bin/hardening/7.2.1_disable_source_routed_packets.sh b/bin/hardening/7.2.1_disable_source_routed_packets.sh
index 2b6eccd..04696b7 100755
--- a/bin/hardening/7.2.1_disable_source_routed_packets.sh
+++ b/bin/hardening/7.2.1_disable_source_routed_packets.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Disable source routed packet acceptance."
 SYSCTL_PARAMS='net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.default.accept_source_route=0'
diff --git a/bin/hardening/7.2.2_disable_icmp_redirect.sh b/bin/hardening/7.2.2_disable_icmp_redirect.sh
index c6b4129..2475afe 100755
--- a/bin/hardening/7.2.2_disable_icmp_redirect.sh
+++ b/bin/hardening/7.2.2_disable_icmp_redirect.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Disable ICMP redirect acceptance to prevent routing table corruption."
 SYSCTL_PARAMS='net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0'
diff --git a/bin/hardening/7.2.3_disable_secure_icmp_redirect.sh b/bin/hardening/7.2.3_disable_secure_icmp_redirect.sh
index c3a83e3..ad4c3d7 100755
--- a/bin/hardening/7.2.3_disable_secure_icmp_redirect.sh
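Review bot: In 7.1.1_disable_ip_forwarding.sh the new DESCRIPTION line is placed after HARDENING_EXCEPTION=gw, whereas every other file in this series (for example 6.10 and 6.11 on earlier lines) inserts it directly after HARDENING_LEVEL and before HARDENING_EXCEPTION. Keeping the header layout identical across scripts makes the metadata easy to grep and edit mechanically; move the line so the block reads `HARDENING_LEVEL=3`, `DESCRIPTION="Disable IP forwarding."`, `HARDENING_EXCEPTION=gw`. Behaviour is unaffected either way.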
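Review bot: The DESCRIPTION added to 7.1.2_disable_send_packet_redirects.sh ("to prevent malicious ICMP corruption") does not describe the setting: send_redirects=0, shown in the commented sysctl lines below it, stops this host from emitting ICMP redirects, which only routers should do, so a compromised host cannot use them to steer other hosts' traffic. Suggest `DESCRIPTION="Disable sending of ICMP redirects (only routers should advertise routes to other hosts)."`. The sysctl application logic is outside the hunk.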
+++ b/bin/hardening/7.2.3_disable_secure_icmp_redirect.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Disable secure ICMP redirect acceptance to prevent routing tables corruptions."
 SYSCTL_PARAMS='net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure_redirects=0'
diff --git a/bin/hardening/7.2.4_log_martian_packets.sh b/bin/hardening/7.2.4_log_martian_packets.sh
index 6994964..80db55d 100755
--- a/bin/hardening/7.2.4_log_martian_packets.sh
+++ b/bin/hardening/7.2.4_log_martian_packets.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Log suspicious packets, like spoofed packets."
 SYSCTL_PARAMS='net.ipv4.conf.all.log_martians=1 net.ipv4.conf.default.log_martians=1'
diff --git a/bin/hardening/7.2.5_ignore_broadcast_requests.sh b/bin/hardening/7.2.5_ignore_broadcast_requests.sh
index e383bb5..61d630a 100755
--- a/bin/hardening/7.2.5_ignore_broadcast_requests.sh
+++ b/bin/hardening/7.2.5_ignore_broadcast_requests.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Ignore broadcast requests to prevent attacks such as Smurf attack."
 SYSCTL_PARAMS='net.ipv4.icmp_echo_ignore_broadcasts=1'
diff --git a/bin/hardening/7.2.6_enable_bad_error_message_protection.sh b/bin/hardening/7.2.6_enable_bad_error_message_protection.sh
index f020d88..0302bd8 100755
--- a/bin/hardening/7.2.6_enable_bad_error_message_protection.sh
+++ b/bin/hardening/7.2.6_enable_bad_error_message_protection.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Enable bad error message protection to prevent logfiles fillup."
 SYSCTL_PARAMS='net.ipv4.icmp_ignore_bogus_error_responses=1'
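Review bot: The DESCRIPTION in 7.2.3_disable_secure_icmp_redirect.sh says "Disable secure ICMP redirect acceptance", which reads as if a security feature were being turned off; secure_redirects=0 (the SYSCTL_PARAMS line below) actually means redirects are refused even when they come from a gateway already listed in the routing table. Suggest `DESCRIPTION="Refuse ICMP redirects even from known gateways (secure_redirects=0) to prevent routing table corruption."`, which also fixes the plural "tables corruptions". The sysctl handling is outside the hunk.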
diff --git a/bin/hardening/7.2.7_enable_source_route_validation.sh b/bin/hardening/7.2.7_enable_source_route_validation.sh
index fd1b062..2c2eeca 100755
--- a/bin/hardening/7.2.7_enable_source_route_validation.sh
+++ b/bin/hardening/7.2.7_enable_source_route_validation.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Enable RFC-recommended source route validation."
 SYSCTL_PARAMS='net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1'
diff --git a/bin/hardening/7.2.8_enable_tcp_syn_cookies.sh b/bin/hardening/7.2.8_enable_tcp_syn_cookies.sh
index 7d65932..f55b11e 100755
--- a/bin/hardening/7.2.8_enable_tcp_syn_cookies.sh
+++ b/bin/hardening/7.2.8_enable_tcp_syn_cookies.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Enable TCP-SYN cookie to prevent TCP-SYN flood attack."
 SYSCTL_PARAMS='net.ipv4.tcp_syncookies=1'
diff --git a/bin/hardening/7.3.1_disable_ipv6_router_advertisement.sh b/bin/hardening/7.3.1_disable_ipv6_router_advertisement.sh
index e0cba8f..43aba7d 100755
--- a/bin/hardening/7.3.1_disable_ipv6_router_advertisement.sh
+++ b/bin/hardening/7.3.1_disable_ipv6_router_advertisement.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Disable IPv6 router advertisements."
 SYSCTL_PARAMS='net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0'
diff --git a/bin/hardening/7.3.2_disable_ipv6_redirect.sh b/bin/hardening/7.3.2_disable_ipv6_redirect.sh
index 7eeff05..a759263 100755
--- a/bin/hardening/7.3.2_disable_ipv6_redirect.sh
+++ b/bin/hardening/7.3.2_disable_ipv6_redirect.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Disable IPv6 router advertisements."
 SYSCTL_PARAMS='net.ipv6.conf.all.accept_redirects=0 net.ipv6.conf.default.accept_redirects=0'
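Review bot: The DESCRIPTION in 7.2.7_enable_source_route_validation.sh ("source route validation") can be confused with the source-routing check in 7.2.1; the sysctl it enforces, rp_filter=1 on the line below, is reverse-path filtering, which drops packets whose source address is not reachable via the receiving interface. Suggest `DESCRIPTION="Enable reverse path filtering (rp_filter) to drop packets with spoofed source addresses."`. Also note the 7.3.1 description says "Disable IPv6 router advertisements" while accept_ra=0 only stops accepting them; `DESCRIPTION="Ignore IPv6 router advertisements (accept_ra=0)."` is closer to what the sysctl does.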
diff --git a/bin/hardening/7.3.3_disable_ipv6.sh b/bin/hardening/7.3.3_disable_ipv6.sh
index 74c8090..925fd39 100755
--- a/bin/hardening/7.3.3_disable_ipv6.sh
+++ b/bin/hardening/7.3.3_disable_ipv6.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Disable IPv6."
 SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1'
diff --git a/bin/hardening/7.4.1_install_tcp_wrapper.sh b/bin/hardening/7.4.1_install_tcp_wrapper.sh
index 1bf05b9..4852b06 100755
--- a/bin/hardening/7.4.1_install_tcp_wrapper.sh
+++ b/bin/hardening/7.4.1_install_tcp_wrapper.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="Install TCP wrappers for simple access list management and standardized logging method for services."
 PACKAGE='tcpd'
diff --git a/bin/hardening/7.4.2_hosts_allow.sh b/bin/hardening/7.4.2_hosts_allow.sh
index 8933004..d482913 100755
--- a/bin/hardening/7.4.2_hosts_allow.sh
+++ b/bin/hardening/7.4.2_hosts_allow.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="Create /etc/hosts.allow ."
 FILE='/etc/hosts.allow'
diff --git a/bin/hardening/7.4.3_hosts_allow_permissions.sh b/bin/hardening/7.4.3_hosts_allow_permissions.sh
index 40522be..057712e 100755
--- a/bin/hardening/7.4.3_hosts_allow_permissions.sh
+++ b/bin/hardening/7.4.3_hosts_allow_permissions.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="Check 644 permissions on /hosts.allow ."
 FILE='/etc/hosts.allow'
 PERMISSIONS='644'
diff --git a/bin/hardening/7.4.4_hosts_deny.sh b/bin/hardening/7.4.4_hosts_deny.sh
index 674d5d8..c523441 100755
--- a/bin/hardening/7.4.4_hosts_deny.sh
+++ b/bin/hardening/7.4.4_hosts_deny.sh
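Review bot: The DESCRIPTION in 7.4.3_hosts_allow_permissions.sh names the file as "/hosts.allow", but the FILE line directly under it is `/etc/hosts.allow`; a report line pointing at a non-existent path will send operators looking in the wrong place. Suggest `DESCRIPTION="Check 644 permissions on /etc/hosts.allow."`, which also drops the stray space before the full stop that the 7.4.2 and 7.4.4 strings share. Nothing else changes in the hunk.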
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="Create /etc/hosts.deny ."
 FILE='/etc/hosts.deny'
 PATTERN='ALL: ALL'
diff --git a/bin/hardening/7.4.5_hosts_deny_permissions.sh b/bin/hardening/7.4.5_hosts_deny_permissions.sh
index 3e9d09a..582151b 100755
--- a/bin/hardening/7.4.5_hosts_deny_permissions.sh
+++ b/bin/hardening/7.4.5_hosts_deny_permissions.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="Check 644 permissions on /etc/hosts.deny ."
 FILE='/etc/hosts.deny'
 PERMISSIONS='644'
diff --git a/bin/hardening/7.5.1_disable_dccp.sh b/bin/hardening/7.5.1_disable_dccp.sh
index 1df20c9..7d772f3 100755
--- a/bin/hardening/7.5.1_disable_dccp.sh
+++ b/bin/hardening/7.5.1_disable_dccp.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Disable Datagram Congestion Control Protocol (DCCP)."
 # This function will be called if the script status is on enabled / audit mode
 audit () {
diff --git a/bin/hardening/7.5.2_disable_sctp.sh b/bin/hardening/7.5.2_disable_sctp.sh
index b0c6785..8be6403 100755
--- a/bin/hardening/7.5.2_disable_sctp.sh
+++ b/bin/hardening/7.5.2_disable_sctp.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Disable Stream Control Transmission Protocol (SCTP)."
 # This function will be called if the script status is on enabled / audit mode
 audit () {
diff --git a/bin/hardening/7.5.3_disable_rds.sh b/bin/hardening/7.5.3_disable_rds.sh
index e567c75..00770cd 100755
--- a/bin/hardening/7.5.3_disable_rds.sh
+++ b/bin/hardening/7.5.3_disable_rds.sh
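Review bot: The DESCRIPTION in 7.4.4_hosts_deny.sh says only "Create /etc/hosts.deny", but the PATTERN line below it (`ALL: ALL`) shows the check requires a default-deny entry, which is the security-relevant part: an empty hosts.deny satisfies "create" while allowing everything. Suggest `DESCRIPTION="Ensure /etc/hosts.deny exists and denies all hosts by default (ALL: ALL)."`. The audit body is outside the hunk.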
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Disable Reliable Datagram Sockets (RDS)."
 # This function will be called if the script status is on enabled / audit mode
 audit () {
diff --git a/bin/hardening/7.5.4_disable_tipc.sh b/bin/hardening/7.5.4_disable_tipc.sh
index a83a5ff..c40846b 100755
--- a/bin/hardening/7.5.4_disable_tipc.sh
+++ b/bin/hardening/7.5.4_disable_tipc.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Disable Transperent Inter-Process Communication (TIPC)."
 # This function will be called if the script status is on enabled / audit mode
 audit () {
diff --git a/bin/hardening/7.6_disable_wireless.sh b/bin/hardening/7.6_disable_wireless.sh
index ee77136..676129e 100755
--- a/bin/hardening/7.6_disable_wireless.sh
+++ b/bin/hardening/7.6_disable_wireless.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
+DESCRIPTION="Deactivate wireless interfaces."
 # This function will be called if the script status is on enabled / audit mode
 audit () {
diff --git a/bin/hardening/7.7_enable_firewall.sh b/bin/hardening/7.7_enable_firewall.sh
index 7de9fb6..26b523c 100755
--- a/bin/hardening/7.7_enable_firewall.sh
+++ b/bin/hardening/7.7_enable_firewall.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
+DESCRIPTION="Ensure firewall is active (iptables is installed, does not check for its configuration)."
 # Quick note here : CIS recommends your iptables rules to be persistent.
 # Do as you want, but this script does not handle this
diff --git a/bin/hardening/8.0_enable_auditd_kernel.sh b/bin/hardening/8.0_enable_auditd_kernel.sh
index da07c15..d32bbe0 100755
--- a/bin/hardening/8.0_enable_auditd_kernel.sh
+++ b/bin/hardening/8.0_enable_auditd_kernel.sh
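Review bot: The DESCRIPTION in 7.5.4_disable_tipc.sh misspells the protocol name: TIPC is "Transparent Inter-Process Communication", so the line should read `DESCRIPTION="Disable Transparent Inter-Process Communication (TIPC)."`. The audit () function opened by the last context line continues outside the hunk.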
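Review bot: The DESCRIPTION in 7.7_enable_firewall.sh leads with "Ensure firewall is active", but its own parenthetical admits the check only verifies that iptables is installed; an installed iptables with empty chains and ACCEPT policies is not an active firewall, so an OK in the batch output would be read as more assurance than the check gives. Lead with what is actually verified: `DESCRIPTION="Ensure iptables is installed (does not verify that any firewall rules are loaded or persistent)."`. The existing comment lines below already caveat persistence; the audit logic is outside the hunk.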
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=4
+DESCRIPTION="Ensure CONFIG_AUDIT is enabled in your running kernel."
 # Note : Not part of the CIS guide, but what's the point of configuring software not compatible with your kernel? :)
diff --git a/bin/hardening/8.1.1.1_audit_log_storage.sh b/bin/hardening/8.1.1.1_audit_log_storage.sh
index e83ad66..1564992 100755
--- a/bin/hardening/8.1.1.1_audit_log_storage.sh
+++ b/bin/hardening/8.1.1.1_audit_log_storage.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=4
+DESCRIPTION="Configure audit log storage size."
 FILE='/etc/audit/auditd.conf'
 PATTERN='max_log_file'
diff --git a/bin/hardening/8.1.1.2_halt_when_audit_log_full.sh b/bin/hardening/8.1.1.2_halt_when_audit_log_full.sh
index 59255be..6a7d0ce 100755
--- a/bin/hardening/8.1.1.2_halt_when_audit_log_full.sh
+++ b/bin/hardening/8.1.1.2_halt_when_audit_log_full.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=4
+DESCRIPTION="Disable system on audit log full."
 FILE='/etc/audit/auditd.conf'
 OPTIONS='space_left_action=email action_mail_acct=root admin_space_left_action=halt'
diff --git a/bin/hardening/8.1.1.3_keep_all_audit_logs.sh b/bin/hardening/8.1.1.3_keep_all_audit_logs.sh
index 46ac4d7..d2addad 100755
--- a/bin/hardening/8.1.1.3_keep_all_audit_logs.sh
+++ b/bin/hardening/8.1.1.3_keep_all_audit_logs.sh
@@ -12,6 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=4
+DESCRIPTION="Keep all auditing information."
 FILE='/etc/audit/auditd.conf'
 OPTIONS='max_log_file_action=keep_logs'
diff --git a/bin/hardening/8.1.10_record_dac_edit.sh b/bin/hardening/8.1.10_record_dac_edit.sh
index 467c766..a1dc939 100755
--- a/bin/hardening/8.1.10_record_dac_edit.sh
+++ b/bin/hardening/8.1.10_record_dac_edit.sh
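Review bot: The DESCRIPTION in 8.1.1.2_halt_when_audit_log_full.sh, "Disable system on audit log full", understates a setting with real operational impact: the OPTIONS line below sets admin_space_left_action=halt, which powers the machine off when audit space runs out, and the script name says "halt" as well. Operators deciding whether to apply this level should see that in the batch line: `DESCRIPTION="Halt the system when the audit log partition is full (email root when space runs low)."`. The apply logic is outside the hunk.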
@@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=4 +DESCRIPTION="Collect discretionary access control (DAC) permission modification events." AUDIT_PARAMS='-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod diff --git a/bin/hardening/8.1.11_record_failed_access_file.sh b/bin/hardening/8.1.11_record_failed_access_file.sh index aad2351..ca06f1e 100755 --- a/bin/hardening/8.1.11_record_failed_access_file.sh +++ b/bin/hardening/8.1.11_record_failed_access_file.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=4 +DESCRIPTION="Collect unsuccessful unauthorized access attemps to files." AUDIT_PARAMS='-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access diff --git a/bin/hardening/8.1.12_record_privileged_commands.sh b/bin/hardening/8.1.12_record_privileged_commands.sh index 95e03f4..ca852b0 100755 --- a/bin/hardening/8.1.12_record_privileged_commands.sh +++ b/bin/hardening/8.1.12_record_privileged_commands.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=4 +DESCRIPTION="Collect use of privileged commands." # Find all files with setuid or setgid set SUDO_CMD='sudo -n' diff --git a/bin/hardening/8.1.13_record_successful_mount.sh b/bin/hardening/8.1.13_record_successful_mount.sh index d66c00d..3606d89 100755 --- a/bin/hardening/8.1.13_record_successful_mount.sh +++ b/bin/hardening/8.1.13_record_successful_mount.sh 
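Review bot: The DESCRIPTION added to 8.1.11 has a typo, "attemps" for "attempts", in a string that is printed to the operator on each audit. Suggested: `DESCRIPTION="Collect unsuccessful unauthorized access attempts to files."`.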
@@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=4 +DESCRIPTION="Collect sucessfull file system mounts." AUDIT_PARAMS='-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts' diff --git a/bin/hardening/8.1.14_record_file_deletions.sh b/bin/hardening/8.1.14_record_file_deletions.sh index 1889103..b0a12eb 100755 --- a/bin/hardening/8.1.14_record_file_deletions.sh +++ b/bin/hardening/8.1.14_record_file_deletions.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=4 +DESCRIPTION="Collects file deletion events by users." AUDIT_PARAMS='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete' diff --git a/bin/hardening/8.1.15_record_sudoers_edit.sh b/bin/hardening/8.1.15_record_sudoers_edit.sh index ea3ebd9..09e15af 100755 --- a/bin/hardening/8.1.15_record_sudoers_edit.sh +++ b/bin/hardening/8.1.15_record_sudoers_edit.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=4 +DESCRIPTION="Collect changes to system administration scopre." AUDIT_PARAMS='-w /etc/sudoers -p wa -k sudoers -w /etc/sudoers.d/ -p wa -k sudoers' diff --git a/bin/hardening/8.1.16_record_sudo_usage.sh b/bin/hardening/8.1.16_record_sudo_usage.sh index ede8754..349bbee 100755 --- a/bin/hardening/8.1.16_record_sudo_usage.sh +++ b/bin/hardening/8.1.16_record_sudo_usage.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=4 +DESCRIPTION="Collect system administration actions (sudolog)." AUDIT_PARAMS='-w /var/log/auth.log -p wa -k sudoaction' FILE='/etc/audit/audit.rules' 
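Review bot: The DESCRIPTION added to 8.1.13 reads "sucessfull", which should be "successful"; the string is user-visible output of every run. Suggested: `DESCRIPTION="Collect successful file system mounts."`.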
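Review bot: The DESCRIPTION added to 8.1.15 misspells "scope" as "scopre" in an operator-facing string. Suggested: `DESCRIPTION="Collect changes to system administration scope (sudoers)."`.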
diff --git a/bin/hardening/8.1.17_record_kernel_modules.sh b/bin/hardening/8.1.17_record_kernel_modules.sh index deb14f4..ecea60b 100755 --- a/bin/hardening/8.1.17_record_kernel_modules.sh +++ b/bin/hardening/8.1.17_record_kernel_modules.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=4 +DESCRIPTION="Collect kernel module loading and unloading." AUDIT_PARAMS='-w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules diff --git a/bin/hardening/8.1.18_freeze_auditd_conf.sh b/bin/hardening/8.1.18_freeze_auditd_conf.sh index f6ce1ed..74a739d 100755 --- a/bin/hardening/8.1.18_freeze_auditd_conf.sh +++ b/bin/hardening/8.1.18_freeze_auditd_conf.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=4 +DESCRIPTION="Make the audit configuration immutable." AUDIT_PARAMS='-e 2' FILE='/etc/audit/audit.rules' diff --git a/bin/hardening/8.1.2_enable_auditd.sh b/bin/hardening/8.1.2_enable_auditd.sh index 908d64c..4bd321c 100755 --- a/bin/hardening/8.1.2_enable_auditd.sh +++ b/bin/hardening/8.1.2_enable_auditd.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=4 +DESCRIPTION="Ensure auditd service is installed and running." PACKAGE='auditd' SERVICE_NAME='auditd' diff --git a/bin/hardening/8.1.3_audit_bootloader.sh b/bin/hardening/8.1.3_audit_bootloader.sh index 96bb93f..0903310 100755 --- a/bin/hardening/8.1.3_audit_bootloader.sh +++ b/bin/hardening/8.1.3_audit_bootloader.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=4 +DESCRIPTION="Enable auditing for processes that start prior to auditd." FILE='/etc/default/grub' OPTIONS='GRUB_CMDLINE_LINUX="audit=1"' diff --git a/bin/hardening/8.1.4_record_date_time_edit.sh b/bin/hardening/8.1.4_record_date_time_edit.sh index 3110963..679d035 100755 --- a/bin/hardening/8.1.4_record_date_time_edit.sh 
+++ b/bin/hardening/8.1.4_record_date_time_edit.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=4 +DESCRIPTION="Record events taht modify date and time information." AUDIT_PARAMS='-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change diff --git a/bin/hardening/8.1.5_record_user_group_edit.sh b/bin/hardening/8.1.5_record_user_group_edit.sh index a1762a7..4523346 100755 --- a/bin/hardening/8.1.5_record_user_group_edit.sh +++ b/bin/hardening/8.1.5_record_user_group_edit.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=4 +DESCRIPTION="Record events that modify user/group information." AUDIT_PARAMS='-w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity diff --git a/bin/hardening/8.1.6_record_network_edit.sh b/bin/hardening/8.1.6_record_network_edit.sh index 22e8533..d40f8d6 100755 --- a/bin/hardening/8.1.6_record_network_edit.sh +++ b/bin/hardening/8.1.6_record_network_edit.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=4 +DESCRIPTION="Record events that modify the system's network environment." AUDIT_PARAMS='-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale diff --git a/bin/hardening/8.1.7_record_mac_edit.sh b/bin/hardening/8.1.7_record_mac_edit.sh index 9a26de8..2bbf2f2 100755 --- a/bin/hardening/8.1.7_record_mac_edit.sh +++ b/bin/hardening/8.1.7_record_mac_edit.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=4 +DESCRIPTION="Record events that modify the system's mandatory access controls (MAC)." AUDIT_PARAMS='-w /etc/selinux/ -p wa -k MAC-policy' FILE='/etc/audit/audit.rules' 
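Review bot: The DESCRIPTION added to 8.1.4 contains "taht" for "that"; it is printed by the `[DESCRIPTION]` line on each run. Suggested: `DESCRIPTION="Record events that modify date and time information."`.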
diff --git a/bin/hardening/8.1.8_record_login_logout.sh b/bin/hardening/8.1.8_record_login_logout.sh index 7f886d1..349ed2d 100755 --- a/bin/hardening/8.1.8_record_login_logout.sh +++ b/bin/hardening/8.1.8_record_login_logout.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=4 +DESCRIPTION="Collect login and logout events." AUDIT_PARAMS='-w /var/log/faillog -p wa -k logins -w /var/log/lastlog -p wa -k logins diff --git a/bin/hardening/8.1.9_record_session_init.sh b/bin/hardening/8.1.9_record_session_init.sh index 9616a4b..ce724cf 100755 --- a/bin/hardening/8.1.9_record_session_init.sh +++ b/bin/hardening/8.1.9_record_session_init.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=4 +DESCRIPTION="Collec sessions initiation information." AUDIT_PARAMS='-w /var/run/utmp -p wa -k session -w /var/log/wtmp -p wa -k session diff --git a/bin/hardening/8.2.1_install_syslog-ng.sh b/bin/hardening/8.2.1_install_syslog-ng.sh index 83b549e..430c0ef 100755 --- a/bin/hardening/8.2.1_install_syslog-ng.sh +++ b/bin/hardening/8.2.1_install_syslog-ng.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=3 +DESCRIPTION="Install syslog-ng package." # NB : in CIS, rsyslog has been chosen, however we chose syslog-ng PACKAGE='syslog-ng' diff --git a/bin/hardening/8.2.2_enable_syslog-ng.sh b/bin/hardening/8.2.2_enable_syslog-ng.sh index 5b08173..ae9b037 100755 --- a/bin/hardening/8.2.2_enable_syslog-ng.sh +++ b/bin/hardening/8.2.2_enable_syslog-ng.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=3 +DESCRIPTION="Ensure syslog-ng service is activated." SERVICE_NAME="syslog-ng" diff --git a/bin/hardening/8.2.3_configure_syslog-ng.sh b/bin/hardening/8.2.3_configure_syslog-ng.sh index a8a31d2..b32abe2 100755 --- a/bin/hardening/8.2.3_configure_syslog-ng.sh 
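Review bot: The DESCRIPTION added to 8.1.9 is truncated and ungrammatical ("Collec sessions initiation information"). Suggested: `DESCRIPTION="Collect session initiation information."`.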
+++ b/bin/hardening/8.2.3_configure_syslog-ng.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=3 +DESCRIPTION="Configure /etc/syslog-ng/syslog-ng.conf ." SERVICE_NAME="syslog-ng" diff --git a/bin/hardening/8.2.4_set_logfile_perm.sh b/bin/hardening/8.2.4_set_logfile_perm.sh index 88566b5..f730a53 100755 --- a/bin/hardening/8.2.4_set_logfile_perm.sh +++ b/bin/hardening/8.2.4_set_logfile_perm.sh @@ -5,13 +5,14 @@ # # -# 8.2.4 Create and Set Permissions on rsyslog Log Files (Scored) +# 8.2.4 Create and Set Permissions on syslog-ng Log Files (Scored) # set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=3 +DESCRIPTION="Create and set permissions on syslog-ng logfiles." PERMISSIONS='640' USER='root' diff --git a/bin/hardening/8.2.5_syslog-ng_remote_host.sh b/bin/hardening/8.2.5_syslog-ng_remote_host.sh index 20112aa..82a6db0 100755 --- a/bin/hardening/8.2.5_syslog-ng_remote_host.sh +++ b/bin/hardening/8.2.5_syslog-ng_remote_host.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=3 +DESCRIPTION="Configure syslog-ng to send logs to a remote log host." PATTERN='^destination.*(tcp|udp)[[:space:]]*\([[:space:]]*\".*\"[[:space:]]*\)' diff --git a/bin/hardening/8.2.6_remote_syslog-ng_acl.sh b/bin/hardening/8.2.6_remote_syslog-ng_acl.sh index 7d27831..653295e 100755 --- a/bin/hardening/8.2.6_remote_syslog-ng_acl.sh +++ b/bin/hardening/8.2.6_remote_syslog-ng_acl.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=3 +DESCRIPTION="Configure syslog to accept remote syslog messages only on designated log hosts." # This function will be called if the script status is on enabled / audit mode audit () { diff --git a/bin/hardening/8.3.1_install_tripwire.sh b/bin/hardening/8.3.1_install_tripwire.sh index cc24616..4d6544d 100755 --- a/bin/hardening/8.3.1_install_tripwire.sh 
+++ b/bin/hardening/8.3.1_install_tripwire.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=4 +DESCRIPTION="Ensure tripwire package is installed." # NB : in CIS, AIDE has been chosen, however we chose tripwire PACKAGE='tripwire' diff --git a/bin/hardening/8.3.2_tripwire_cron.sh b/bin/hardening/8.3.2_tripwire_cron.sh index 6c09836..1f09d5a 100755 --- a/bin/hardening/8.3.2_tripwire_cron.sh +++ b/bin/hardening/8.3.2_tripwire_cron.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=4 +DESCRIPTION="Implemet periodic execution of file integrity." FILES='/etc/crontab /etc/cron.d/*' PATTERN='tripwire --check' diff --git a/bin/hardening/8.4_configure_logrotate.sh b/bin/hardening/8.4_configure_logrotate.sh index 585d0f6..fc8f1ee 100755 --- a/bin/hardening/8.4_configure_logrotate.sh +++ b/bin/hardening/8.4_configure_logrotate.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=3 +DESCRIPTION="Configure logrotate to prevent logfile from growing unmanageable." SERVICE_NAME="syslog-ng" diff --git a/bin/hardening/9.1.1_enable_cron.sh b/bin/hardening/9.1.1_enable_cron.sh index 405428f..0c34cf1 100755 --- a/bin/hardening/9.1.1_enable_cron.sh +++ b/bin/hardening/9.1.1_enable_cron.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=3 +DESCRIPTION="Cron package is installed and enabled." PACKAGE="cron" SERVICE_NAME="cron" diff --git a/bin/hardening/9.1.2_crontab_perm_ownership.sh b/bin/hardening/9.1.2_crontab_perm_ownership.sh index b88a902..7791fed 100755 --- a/bin/hardening/9.1.2_crontab_perm_ownership.sh +++ b/bin/hardening/9.1.2_crontab_perm_ownership.sh 
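Review bot: The DESCRIPTION added to 8.3.2 misspells "Implement" as "Implemet" and the phrase "periodic execution of file integrity" is incomplete; this string is shown to the operator on every run. Suggested: `DESCRIPTION="Implement periodic execution of file integrity checks (tripwire cron job)."`.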
@@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=1 +DESCRIPTION="User/Group set to root and permissions to 600 on /etc/crontab ." FILE='/etc/crontab' PERMISSIONS='600' diff --git a/bin/hardening/9.1.3_cron_hourly_perm_ownership.sh b/bin/hardening/9.1.3_cron_hourly_perm_ownership.sh index 416139d..79f36eb 100755 --- a/bin/hardening/9.1.3_cron_hourly_perm_ownership.sh +++ b/bin/hardening/9.1.3_cron_hourly_perm_ownership.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=1 +DESCRIPTION="User/Group set to root and permissions to 700 on /etc/cron.hourly ." FILE='/etc/cron.hourly' PERMISSIONS='700' diff --git a/bin/hardening/9.1.4_cron_daily_perm_ownership.sh b/bin/hardening/9.1.4_cron_daily_perm_ownership.sh index fe5a179..cf11ffd 100755 --- a/bin/hardening/9.1.4_cron_daily_perm_ownership.sh +++ b/bin/hardening/9.1.4_cron_daily_perm_ownership.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=1 +DESCRIPTION="User/group set to root and permissions to 700 on /etc/cron.daily ." FILE='/etc/cron.daily' PERMISSIONS='700' diff --git a/bin/hardening/9.1.5_cron_weekly_perm_ownership.sh b/bin/hardening/9.1.5_cron_weekly_perm_ownership.sh index d38b827..f678d97 100755 --- a/bin/hardening/9.1.5_cron_weekly_perm_ownership.sh +++ b/bin/hardening/9.1.5_cron_weekly_perm_ownership.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=1 +DESCRIPTION="User/group set to root and permissions to 700 on /etc/cron.weekly ." FILE='/etc/cron.weekly' PERMISSIONS='700' diff --git a/bin/hardening/9.1.6_cron_monthly_perm_ownership.sh b/bin/hardening/9.1.6_cron_monthly_perm_ownership.sh index 752c256..39a5ccc 100755 --- a/bin/hardening/9.1.6_cron_monthly_perm_ownership.sh +++ b/bin/hardening/9.1.6_cron_monthly_perm_ownership.sh 
@@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=1 +DESCRIPTION="User/group set to root and permissions to 700 on /etc/cron.monthly ." FILE='/etc/cron.monthly' PERMISSIONS='700' diff --git a/bin/hardening/9.1.7_cron_d_perm_ownership.sh b/bin/hardening/9.1.7_cron_d_perm_ownership.sh index 9e6092c..7578a99 100755 --- a/bin/hardening/9.1.7_cron_d_perm_ownership.sh +++ b/bin/hardening/9.1.7_cron_d_perm_ownership.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=1 +DESCRIPTION="User/group set to root and permissions to 700 on /etc/cron.d ." FILE='/etc/cron.d' PERMISSIONS='700' diff --git a/bin/hardening/9.1.8_cron_users.sh b/bin/hardening/9.1.8_cron_users.sh index add1a1a..9b2c4b6 100755 --- a/bin/hardening/9.1.8_cron_users.sh +++ b/bin/hardening/9.1.8_cron_users.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=2 +DESCRIPTION="Restrict at/cron to authorized users." FILES_ABSENT='/etc/cron.deny /etc/at.deny' FILES_PRESENT='/etc/cron.allow /etc/at.allow' diff --git a/bin/hardening/9.2.1_enable_cracklib.sh b/bin/hardening/9.2.1_enable_cracklib.sh index e62b467..a65ce58 100755 --- a/bin/hardening/9.2.1_enable_cracklib.sh +++ b/bin/hardening/9.2.1_enable_cracklib.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=2 +DESCRIPTION="Set password creation requirement parameters using pam.cracklib." PACKAGE='libpam-cracklib' PATTERN='^password.*pam_cracklib.so' diff --git a/bin/hardening/9.2.2_enable_lockout_failed_password.sh b/bin/hardening/9.2.2_enable_lockout_failed_password.sh index cfe611f..4f2fd74 100755 --- a/bin/hardening/9.2.2_enable_lockout_failed_password.sh +++ b/bin/hardening/9.2.2_enable_lockout_failed_password.sh 
@@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=3 +DESCRIPTION="Set lockout for failed password attemps." PACKAGE='libpam-modules-bin' PATTERN='^auth[[:space:]]*required[[:space:]]*pam_tally[2]?.so' diff --git a/bin/hardening/9.2.3_limit_password_reuse.sh b/bin/hardening/9.2.3_limit_password_reuse.sh index 532f08f..becaca3 100755 --- a/bin/hardening/9.2.3_limit_password_reuse.sh +++ b/bin/hardening/9.2.3_limit_password_reuse.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=3 +DESCRIPTION="Limit password reuse." PACKAGE='libpam-modules' PATTERN='^password.*remember' diff --git a/bin/hardening/9.3.10_disable_sshd_setenv.sh b/bin/hardening/9.3.10_disable_sshd_setenv.sh index 990e6d8..54dae3f 100755 --- a/bin/hardening/9.3.10_disable_sshd_setenv.sh +++ b/bin/hardening/9.3.10_disable_sshd_setenv.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=2 +DESCRIPTION="Do not allow users to set environment options." PACKAGE='openssh-server' OPTIONS='PermitUserEnvironment=no' diff --git a/bin/hardening/9.3.11_sshd_ciphers.sh b/bin/hardening/9.3.11_sshd_ciphers.sh index 6c0a592..18a4f4d 100755 --- a/bin/hardening/9.3.11_sshd_ciphers.sh +++ b/bin/hardening/9.3.11_sshd_ciphers.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=2 +DESCRIPTION="Use only approved ciphers in counter mode (ctr) or Galois counter mode (gcm)." PACKAGE='openssh-server' OPTIONS='Ciphers=chacha20-poly1305@openssh\.com,aes256-gcm@openssh\.com,aes128-gcm@openssh\.com,aes256-ctr,aes192-ctr,aes128-ctr' diff --git a/bin/hardening/9.3.12_sshd_idle_timeout.sh b/bin/hardening/9.3.12_sshd_idle_timeout.sh index bf2a2b7..36bfff2 100755 --- a/bin/hardening/9.3.12_sshd_idle_timeout.sh +++ b/bin/hardening/9.3.12_sshd_idle_timeout.sh 
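Review bot: The DESCRIPTION added to 9.2.2 has "attemps" for "attempts" in a user-visible string. Suggested: `DESCRIPTION="Set lockout for failed password attempts."`.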
@@ -13,6 +13,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=3 +DESCRIPTION="Set Idle Timeout Interval for user login." PACKAGE='openssh-server' FILE='/etc/ssh/sshd_config' diff --git a/bin/hardening/9.3.13_sshd_limit_access.sh b/bin/hardening/9.3.13_sshd_limit_access.sh index f87d23f..40f7ce4 100755 --- a/bin/hardening/9.3.13_sshd_limit_access.sh +++ b/bin/hardening/9.3.13_sshd_limit_access.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=3 +DESCRIPTION="Limite access via SSH by (dis)allowing specific users or groups." PACKAGE='openssh-server' FILE='/etc/ssh/sshd_config' diff --git a/bin/hardening/9.3.14_ssh_banner.sh b/bin/hardening/9.3.14_ssh_banner.sh index 86c3410..0bba372 100755 --- a/bin/hardening/9.3.14_ssh_banner.sh +++ b/bin/hardening/9.3.14_ssh_banner.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=3 +DESCRIPTION="Set ssh banner." PACKAGE='openssh-server' FILE='/etc/ssh/sshd_config' diff --git a/bin/hardening/9.3.1_sshd_protocol.sh b/bin/hardening/9.3.1_sshd_protocol.sh index 26ee7d7..003b03b 100755 --- a/bin/hardening/9.3.1_sshd_protocol.sh +++ b/bin/hardening/9.3.1_sshd_protocol.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=2 +DESCRIPTION="Set secure shell (SSH) protocol to 2." PACKAGE='openssh-server' OPTIONS='Protocol=2' diff --git a/bin/hardening/9.3.2_sshd_loglevel.sh b/bin/hardening/9.3.2_sshd_loglevel.sh index 7f614e3..644cbea 100755 --- a/bin/hardening/9.3.2_sshd_loglevel.sh +++ b/bin/hardening/9.3.2_sshd_loglevel.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=2 +DESCRIPTION="Set LogLevel to INFO for SSH." PACKAGE='openssh-server' OPTIONS='LogLevel=INFO' 
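Review bot: The DESCRIPTION added to 9.3.13 reads "Limite access", which should be "Limit access"; the string is printed on every audit run. Suggested: `DESCRIPTION="Limit access via SSH by (dis)allowing specific users or groups."`.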
diff --git a/bin/hardening/9.3.3_sshd_conf_perm_ownership.sh b/bin/hardening/9.3.3_sshd_conf_perm_ownership.sh index 0de46eb..c24ae81 100755 --- a/bin/hardening/9.3.3_sshd_conf_perm_ownership.sh +++ b/bin/hardening/9.3.3_sshd_conf_perm_ownership.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=1 +DESCRIPTION="Checking permissions and ownership to root 600 for sshd_config." FILE='/etc/ssh/sshd_config' PERMISSIONS='600' diff --git a/bin/hardening/9.3.4_disable_x11_forwarding.sh b/bin/hardening/9.3.4_disable_x11_forwarding.sh index e865062..7315ea4 100755 --- a/bin/hardening/9.3.4_disable_x11_forwarding.sh +++ b/bin/hardening/9.3.4_disable_x11_forwarding.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=2 +DESCRIPTION="Disable SSH X11 forwarding." PACKAGE='openssh-server' OPTIONS='X11Forwarding=no' diff --git a/bin/hardening/9.3.5_sshd_maxauthtries.sh b/bin/hardening/9.3.5_sshd_maxauthtries.sh index fd0aa36..7c7fff8 100755 --- a/bin/hardening/9.3.5_sshd_maxauthtries.sh +++ b/bin/hardening/9.3.5_sshd_maxauthtries.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=2 +DESCRIPTION="Set SSH MaxAuthTries to 4." PACKAGE='openssh-server' OPTIONS='MaxAuthTries=4' diff --git a/bin/hardening/9.3.6_enable_sshd_ignorerhosts.sh b/bin/hardening/9.3.6_enable_sshd_ignorerhosts.sh index ff50d7a..d54e5b1 100755 --- a/bin/hardening/9.3.6_enable_sshd_ignorerhosts.sh +++ b/bin/hardening/9.3.6_enable_sshd_ignorerhosts.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=2 +DESCRIPTION="Set SSH IgnoreRhosts to Yes." PACKAGE='openssh-server' OPTIONS='IgnoreRhosts=yes' diff --git a/bin/hardening/9.3.7_disable_sshd_hostbasedauthentication.sh b/bin/hardening/9.3.7_disable_sshd_hostbasedauthentication.sh index f902c2a..412591e 100755 
--- a/bin/hardening/9.3.7_disable_sshd_hostbasedauthentication.sh +++ b/bin/hardening/9.3.7_disable_sshd_hostbasedauthentication.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=2 +DESCRIPTION="Set SSH HostbasedAUthentication to No." PACKAGE='openssh-server' OPTIONS='HostbasedAuthentication=no' diff --git a/bin/hardening/9.3.8_disable_root_login.sh b/bin/hardening/9.3.8_disable_root_login.sh index a22f717..0dd27d0 100755 --- a/bin/hardening/9.3.8_disable_root_login.sh +++ b/bin/hardening/9.3.8_disable_root_login.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=3 +DESCRIPTION="Disable SSH Root Login." PACKAGE='openssh-server' OPTIONS='PermitRootLogin=no' diff --git a/bin/hardening/9.3.9_disable_sshd_permitemptypasswords.sh b/bin/hardening/9.3.9_disable_sshd_permitemptypasswords.sh index be0ae71..382274c 100755 --- a/bin/hardening/9.3.9_disable_sshd_permitemptypasswords.sh +++ b/bin/hardening/9.3.9_disable_sshd_permitemptypasswords.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=2 +DESCRIPTION="Set SSH PermitEmptyPasswords to No in order to disallow SSH login to accounts with empty password strigs." PACKAGE='openssh-server' OPTIONS='PermitEmptyPasswords=no' diff --git a/bin/hardening/9.4_secure_tty.sh b/bin/hardening/9.4_secure_tty.sh index aa7cd56..e6e6e99 100755 --- a/bin/hardening/9.4_secure_tty.sh +++ b/bin/hardening/9.4_secure_tty.sh @@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=3 +DESCRIPTION="Restrict root login to system console." FILE='/etc/securetty' diff --git a/bin/hardening/9.5_restrict_su.sh b/bin/hardening/9.5_restrict_su.sh index d86ba33..ca675a2 100755 --- a/bin/hardening/9.5_restrict_su.sh +++ b/bin/hardening/9.5_restrict_su.sh 
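Review bot: The DESCRIPTION added to 9.3.7 has a stray capital in "HostbasedAUthentication"; since the option name is quoted verbatim, it is worth matching sshd_config's spelling so operators can grep for it. Suggested: `DESCRIPTION="Set SSH HostbasedAuthentication to No."`.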
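Review bot: The DESCRIPTION added to 9.3.9 ends with "strigs" instead of "strings" in an operator-facing string. Suggested: `DESCRIPTION="Set SSH PermitEmptyPasswords to No in order to disallow SSH login to accounts with empty password strings."`.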
@@ -12,6 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=3 +DESCRIPTION="Restrict access to su command." PACKAGE='login' PATTERN='^auth[[:space:]]*required[[:space:]]*pam_wheel.so' diff --git a/bin/hardening/99.1_timeout_tty.sh b/bin/hardening/99.1_timeout_tty.sh index f1c25e8..bde9879 100755 --- a/bin/hardening/99.1_timeout_tty.sh +++ b/bin/hardening/99.1_timeout_tty.sh @@ -12,9 +12,11 @@ set -e # One error, it's over set -u # One variable unset, it's over USER='root' +DESCRIPTION="Timeout 600 seconds on tty." + PATTERN='TMOUT=' VALUE='600' -FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d /etc/profile' +FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d /etc/profile .' FILE='/etc/profile.d/CIS_99.1_timeout.sh' # This function will be called if the script status is on enabled / audit mode diff --git a/bin/hardening/99.2_disable_usb_devices.sh b/bin/hardening/99.2_disable_usb_devices.sh index d8399f2..3a3c760 100755 --- a/bin/hardening/99.2_disable_usb_devices.sh +++ b/bin/hardening/99.2_disable_usb_devices.sh @@ -12,6 +12,8 @@ set -e # One error, it's over set -u # One variable unset, it's over USER='root' +DESCRIPTION="USB devices are disabled." + PATTERN='ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"' # We do test disabled by default, whitelist is up to you FILES_TO_SEARCH='/etc/udev/rules.d' FILE='/etc/udev/rules.d/10-CIS_99.2_usb_devices.sh' diff --git a/lib/common.sh b/lib/common.sh index 9d819ba..35dae91 100644 --- a/lib/common.sh +++ b/lib/common.sh 
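Review bot: The 99.1 hunk appends `.` to `FILES_TO_SEARCH`, so the audit (whose body starts outside this hunk and presumably searches this list for `$PATTERN`) now also looks in the caller's current working directory for `TMOUT=`. That makes the verdict depend on where the auditor happens to run the tool, and any user who can drop a file into that directory (say, when the audit is launched from /tmp or a home directory) can make the check pass without the system-wide setting existing. Unless this is intentional, it looks like a debugging leftover and should be reverted: `FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d /etc/profile'`.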
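Review bot: The new DESCRIPTION "USB devices are disabled." overstates what 99.2 can prove, because the file the script writes, `FILE='/etc/udev/rules.d/10-CIS_99.2_usb_devices.sh'`, has a `.sh` suffix and udev only loads rules files named `*.rules` — a rule placed there is silently ignored even though an audit that greps `/etc/udev/rules.d` for `$PATTERN` would report it present. That line is context rather than part of this change, but it is worth fixing alongside it: `FILE='/etc/udev/rules.d/10-CIS_99.2_usb_devices.rules'`.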
@@ -58,17 +58,29 @@ cecho () {
}
crit () {
- if [ $MACHINE_LOG_LEVEL -ge 1 ]; then _logger $BRED "[ KO ] $*"; fi
+ if [ ${BATCH_MODE:-0} -eq 1 ]; then
+ BATCH_OUTPUT="$BATCH_OUTPUT KO{$*}"
+ else
+ if [ $MACHINE_LOG_LEVEL -ge 1 ]; then _logger $BRED "[ KO ] $*"; fi
+ fi
# This variable incrementation is used to measure failure or success in tests
CRITICAL_ERRORS_NUMBER=$((CRITICAL_ERRORS_NUMBER+1))
}
warn () {
- if [ $MACHINE_LOG_LEVEL -ge 2 ]; then _logger $BYELLOW "[WARN] $*"; fi
+ if [ ${BATCH_MODE:-0} -eq 1 ]; then
+ BATCH_OUTPUT="$BATCH_OUTPUT WARN{$*}"
+ else
+ if [ $MACHINE_LOG_LEVEL -ge 2 ]; then _logger $BYELLOW "[WARN] $*"; fi
+ fi
}
ok () {
- if [ $MACHINE_LOG_LEVEL -ge 3 ]; then _logger $BGREEN "[ OK ] $*"; fi
+ if [ ${BATCH_MODE:-0} -eq 1 ]; then
+ BATCH_OUTPUT="$BATCH_OUTPUT OK{$*}"
+ else
+ if [ $MACHINE_LOG_LEVEL -ge 3 ]; then _logger $BGREEN "[ OK ] $*"; fi
+ fi
}
info () {
diff --git a/lib/main.sh b/lib/main.sh
index 38d8e5e..5e0b0c4 100644
--- a/lib/main.sh
+++ b/lib/main.sh
@@ -2,6 +2,8 @@ LONG_SCRIPT_NAME=$(basename $0)
SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh}
# Variable initialization, to avoid crash
CRITICAL_ERRORS_NUMBER=0 # This will be used to see if a script failed, or passed
+BATCH_MODE=0
+BATCH_OUTPUT=""
status=""
forcedstatus=""
SUDO_CMD=""
@@ -14,8 +16,6 @@ SUDO_CMD=""
# Environment Sanitizing
export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
-info "Working on $SCRIPT_NAME"
-
# Arguments parsing
while [[ $# > 0 ]]; do
ARG="$1"
@@ -35,6 +35,12 @@ while [[ $# > 0 ]]; do
--sudo)
SUDO_CMD="sudo -n"
;;
+ --batch)
+ debug "Auditing in batch mode, will limit output by setting LOGLEVEL to 'ok'."
+ BATCH_MODE=1
+ LOGLEVEL=ok
+ [ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
+ ;;
*)
debug "Unknown option passed"
;;
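Review bot: `[ ${BATCH_MODE:-0} -eq 1 ]` in the new `crit`/`warn`/`ok` bodies is an arithmetic test, so any script that sources this library with a non-numeric `BATCH_MODE` (for instance a driver that stores the option name `--batch` in a variable of the same name, which the `:-0` default suggests is anticipated) gets `[: integer expression expected` on every logger call and falls through to the normal-output branch. A string comparison is equivalent for the `1` case and cannot error: `if [ "${BATCH_MODE:-0}" = 1 ]; then`. Separately, the message is framed as `KO{$*}` but nothing escapes `{`/`}` inside `$*`, so a check message containing braces will break the `OK|KO|WARN{...}` format a batch consumer is told to parse; a short comment above `crit` stating that messages must not contain braces would at least make the contract explicit. The three functions are also now three copies of the same branch and could share a `_report TAG COLOR LEVEL "$@"` helper.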
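Review bot: The `--batch` arm re-sources `lib/common.sh` with no comment saying why; it presumably exists so that the logger's `MACHINE_LOG_LEVEL` is recomputed from the new `LOGLEVEL=ok`, but a reader cannot tell that from here, and a second source also re-runs whatever else the library initialises. Add `# re-source so the logger picks up LOGLEVEL=ok (MACHINE_LOG_LEVEL is derived when common.sh is sourced) -- confirm` above the line, and quote the path so an unusual `CIS_ROOT_DIR` does not word-split: `[ -r "$CIS_ROOT_DIR/lib/common.sh" ] && . "$CIS_ROOT_DIR/lib/common.sh"`.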
@@ -42,6 +48,9 @@ while [[ $# > 0 ]]; do
shift
done
+info "Working on $SCRIPT_NAME"
+info "[DESCRIPTION] $DESCRIPTION"
+
# Source specific configuration file
if ! [ -r $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_NAME.cfg ] ; then
# If it doesn't exist, create it with default values
@@ -72,9 +81,11 @@ fi
if [ -z $status ]; then
crit "Could not find status variable for $SCRIPT_NAME, considered as disabled"
+ exit 2
fi
+
case $status in
enabled | true )
info "Checking Configuration"
@@ -99,10 +110,20 @@ case $status in
;;
esac
-if [ $CRITICAL_ERRORS_NUMBER = 0 ]; then
- ok "Check Passed"
+if [ $CRITICAL_ERRORS_NUMBER -eq 0 ]; then
+ if [ $BATCH_MODE -eq 1 ]; then
+ BATCH_OUTPUT="OK $SCRIPT_NAME $BATCH_OUTPUT"
+ echo $BATCH_OUTPUT
+ else
+ ok "Check Passed"
+ fi
exit 0 # Means ok status
else
- crit "Check Failed"
+ if [ $BATCH_MODE -eq 1 ]; then
+ BATCH_OUTPUT="KO $SCRIPT_NAME $BATCH_OUTPUT"
+ echo $BATCH_OUTPUT
+ else
+ crit "Check Failed"
+ fi
exit 1 # Means critical status
fi
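Review bot: `info "[DESCRIPTION] $DESCRIPTION"` dereferences a variable that every hardening script is now expected to define, but those scripts run under `set -u` (visible in the other hunks of this diff), so any script that lacks `DESCRIPTION` — an older or locally added check — will abort here with an unbound-variable error before its audit runs. Use a default so a missing description degrades to an empty field instead of a crash: `info "[DESCRIPTION] ${DESCRIPTION:-}"`.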
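Review bot: The new `exit 2` after the missing-status `crit` bypasses the only place where `BATCH_OUTPUT` is echoed (the verdict block at the end of the file), and in batch mode `crit` no longer prints anything itself, so a script with no `status` variable produces no output line at all in `--batch` runs and a consumer keyed on one line per script will silently lose it. Emit the line before leaving, e.g. `[ $BATCH_MODE -eq 1 ] && echo "KO $SCRIPT_NAME $BATCH_OUTPUT"` ahead of `exit 2`, and document the new exit code in a comment (`# 2: no status variable, neither passed nor failed`) since callers previously only saw 0 or 1.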
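Review bot: `echo $BATCH_OUTPUT` in both new branches is unquoted, yet `BATCH_OUTPUT` carries the raw messages collected by `crit`/`warn`/`ok`; if those messages interpolate the patterns and file lists the checks use (values such as `/etc/cron.d/*` and `^password.*remember` appear elsewhere in this diff), the unquoted expansion will glob them against the current directory and collapse their whitespace, corrupting the single line a batch consumer is meant to parse. Use `printf '%s\n' "$BATCH_OUTPUT"` (or at least `echo "$BATCH_OUTPUT"`) in both places. The two branches are otherwise identical apart from `OK`/`KO` and could compute the verdict once into a variable before a single print, which would also keep the `# Means ...` exit-code comments in one spot.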