elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2024-11-22 05:27:01 +01:00
Code Issues Packages Projects Releases Wiki Activity

Adding batch mode to output just one line of text (no colors) in order to be parsed by computer tools

Browse Source 
Adding DESCRIPTION field in tests and [INFO] DESCRIPTION in main
Update README with --batch mode info
Add --batch mode in hardening.sh

Change summary to make it oneliner when batch mode
AUDIT_SUMMARY PASSED_CHECKS:95 RUN_CHECKS:191 TOTAL_CHECKS_AVAIL:191 CONFORMITY_PERCENTAGE:49.74
This commit is contained in:
Charles Herlin 2017-10-31 17:44:15 +01:00
parent 8a7f9ddad5
commit 67df4da781
195 changed files with 283 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
README.md
View File

@ -85,6 +85,10 @@ specific root read-only files. You need to provide a sudoers file in /etc/sudoer
with NOPASWD option, since checks are executed with ``sudo -n`` option, that will
not prompt for a password.
``--batch``: While performing system audit, this option sets LOGLEVEL to 'ok' and
captures all output to print only one line once the check is done, formatted like :
OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
## Hacking
**Getting the source**

37
bin/hardening.sh
View File

@ -23,6 +23,7 @@ AUDIT_ALL_ENABLE_PASSED=0
ALLOW_SERVICE_LIST=0
SET_HARDENING_LEVEL=0
SUDO_MODE=''
BATCH_MODE=''
usage() {
cat << EOF
@ -91,6 +92,11 @@ OPTIONS:
the '-n' option instructs sudo not to prompt for a password.
Finally note that '--sudo' mode only works for audit mode.
--batch
While performing system audit, this option sets LOGLEVEL to 'ok' and
captures all output to print only one line once the check is done, formatted like :
OK|KO OK|KO|WARN{subcheck results} [OK|KO|WARN{...}]
EOF
exit 0
}
@ -135,6 +141,10 @@ while [[ $# > 0 ]]; do
--sudo)
SUDO_MODE='--sudo'
;;
--batch)
BATCH_MODE='--batch'
LOGLEVEL=ok
;;
-h|--help)
usage
;;
@ -160,6 +170,8 @@ fi
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
if [ $BATCH_MODE ]; then MACHINE_LOG_LEVEL=3; fi
# If --allow-service-list is specified, don't run anything, just list the supported services
if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then
declare -a HARDENING_EXCEPTIONS_LIST
@ -208,14 +220,14 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
info "Treating $SCRIPT"
if [ $AUDIT = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE"
$SCRIPT --audit $SUDO_MODE
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE $BATCH_MODE"
$SCRIPT --audit $SUDO_MODE $BATCH_MODE
elif [ $AUDIT_ALL = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE"
$SCRIPT --audit-all $SUDO_MODE
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE"
$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE
elif [ $AUDIT_ALL_ENABLE_PASSED = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE"
$SCRIPT --audit-all $SUDO_MODE
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE" $BATCH_MODE
$SCRIPT --audit-all $SUDO_MODE $BATCH_MODE
elif [ $APPLY = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT"
$SCRIPT
@ -250,6 +262,18 @@ done
TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS-DISABLED_CHECKS))
if [ $BATCH_MODE ]; then
BATCH_SUMMARY="AUDIT_SUMMARY "
BATCH_SUMMARY+="PASSED_CHECKS:${PASSED_CHECKS:-0} "
BATCH_SUMMARY+="RUN_CHECKS:${TOTAL_TREATED_CHECKS:-0} "
BATCH_SUMMARY+="TOTAL_CHECKS_AVAIL:${TOTAL_CHECKS:-0}"
if [ $TOTAL_TREATED_CHECKS != 0 ]; then
BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:$(printf "%.2f" $( echo "($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100" | bc -l))"
else
BATCH_SUMMARY+=" CONFORMITY_PERCENTAGE:N.A" # No check runned, avoid division by 0
fi
echo $BATCH_SUMMARY
else
printf "%40s\n" "################### SUMMARY ###################"
printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"
printf "%30s %s\n" "Total Runned Checks :" "$TOTAL_TREATED_CHECKS"
@ -261,3 +285,4 @@ if [ $TOTAL_TREATED_CHECKS != 0 ]; then
else
printf "%30s %s %%\n" "Conformity Percentage :" "N.A" # No check runned, avoid division by 0
fi
fi

1
bin/hardening/1.1_install_updates.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
DESCRIPTION="Install updates, patches and additional secutiry software."
# This function will be called if the script status is on enabled / audit mode
audit () {

1
bin/hardening/10.1.1_set_password_exp_days.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
DESCRIPTION="Set password expiration days."
PACKAGE='login'
OPTIONS='PASS_MAX_DAYS=90'

1
bin/hardening/10.1.2_set_password_min_days_change.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
DESCRIPTION="Set password change minimum number of days."
PACKAGE='login'
OPTIONS='PASS_MIN_DAYS=7'

1
bin/hardening/10.1.3_set_password_exp_warning_days.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
DESCRIPTION="Set password expiration warning days."
PACKAGE='login'
OPTIONS='PASS_WARN_AGE=7'

1
bin/hardening/10.2_disable_system_accounts.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
DESCRIPTION="Disable system accounts, preventing them from interactive login."
SHELL='/bin/false'
FILE='/etc/passwd'

1
bin/hardening/10.3_default_root_group.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Set default group for root account to 0."
USER='root'
EXPECTED_GID='0'

1
bin/hardening/10.4_default_umask.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
DESCRIPTION="Set default mask for users to 077."
USER='root'
PATTERN='umask 077'

1
bin/hardening/10.5_lock_inactive_user_account.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
DESCRIPTION="Lock inactive user accounts."
# This function will be called if the script status is on enabled / audit mode
audit () {

1
bin/hardening/11.1_warning_banners.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
DESCRIPTION="Checking root ownership and 644 permissions on banner files : /etc/motd|issue|issue.net ."
PERMISSIONS='644'
USER='root'

1
bin/hardening/11.2_remove_os_info_warning_banners.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
DESCRIPTION="Remove OS information from Login Warning Banners."
FILES='/etc/motd /etc/issue /etc/issue.net'
PATTERN='(\\v|\\r|\\m|\\s)'

1
bin/hardening/11.3_graphical_warning_banners.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
DESCRIPTION="Set graphical warning banner."
# This function will be called if the script status is on enabled / audit mode
audit () {

1
bin/hardening/12.10_find_suid_files.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Find SUID system executables."
# This function will be called if the script status is on enabled / audit mode
audit () {

1
bin/hardening/12.11_find_sgid_files.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Find SGID system executables."
# This function will be called if the script status is on enabled / audit mode
audit () {

1
bin/hardening/12.1_etc_passwd_permissions.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
DESCRIPTION="Check permissions on /etc/passwd to 644."
FILE='/etc/passwd'
PERMISSIONS='644'

1
bin/hardening/12.2_etc_shadow_permissions.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
DESCRIPTION="Check permissions on /etc/shadow to 640."
FILE='/etc/shadow'
PERMISSIONS='640'

1
bin/hardening/12.3_etc_group_permissions.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
DESCRIPTION="Check permissions on /etc/group to 644."
FILE='/etc/group'
PERMISSIONS='644'

1
bin/hardening/12.4_etc_passwd_ownership.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
DESCRIPTION="Check user/group to root on /etc/passwd."
FILE='/etc/passwd'
USER='root'

1
bin/hardening/12.5_etc_shadow_ownership.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
DESCRIPTION="Check user/group to root on etc/shadow."
FILE='/etc/shadow'
USER='root'

1
bin/hardening/12.6_etc_group_ownership.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
DESCRIPTION="Check user/group to root on /etc/group."
FILE='/etc/group'
USER='root'

1
bin/hardening/12.7_find_world_writable_file.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
DESCRIPTION="Find world writable files."
# This function will be called if the script status is on enabled / audit mode
audit () {

1
bin/hardening/12.8_find_unowned_files.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Find un-owned files and directories."
USER='root'

1
bin/hardening/12.9_find_ungrouped_files.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Find un-grouped files and directories."
GROUP='root'

1
bin/hardening/13.10_find_user_rhosts_files.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="No user's .rhosts file."
ERRORS=0
FILENAME=".rhosts"

1
bin/hardening/13.11_find_passwd_group_inconsistencies.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="There is no group in /etc/passwd that is not in /etc/group."
ERRORS=0

1
bin/hardening/13.12_users_valid_homedir.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Users are assigned valid home directories."
ERRORS=0

1
bin/hardening/13.13_check_user_homedir_ownership.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Check user home directory ownership."
ERRORS=0

1
bin/hardening/13.14_check_duplicate_uid.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="There is no duplicate UIDs."
ERRORS=0

1
bin/hardening/13.15_check_duplicate_gid.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="There is no duplicate GIDs."
ERRORS=0

1
bin/hardening/13.16_check_duplicate_username.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
DESCRIPTION="There is no duplicate usernames."
ERRORS=0

1
bin/hardening/13.17_check_duplicate_groupname.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
DESCRIPTION="There is no duplicate group names."
ERRORS=0

1
bin/hardening/13.18_find_user_netrc_files.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="There is no user .netrc files."
ERRORS=0
FILENAME='.netrc'

1
bin/hardening/13.19_find_user_forward_files.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="There is no user .forward files."
ERRORS=0
FILENAME='.forward'

1
bin/hardening/13.1_remove_empty_password_field.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
DESCRIPTION="Ensure password fields are not empty in /etc/shadow."
FILE='/etc/shadow'

1
bin/hardening/13.20_shadow_group_empty.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
DESCRIPTION="There is no user in shadow group (that can read /etc/shadow file)."
ERRORS=0
FILEGROUP='/etc/group'

1
bin/hardening/13.2_remove_legacy_passwd_entries.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
DESCRIPTION="Verify no legacy + entries exist in /etc/password file."
FILE='/etc/passwd'
RESULT=''

1
bin/hardening/13.3_remove_legacy_shadow_entries.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
DESCRIPTION="Verify no legacy + entries exist in /etc/shadow file."
FILE='/etc/shadow'
RESULT=''

1
bin/hardening/13.4_remove_legacy_group_entries.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
DESCRIPTION="Verify no legacy + entries exist in /etc/group file."
FILE='/etc/group'
RESULT=''

1
bin/hardening/13.5_find_0_uid_non_root_account.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Verify root is the only UID 0 account."
FILE='/etc/passwd'
RESULT=''

1
bin/hardening/13.6_sanitize_root_path.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Ensure root path integrity."
ERRORS=0

1
bin/hardening/13.7_check_user_dir_perm.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Check permissions on user home directories."
ERRORS=0

1
bin/hardening/13.8_check_user_dot_file_perm.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Check user dot file permissions."
ERRORS=0

1
bin/hardening/13.9_set_perm_on_user_netrc.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Check user permissions on .netrc file."
PERMISSIONS="600"
ERRORS=0

1
bin/hardening/2.10_home_nodev.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="/home partition with nodev option."
# Quick factoring as many script use the same logic
PARTITION="/home"

1
bin/hardening/2.11_removable_device_nodev.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="nodev option for removable media partitions."
# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive

1
bin/hardening/2.12_removable_device_noexec.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="noexec option for removable media partitions."
# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive

1
bin/hardening/2.13_removable_device_nosuid.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="nosuid option for removable media partitions."
# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive

1
bin/hardening/2.14_run_shm_nodev.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="/run/shm with nodev option."
# Quick factoring as many script use the same logic
PARTITION="/run/shm"

1
bin/hardening/2.15_run_shm_nosuid.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="/run/shm with nosuid option."
# Quick factoring as many script use the same logic
PARTITION="/run/shm"

1
bin/hardening/2.16_run_shm_noexec.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
DESCRIPTION="/run/shm with noexec option."
# Quick factoring as many script use the same logic
PARTITION="/run/shm"

1
bin/hardening/2.17_sticky_bit_world_writable_folder.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them."
# This function will be called if the script status is on enabled / audit mode
audit () {

1
bin/hardening/2.18_disable_cramfs.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Disable mounting of cramfs filesystems."
KERNEL_OPTION="CONFIG_CRAMFS"
MODULE_NAME="cramfs"

1
bin/hardening/2.19_disable_freevxfs.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Disable mounting of freevxfs filesystems."
KERNEL_OPTION="CONFIG_VXFS_FS"
MODULE_NAME="freevxfs"

1
bin/hardening/2.1_tmp_partition.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
DESCRIPTION="/tmp on a separate partition."
# Quick factoring as many script use the same logic
PARTITION="/tmp"

1
bin/hardening/2.20_disable_jffs2.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Disable mounting of jffs2 filesystems."
KERNEL_OPTION="CONFIG_JFFS2_FS"
MODULE_NAME="jffs2"

1
bin/hardening/2.21_disable_hfs.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Disable mounting of hfs filesystems."
KERNEL_OPTION="CONFIG_HFS_FS"
MODULE_FILE="hfs"

1
bin/hardening/2.22_disable_hfsplus.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Disable mounting of hfsplus filesystems."
KERNEL_OPTION="CONFIG_HFSPLUS_FS"
MODULE_FILE="hfsplus"

1
bin/hardening/2.23_disable_squashfs.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Disable mounting of squashfs filesytems."
KERNEL_OPTION="CONFIG_SQUASHFS"
MODULE_FILE="squashfs"

1
bin/hardening/2.24_disable_udf.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Disable mounting of udf filesystems."
KERNEL_OPTION="CONFIG_UDF_FS"
MODULE_FILE="udf"

1
bin/hardening/2.25_disable_automounting.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Disable automounting of devices."
SERVICE_NAME="autofs"

1
bin/hardening/2.2_tmp_nodev.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="/tmp partition with nodev option."
# Quick factoring as many script use the same logic
PARTITION="/tmp"

1
bin/hardening/2.3_tmp_nosuid.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="/tmp partition with nosuid option."
# Quick factoring as many script use the same logic
PARTITION="/tmp"

1
bin/hardening/2.4_tmp_noexec.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
DESCRIPTION="/tmp partition with noexec option."
# Quick factoring as many script use the same logic
PARTITION="/tmp"

1
bin/hardening/2.5_var_partition.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
DESCRIPTION="/var on a separate partition."
# Quick factoring as many script use the same logic
PARTITION="/var"

1
bin/hardening/2.6.1_var_tmp_partition.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
DESCRIPTION="/var/tmp on a separate partition."
# Quick factoring as many script use the same logic
PARTITION="/var/tmp"

1
bin/hardening/2.6.2_var_tmp_nodev.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="/var/tmp partition with nodev option."
# Quick factoring as many script use the same logic
PARTITION="/var/tmp"

1
bin/hardening/2.6.3_var_tmp_nosuid.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="/var/tmp partition with nosuid option."
# Quick factoring as many script use the same logic
PARTITION="/var/tmp"

1
bin/hardening/2.6.4_var_tmp_noexec.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
DESCRIPTION="/var/tmp partition with noexec option."
# Quick factoring as many script use the same logic
PARTITION="/var/tmp"

1
bin/hardening/2.7_var_log_partition.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
DESCRIPTION="/var/log on separate partition."
# Quick factoring as many script use the same logic
PARTITION="/var/log"

1
bin/hardening/2.8_var_log_audit_partition.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=4
DESCRIPTION="/var/log/audit on a separate partition."
# Quick factoring as many script use the same logic
PARTITION="/var/log/audit"

1
bin/hardening/2.9_home_partition.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
DESCRIPTION="/home on a separate partition."
# Quick factoring as many script use the same logic
PARTITION="/home"

1
bin/hardening/3.1_bootloader_ownership.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
DESCRIPTION="User and group root owner of grub bootloader config."
# Assertion : Grub Based.

1
bin/hardening/3.2_bootloader_permissions.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
DESCRIPTION="Permissions for root only on grub bootloader config."
# Assertion : Grub Based.

1
bin/hardening/3.3_bootloader_password.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
DESCRIPTION="Setting bootloader password to secure boot parameters."
FILE='/boot/grub/grub.cfg'
USER_PATTERN="^set superusers"

1
bin/hardening/3.4_root_password.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
DESCRIPTION="Root password for single user mode."
FILE="/etc/shadow"
PATTERN="^root:[*\!]:"

1
bin/hardening/4.1_restrict_core_dumps.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Restrict core dumps."
LIMIT_FILE='/etc/security/limits.conf'
LIMIT_DIR='/etc/security/limits.d'

1
bin/hardening/4.2_enable_nx_support.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Enable NoExecute/ExecuteDisable to prevent buffer overflow attacks."
PATTERN='NX[[:space:]]\(Execute[[:space:]]Disable\)[[:space:]]protection:[[:space:]]active'

1
bin/hardening/4.3_enable_randomized_vm_placement.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Enable Randomized Virtual Memory Region Placement to prevent memory page exploits."
SYSCTL_PARAM='kernel.randomize_va_space'
SYSCTL_EXP_RESULT=2

1
bin/hardening/4.4_disable_prelink.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Disable prelink to prevent libraries compromission."
PACKAGE='prelink'

1
bin/hardening/4.5_enable_apparmor.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
DESCRIPTION="Activate AppArmor to enforce permissions control."
PACKAGE='apparmor'

1
bin/hardening/5.1.1_disable_nis.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
DESCRIPTION="Ensure that Network Information Service is not installed. Recommended alternative : LDAP."
PACKAGE='nis'

1
bin/hardening/5.1.2_disable_rsh.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Ensure rsh server is not enabled. Recommended alternative : sshd (openssh-server)."
# Based on aptitude search '~Prsh-server'
PACKAGES='rsh-server rsh-redone-server heimdal-servers'

1
bin/hardening/5.1.3_disable_rsh_client.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Ensure rsh client is not installed, Recommended alternative : ssh."
# Based on aptitude search '~Prsh-client', exluding ssh-client OFC
PACKAGES='rsh-client rsh-redone-client heimdal-clients'

1
bin/hardening/5.1.4_disable_talk.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Ensure talk server is not enabled."
PACKAGES='inetutils-talkd talkd'
FILE='/etc/inetd.conf'

1
bin/hardening/5.1.5_disable_talk_client.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Ensure talk client is not installed."
PACKAGES='talk inetutils-talk'

1
bin/hardening/5.1.6_disable_telnet_server.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Ensure telnet server is not enabled. Recommended alternative : sshd (OpenSSH-server)."
# Based on aptitude search '~Ptelnet-server'
PACKAGES='telnetd inetutils-telnetd telnetd-ssl krb5-telnetd heimdal-servers'

1
bin/hardening/5.1.7_disable_tftp_server.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Ensure tftp-server is not enabled."
PACKAGES='tftpd tftpd-hpa atftpd'
FILE='/etc/inetd.conf'

1
bin/hardening/5.1.8_disable_inetd.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
DESCRIPTION="Ensure xinetd is not enabled."
PACKAGES='openbsd-inetd xinetd rlinetd'

1
bin/hardening/5.2_disable_chargen.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Ensure chargen debugging network service is not enabled."
FILE='/etc/inetd.conf'
PATTERN='^chargen'

1
bin/hardening/5.3_disable_daytime.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Ensure daytime debugging network service is not enabled."
FILE='/etc/inetd.conf'
PATTERN='^daytime'

1
bin/hardening/5.4_disable_echo.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Ensure echo debugging network service is not enabled."
FILE='/etc/inetd.conf'
PATTERN='^echo'

1
bin/hardening/5.5_disable_discard.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Ensure discard debugging network service is not enabled."
FILE='/etc/inetd.conf'
PATTERN='^discard'

1
bin/hardening/5.6_disable_time.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
DESCRIPTION="Ensure time debugging network service is not enabled."
FILE='/etc/inetd.conf'
PATTERN='^time'

1
bin/hardening/6.10_disable_http_server.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
DESCRIPTION="Ensure HTTP server is not enabled."
HARDENING_EXCEPTION=http
# Based on aptitude search '~Phttpd'

1
bin/hardening/6.11_disable_imap_pop.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
DESCRIPTION="Ensure IMAP and POP servers are not enabled."
HARDENING_EXCEPTION=mail
# Based on aptitude search '~Pimap-server' and aptitude search '~Ppop3-server'

1
bin/hardening/6.12_disable_samba.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
DESCRIPTION="Ensure Samba is not enabled."
HARDENING_EXCEPTION=samba
PACKAGES='samba'

1
bin/hardening/6.13_disable_http_proxy.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
DESCRIPTION="Ensure HTTP-proxy is not enabled."
HARDENING_EXCEPTION=http
PACKAGES='squid3 squid'

1
bin/hardening/6.14_disable_snmp_server.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
DESCRIPTION="Enure SNMP server is not enabled."
HARDENING_EXCEPTION=snmp
PACKAGES='snmpd'

1
bin/hardening/6.15_mta_localhost.sh
View File

@ -12,6 +12,7 @@ set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
DESCRIPTION="Configure Mail Transfert Agent for Local-Only Mode."
HARDENING_EXCEPTION=mail
# This function will be called if the script status is on enabled / audit mode

Some files were not shown because too many files have changed in this diff Show More