mirror of
https://github.com/ovh/debian-cis.git
synced 2024-12-23 14:35:26 +01:00
8.1.4_record_date_time_edit.sh 8.1.5_record_user_group_edit.sh
This commit is contained in:
parent
47d017908d
commit
75e072f304
69
bin/hardening/8.1.4_record_date_time_edit.sh
Executable file
69
bin/hardening/8.1.4_record_date_time_edit.sh
Executable file
@ -0,0 +1,69 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
|
||||
#
|
||||
|
||||
#
|
||||
# 8.1.4 Record Events That Modify Date and Time Information (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
AUDIT_PARAMS='-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
|
||||
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
|
||||
-a always,exit -F arch=b64 -S clock_settime -k time-change
|
||||
-a always,exit -F arch=b32 -S clock_settime -k time-change
|
||||
-w /etc/localtime -p wa -k time-change'
|
||||
FILE='/etc/audit/audit.rules'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
IFS=$'\n'
|
||||
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
||||
debug "$AUDIT_VALUE must be in file $FILE"
|
||||
does_pattern_exists_in_file $FILE $AUDIT_VALUE
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$AUDIT_VALUE is not in file $FILE"
|
||||
else
|
||||
ok "$AUDIT_VALUE present in $FILE"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
IFS=$'\n'
|
||||
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
||||
debug "$AUDIT_VALUE must be in file $FILE"
|
||||
does_pattern_exists_in_file $FILE $AUDIT_VALUE
|
||||
if [ $FNRET != 0 ]; then
|
||||
warn "$AUDIT_VALUE is not in file $FILE, adding it"
|
||||
add_end_of_file $FILE $AUDIT_VALUE
|
||||
eval $(pkill -HUP -P 1 auditd)
|
||||
else
|
||||
ok "$AUDIT_VALUE present in $FILE"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
69
bin/hardening/8.1.5_record_user_group_edit.sh
Executable file
69
bin/hardening/8.1.5_record_user_group_edit.sh
Executable file
@ -0,0 +1,69 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
|
||||
#
|
||||
|
||||
#
|
||||
# 8.1.5 Record Events That Modify User/Group Information (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
AUDIT_PARAMS='-w /etc/group -p wa -k identity
|
||||
-w /etc/passwd -p wa -k identity
|
||||
-w /etc/gshadow -p wa -k identity
|
||||
-w /etc/shadow -p wa -k identity
|
||||
-w /etc/security/opasswd -p wa -k identity'
|
||||
FILE='/etc/audit/audit.rules'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
IFS=$'\n'
|
||||
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
||||
debug "$AUDIT_VALUE must be in file $FILE"
|
||||
does_pattern_exists_in_file $FILE $AUDIT_VALUE
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$AUDIT_VALUE is not in file $FILE"
|
||||
else
|
||||
ok "$AUDIT_VALUE present in $FILE"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
IFS=$'\n'
|
||||
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
||||
debug "$AUDIT_VALUE must be in file $FILE"
|
||||
does_pattern_exists_in_file $FILE $AUDIT_VALUE
|
||||
if [ $FNRET != 0 ]; then
|
||||
warn "$AUDIT_VALUE is not in file $FILE, adding it"
|
||||
add_end_of_file $FILE $AUDIT_VALUE
|
||||
eval $(pkill -HUP -P 1 auditd)
|
||||
else
|
||||
ok "$AUDIT_VALUE present in $FILE"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
2
etc/conf.d/8.1.4_record_date_time_edit.cfg
Normal file
2
etc/conf.d/8.1.4_record_date_time_edit.cfg
Normal file
@ -0,0 +1,2 @@
|
||||
# Configuration for script of same name
|
||||
status=enabled
|
2
etc/conf.d/8.1.5_record_user_group_edit.cfg
Normal file
2
etc/conf.d/8.1.5_record_user_group_edit.cfg
Normal file
@ -0,0 +1,2 @@
|
||||
# Configuration for script of same name
|
||||
status=enabled
|
@ -111,7 +111,8 @@ does_pattern_exists_in_file() {
|
||||
local PATTERN=$2
|
||||
|
||||
debug "Checking if $PATTERN is present in $FILE"
|
||||
if $(grep -qE "$PATTERN" $FILE); then
|
||||
debug "grep -qE -- '$PATTERN' $FILE"
|
||||
if $(grep -qE -- "$PATTERN" $FILE); then
|
||||
FNRET=0
|
||||
else
|
||||
FNRET=1
|
||||
|
Loading…
Reference in New Issue
Block a user