elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2024-11-22 13:37:02 +01:00
Code Issues Packages Projects Releases Wiki Activity

resolve #SOC-30 Also check /etc/security/limits.d/ for core dump limit

Browse Source
This commit is contained in:
Charles Herlin 2018-02-12 15:37:12 +01:00 committed by Kevin Tanguy
parent 51f589923d
commit 76abf8da36
1 changed files with 21 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
bin/hardening/4.1_restrict_core_dumps.sh
View File

@ -14,17 +14,33 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=2 HARDENING_LEVEL=2
LIMIT_FILE='/etc/security/limits.conf' LIMIT_FILE='/etc/security/limits.conf'
LIMIT_DIR='/etc/security/limits.d'
LIMIT_PATTERN='^\*[[:space:]]*hard[[:space:]]*core[[:space:]]*0$' LIMIT_PATTERN='^\*[[:space:]]*hard[[:space:]]*core[[:space:]]*0$'
SYSCTL_PARAM='fs.suid_dumpable' SYSCTL_PARAM='fs.suid_dumpable'
SYSCTL_EXP_RESULT=0 SYSCTL_EXP_RESULT=0
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN SEARCH_RES=0
if [ $FNRET != 0 ]; then LIMIT_FILES=""
crit "$LIMIT_PATTERN not present in $LIMIT_FILE" if $SUDO_CMD [ -d $LIMIT_DIR ]; then
else for file in $($SUDO_CMD ls $LIMIT_DIR/*.conf); do
ok "$LIMIT_PATTERN present in $LIMIT_FILE" LIMIT_FILES="$LIMIT_FILES $LIMIT_DIR/$file"
done
fi
debug "Files to search $LIMIT_FILE $LIMIT_FILES"
for file in $LIMIT_FILE $LIMIT_FILES; do
does_pattern_exist_in_file $file $LIMIT_PATTERN
if [ $FNRET != 0 ]; then
debug "$LIMIT_PATTERN not present in $file"
else
ok "$LIMIT_PATTERN present in $file"
SEARCH_RES=1
break
fi
done
if [ $SEARCH_RES = 0 ]; then
crit "$LIMIT_PATTERN is not present in $LIMIT_FILE $LIMIT_FILES"
fi fi
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then