3.2_bootloader_permissions.sh 3.3_bootloader_password.sh

This commit is contained in:
thibault.dewailly 2016-04-11 11:38:50 +02:00
parent ce76538f64
commit 7a3dc9ba87
6 changed files with 189 additions and 2 deletions

View File

@ -0,0 +1,66 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 3.2 Set Permissions on bootloader config (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# Assertion : Grub Based.
FILE='/boot/grub/grub.cfg'
PERMISSIONS='400'
# This function will be called if the script status is on enabled / audit mode
audit () {
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE has not $PERMISSIONS permissions set"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0$PERMISSIONS $FILE
fi
}
# This function will check config parameters required
check_config() {
is_pkg_installed "grub-pc"
if [ $FNRET != 0 ]; then
warn "grub-pc is not installed, not handling configuration"
exit 128
fi
if [ $FNRET != 0 ]; then
crit "$FILE does not exist"
exit 128
fi
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

View File

@ -0,0 +1,76 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 3.3 Set Boot Loader Password (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
FILE='/boot/grub/grub.cfg'
USER_PATTERN="^set superusers"
PWD_PATTERN="^password_pbkdf2"
# This function will be called if the script status is on enabled / audit mode
audit () {
does_pattern_exists_in_file $FILE "$USER_PATTERN"
if [ $FNRET != 0 ]; then
crit "$USER_PATTERN not present in $FILE"
else
ok "$USER_PATTERN is present in $FILE"
fi
does_pattern_exists_in_file $FILE "$PWD_PATTERN"
if [ $FNRET != 0 ]; then
crit "$PWD_PATTERN not present in $FILE"
else
ok "$PWD_PATTERN is present in $FILE"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_pattern_exists_in_file $FILE "$USER_PATTERN"
if [ $FNRET != 0 ]; then
warn "$USER_PATTERN not present in $FILE, please configure password for grub"
else
ok "$USER_PATTERN is present in $FILE"
fi
does_pattern_exists_in_file $FILE "$PWD_PATTERN"
if [ $FNRET != 0 ]; then
warn "$PWD_PATTERN not present in $FILE, please configure password for grub"
else
ok "$PWD_PATTERN is present in $FILE"
fi
:
}
# This function will check config parameters required
check_config() {
is_pkg_installed "grub-pc"
if [ $FNRET != 0 ]; then
warn "grub-pc is not installed, not handling configuration"
exit 128
fi
if [ $FNRET != 0 ]; then
crit "$FILE does not exist"
exit 128
fi
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

View File

@ -1,2 +1,2 @@
# Configuration for script of same name
status=enabled
status=disabled

View File

@ -0,0 +1,2 @@
# Configuration for script of same name
status=disabled

View File

@ -0,0 +1,19 @@
# Configuration for script of same name
status=enabled
###### Grub configuration example :
#~ # id
#uid=0(root) gid=0(root) groups=0(root)
#~ # ls /etc/grub.d/01_users -l
#-rwxr-xr-x 1 root root 390 Apr 11 11:04 /etc/grub.d/01_users
#
# ~ # cat /etc/grub.d/01_users
##!/bin/sh
#
## Grub password file
#
#cat << EOF
#set superusers="osp"
#password FOR_GRUB # this is a drity hack for chmod 400 by grub-mkconfig
#password_pbkdf2 osp grub.pbkdf2.sha512.10000.28AC55867740A5F1820853347EEFE3CCC67D19540BE8ACCE5E354A18DDD8D4A48AACC5F9FCAE08593B05D0E131568456F02A44F1D01C7E194635CE664410F885.07A8B0B957098D4A13B6CE77A62431945A98DCF20313AFAC86346957E6F67827B252F3BF395D82E8C25036AA89AE6BA13F946523FB02F6C3A605B3B312658D6E
#EOF

View File

@ -20,13 +20,37 @@ has_file_correct_ownership() {
local USERID=$(id -u $USER)
local GROUPID=$(id -u $GROUP)
if [ "$(stat -c "%u %g" /boot/grub/grub.cfg)" = "$USERID $GROUPID" ]; then
if [ "$(stat -c "%u %g" $1)" = "$USERID $GROUPID" ]; then
FNRET=0
else
FNRET=1
fi
}
has_file_correct_permissions() {
local FILE=$1
local PERMISSIONS=$2
if [ $(stat -L -c "%a" $1) = "$PERMISSIONS" ]; then
FNRET=0
else
FNRET=1
fi
}
does_pattern_exists_in_file() {
local FILE=$1
local PATTERN=$2
debug "Checking if $PATTERN is present in $FILE"
if $(grep -qE "$PATTERN" $FILE); then
FNRET=0
else
FNRET=1
fi
}
#
# User manipulation
#