From 7a3dc9ba87fa763deff37179771dd354a1e1060f Mon Sep 17 00:00:00 2001 From: "thibault.dewailly" Date: Mon, 11 Apr 2016 11:38:50 +0200 Subject: [PATCH] 3.2_bootloader_permissions.sh 3.3_bootloader_password.sh --- bin/hardening/3.2_bootloader_permissions.sh | 66 ++++++++++++++++++ bin/hardening/3.3_bootloader_password.sh | 76 +++++++++++++++++++++ etc/conf.d/3.1_bootloader_ownership.cfg | 2 +- etc/conf.d/3.2_bootloader_permissions.cfg | 2 + etc/conf.d/3.3_bootloader_password.cfg | 19 ++++++ lib/utils.sh | 26 ++++++- 6 files changed, 189 insertions(+), 2 deletions(-) create mode 100755 bin/hardening/3.2_bootloader_permissions.sh create mode 100755 bin/hardening/3.3_bootloader_password.sh create mode 100644 etc/conf.d/3.2_bootloader_permissions.cfg create mode 100644 etc/conf.d/3.3_bootloader_password.cfg diff --git a/bin/hardening/3.2_bootloader_permissions.sh b/bin/hardening/3.2_bootloader_permissions.sh new file mode 100755 index 0000000..1cadd62 --- /dev/null +++ b/bin/hardening/3.2_bootloader_permissions.sh @@ -0,0 +1,66 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 3.2 Set Permissions on bootloader config (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Assertion : Grub Based. + +FILE='/boot/grub/grub.cfg' +PERMISSIONS='400' + +# This function will be called if the script status is on enabled / audit mode +audit () { + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + crit "$FILE has not $PERMISSIONS permissions set" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + info "fixing $FILE permissions to $PERMISSIONS" + chmod 0$PERMISSIONS $FILE + fi +} + +# This function will check config parameters required +check_config() { + + is_pkg_installed "grub-pc" + if [ $FNRET != 0 ]; then + warn "grub-pc is not installed, not handling configuration" + exit 128 + fi + if [ $FNRET != 0 ]; then + crit "$FILE does not exist" + exit 128 + fi +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/3.3_bootloader_password.sh b/bin/hardening/3.3_bootloader_password.sh new file mode 100755 index 0000000..05a9ab0 --- /dev/null +++ b/bin/hardening/3.3_bootloader_password.sh @@ -0,0 +1,76 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 3.3 Set Boot Loader Password (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE='/boot/grub/grub.cfg' +USER_PATTERN="^set superusers" +PWD_PATTERN="^password_pbkdf2" + +# This function will be called if the script status is on enabled / audit mode +audit () { + does_pattern_exists_in_file $FILE "$USER_PATTERN" + if [ $FNRET != 0 ]; then + crit "$USER_PATTERN not present in $FILE" + else + ok "$USER_PATTERN is present in $FILE" + fi + does_pattern_exists_in_file $FILE "$PWD_PATTERN" + if [ $FNRET != 0 ]; then + crit "$PWD_PATTERN not present in $FILE" + else + ok "$PWD_PATTERN is present in $FILE" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_pattern_exists_in_file $FILE "$USER_PATTERN" + if [ $FNRET != 0 ]; then + warn "$USER_PATTERN not present in $FILE, please configure password for grub" + else + ok "$USER_PATTERN is present in $FILE" + fi + does_pattern_exists_in_file $FILE "$PWD_PATTERN" + if [ $FNRET != 0 ]; then + warn "$PWD_PATTERN not present in $FILE, please configure password for grub" + else + ok "$PWD_PATTERN is present in $FILE" + fi + : +} + +# This function will check config parameters required +check_config() { + is_pkg_installed "grub-pc" + if [ $FNRET != 0 ]; then + warn "grub-pc is not installed, not handling configuration" + exit 128 + fi + if [ $FNRET != 0 ]; then + crit "$FILE does not exist" + exit 128 + fi +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/etc/conf.d/3.1_bootloader_ownership.cfg b/etc/conf.d/3.1_bootloader_ownership.cfg index e1e4502..acee522 100644 --- a/etc/conf.d/3.1_bootloader_ownership.cfg +++ b/etc/conf.d/3.1_bootloader_ownership.cfg @@ -1,2 +1,2 @@ # Configuration for script of same name -status=enabled +status=disabled diff --git a/etc/conf.d/3.2_bootloader_permissions.cfg b/etc/conf.d/3.2_bootloader_permissions.cfg new file mode 100644 index 0000000..acee522 --- /dev/null +++ b/etc/conf.d/3.2_bootloader_permissions.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=disabled diff --git a/etc/conf.d/3.3_bootloader_password.cfg b/etc/conf.d/3.3_bootloader_password.cfg new file mode 100644 index 0000000..46413ba --- /dev/null +++ b/etc/conf.d/3.3_bootloader_password.cfg @@ -0,0 +1,19 @@ +# Configuration for script of same name +status=enabled + +###### Grub configuration example : +#~ # id +#uid=0(root) gid=0(root) groups=0(root) +#~ # ls /etc/grub.d/01_users -l +#-rwxr-xr-x 1 root root 390 Apr 11 11:04 /etc/grub.d/01_users +# +# ~ # cat /etc/grub.d/01_users +##!/bin/sh +# +## Grub password file +# +#cat << EOF +#set superusers="osp" +#password FOR_GRUB # this is a drity hack for chmod 400 by grub-mkconfig +#password_pbkdf2 osp grub.pbkdf2.sha512.10000.28AC55867740A5F1820853347EEFE3CCC67D19540BE8ACCE5E354A18DDD8D4A48AACC5F9FCAE08593B05D0E131568456F02A44F1D01C7E194635CE664410F885.07A8B0B957098D4A13B6CE77A62431945A98DCF20313AFAC86346957E6F67827B252F3BF395D82E8C25036AA89AE6BA13F946523FB02F6C3A605B3B312658D6E +#EOF diff --git a/lib/utils.sh b/lib/utils.sh index 7020e6a..ff38696 100644 --- a/lib/utils.sh +++ b/lib/utils.sh @@ -20,13 +20,37 @@ has_file_correct_ownership() { local USERID=$(id -u $USER) local GROUPID=$(id -u $GROUP) - if [ "$(stat -c "%u %g" /boot/grub/grub.cfg)" = "$USERID $GROUPID" ]; then + if [ "$(stat -c "%u %g" $1)" = "$USERID $GROUPID" ]; then FNRET=0 else FNRET=1 fi } +has_file_correct_permissions() { + local FILE=$1 + local PERMISSIONS=$2 + + if [ $(stat -L -c "%a" $1) = "$PERMISSIONS" ]; then + FNRET=0 + else + FNRET=1 + fi +} + +does_pattern_exists_in_file() { + local FILE=$1 + local PATTERN=$2 + + debug "Checking if $PATTERN is present in $FILE" + if $(grep -qE "$PATTERN" $FILE); then + FNRET=0 + else + FNRET=1 + fi + +} + # # User manipulation #