mirror of
https://github.com/ovh/debian-cis.git
synced 2024-11-23 05:55:38 +01:00
3.2_bootloader_permissions.sh 3.3_bootloader_password.sh
This commit is contained in:
parent
ce76538f64
commit
7a3dc9ba87
66
bin/hardening/3.2_bootloader_permissions.sh
Executable file
66
bin/hardening/3.2_bootloader_permissions.sh
Executable file
@ -0,0 +1,66 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 3.2 Set Permissions on bootloader config (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
# Assertion : Grub Based.
|
||||||
|
|
||||||
|
FILE='/boot/grub/grub.cfg'
|
||||||
|
PERMISSIONS='400'
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
has_file_correct_permissions $FILE $PERMISSIONS
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$FILE has correct permissions"
|
||||||
|
else
|
||||||
|
crit "$FILE has not $PERMISSIONS permissions set"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
has_file_correct_permissions $FILE $PERMISSIONS
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$FILE has correct permissions"
|
||||||
|
else
|
||||||
|
info "fixing $FILE permissions to $PERMISSIONS"
|
||||||
|
chmod 0$PERMISSIONS $FILE
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
|
||||||
|
is_pkg_installed "grub-pc"
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
warn "grub-pc is not installed, not handling configuration"
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
crit "$FILE does not exist"
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||||
|
exit 128
|
||||||
|
else
|
||||||
|
. /etc/default/cis-hardenning
|
||||||
|
if [ -z $CIS_ROOT_DIR ]; then
|
||||||
|
echo "No CIS_ROOT_DIR variable, aborting"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
76
bin/hardening/3.3_bootloader_password.sh
Executable file
76
bin/hardening/3.3_bootloader_password.sh
Executable file
@ -0,0 +1,76 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7 Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 3.3 Set Boot Loader Password (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
FILE='/boot/grub/grub.cfg'
|
||||||
|
USER_PATTERN="^set superusers"
|
||||||
|
PWD_PATTERN="^password_pbkdf2"
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
does_pattern_exists_in_file $FILE "$USER_PATTERN"
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
crit "$USER_PATTERN not present in $FILE"
|
||||||
|
else
|
||||||
|
ok "$USER_PATTERN is present in $FILE"
|
||||||
|
fi
|
||||||
|
does_pattern_exists_in_file $FILE "$PWD_PATTERN"
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
crit "$PWD_PATTERN not present in $FILE"
|
||||||
|
else
|
||||||
|
ok "$PWD_PATTERN is present in $FILE"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
does_pattern_exists_in_file $FILE "$USER_PATTERN"
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
warn "$USER_PATTERN not present in $FILE, please configure password for grub"
|
||||||
|
else
|
||||||
|
ok "$USER_PATTERN is present in $FILE"
|
||||||
|
fi
|
||||||
|
does_pattern_exists_in_file $FILE "$PWD_PATTERN"
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
warn "$PWD_PATTERN not present in $FILE, please configure password for grub"
|
||||||
|
else
|
||||||
|
ok "$PWD_PATTERN is present in $FILE"
|
||||||
|
fi
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
is_pkg_installed "grub-pc"
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
warn "grub-pc is not installed, not handling configuration"
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
crit "$FILE does not exist"
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||||
|
exit 128
|
||||||
|
else
|
||||||
|
. /etc/default/cis-hardenning
|
||||||
|
if [ -z $CIS_ROOT_DIR ]; then
|
||||||
|
echo "No CIS_ROOT_DIR variable, aborting"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
@ -1,2 +1,2 @@
|
|||||||
# Configuration for script of same name
|
# Configuration for script of same name
|
||||||
status=enabled
|
status=disabled
|
||||||
|
2
etc/conf.d/3.2_bootloader_permissions.cfg
Normal file
2
etc/conf.d/3.2_bootloader_permissions.cfg
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
# Configuration for script of same name
|
||||||
|
status=disabled
|
19
etc/conf.d/3.3_bootloader_password.cfg
Normal file
19
etc/conf.d/3.3_bootloader_password.cfg
Normal file
@ -0,0 +1,19 @@
|
|||||||
|
# Configuration for script of same name
|
||||||
|
status=enabled
|
||||||
|
|
||||||
|
###### Grub configuration example :
|
||||||
|
#~ # id
|
||||||
|
#uid=0(root) gid=0(root) groups=0(root)
|
||||||
|
#~ # ls /etc/grub.d/01_users -l
|
||||||
|
#-rwxr-xr-x 1 root root 390 Apr 11 11:04 /etc/grub.d/01_users
|
||||||
|
#
|
||||||
|
# ~ # cat /etc/grub.d/01_users
|
||||||
|
##!/bin/sh
|
||||||
|
#
|
||||||
|
## Grub password file
|
||||||
|
#
|
||||||
|
#cat << EOF
|
||||||
|
#set superusers="osp"
|
||||||
|
#password FOR_GRUB # this is a drity hack for chmod 400 by grub-mkconfig
|
||||||
|
#password_pbkdf2 osp grub.pbkdf2.sha512.10000.28AC55867740A5F1820853347EEFE3CCC67D19540BE8ACCE5E354A18DDD8D4A48AACC5F9FCAE08593B05D0E131568456F02A44F1D01C7E194635CE664410F885.07A8B0B957098D4A13B6CE77A62431945A98DCF20313AFAC86346957E6F67827B252F3BF395D82E8C25036AA89AE6BA13F946523FB02F6C3A605B3B312658D6E
|
||||||
|
#EOF
|
26
lib/utils.sh
26
lib/utils.sh
@ -20,13 +20,37 @@ has_file_correct_ownership() {
|
|||||||
local USERID=$(id -u $USER)
|
local USERID=$(id -u $USER)
|
||||||
local GROUPID=$(id -u $GROUP)
|
local GROUPID=$(id -u $GROUP)
|
||||||
|
|
||||||
if [ "$(stat -c "%u %g" /boot/grub/grub.cfg)" = "$USERID $GROUPID" ]; then
|
if [ "$(stat -c "%u %g" $1)" = "$USERID $GROUPID" ]; then
|
||||||
FNRET=0
|
FNRET=0
|
||||||
else
|
else
|
||||||
FNRET=1
|
FNRET=1
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
has_file_correct_permissions() {
|
||||||
|
local FILE=$1
|
||||||
|
local PERMISSIONS=$2
|
||||||
|
|
||||||
|
if [ $(stat -L -c "%a" $1) = "$PERMISSIONS" ]; then
|
||||||
|
FNRET=0
|
||||||
|
else
|
||||||
|
FNRET=1
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
does_pattern_exists_in_file() {
|
||||||
|
local FILE=$1
|
||||||
|
local PATTERN=$2
|
||||||
|
|
||||||
|
debug "Checking if $PATTERN is present in $FILE"
|
||||||
|
if $(grep -qE "$PATTERN" $FILE); then
|
||||||
|
FNRET=0
|
||||||
|
else
|
||||||
|
FNRET=1
|
||||||
|
fi
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# User manipulation
|
# User manipulation
|
||||||
#
|
#
|
||||||
|
Loading…
Reference in New Issue
Block a user