diff --git a/bin/hardening/1.1.1.7_restrict_fat.sh b/bin/hardening/1.1.1.7_restrict_fat.sh
new file mode 100755
index 0000000..0c74c93
--- /dev/null
+++ b/bin/hardening/1.1.1.7_restrict_fat.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.1.1.7 Ensure mounting of FAT filesystem is limited (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Limit mounting of FAT filesystems."
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ :
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ :
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ # shellcheck source=../../debian/default
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+ # shellcheck source=../../lib/main.sh
+ . "$CIS_ROOT_DIR"/lib/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/bin/hardening/1.1.23_disable_usb_storage.sh b/bin/hardening/1.1.23_disable_usb_storage.sh
new file mode 100755
index 0000000..b139f17
--- /dev/null
+++ b/bin/hardening/1.1.23_disable_usb_storage.sh
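Review bot: `audit`, `apply` and `check_config` are all `:` no-ops, so in audit mode this script performs no check at all and, as far as this file shows, finishes successfully for a control it has not verified — a reader of the harness output cannot tell a checked item from an unimplemented one (how lib/main.sh reports a no-op audit is not visible here). Each stub body should say so until the real logic lands, e.g. `# TODO: not implemented — performs no check; do not read a clean run as compliance`. Separately, `if [ -z "$CIS_ROOT_DIR" ]; then` runs under `set -u`, so when /etc/default/cis-hardening is absent and the variable is unset bash aborts with an unbound-variable error before the friendly message on the next line is ever printed; `if [ -z "${CIS_ROOT_DIR:-}" ]; then` keeps the message reachable. Both points apply identically to every other new bin/hardening stub in this commit (1.1.23, 1.7.1.1, 1.7.1.3, 1.7.1.4, 2.2.1.2, 2.2.17, 4.1.1.1, 4.1.1.4, 4.2.2.1, 4.2.2.2, 4.2.2.3, 4.4, 5.2.20 through 5.2.23, 5.4.1.5 and 5.4.5).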
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.1.23 Disable USB storage (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Disable USB storage."
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ :
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ :
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ # shellcheck source=../../debian/default
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+ # shellcheck source=../../lib/main.sh
+ . "$CIS_ROOT_DIR"/lib/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/bin/hardening/1.7.1.1_install_apparmor.sh b/bin/hardening/1.7.1.1_install_apparmor.sh
new file mode 100755
index 0000000..33fcea7
--- /dev/null
+++ b/bin/hardening/1.7.1.1_install_apparmor.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.7.1.1 Ensure AppArmor is installed (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Install AppArmor."
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ :
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ :
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ # shellcheck source=../../debian/default
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+ # shellcheck source=../../lib/main.sh
+ . "$CIS_ROOT_DIR"/lib/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh b/bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh
new file mode 100755
index 0000000..d507013
--- /dev/null
+++ b/bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.7.1.3 Ensure all AppArmor profiles are in enforce or complain mode (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Enforce or complain AppArmor profiles."
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ :
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ :
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ # shellcheck source=../../debian/default
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+ # shellcheck source=../../lib/main.sh
+ . "$CIS_ROOT_DIR"/lib/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/bin/hardening/1.7.1.4_enforcing_apparmor.sh b/bin/hardening/1.7.1.4_enforcing_apparmor.sh
new file mode 100755
index 0000000..1cc664c
--- /dev/null
+++ b/bin/hardening/1.7.1.4_enforcing_apparmor.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.7.1.4 Ensure all AppArmor profiles are enforcing (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Enforce Apparmor profiles."
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ :
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ :
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ # shellcheck source=../../debian/default
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+ # shellcheck source=../../lib/main.sh
+ . "$CIS_ROOT_DIR"/lib/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/bin/hardening/2.2.1.2_configure_systemd-timesyncd.sh b/bin/hardening/2.2.1.2_configure_systemd-timesyncd.sh
new file mode 100755
index 0000000..ee5f95e
--- /dev/null
+++ b/bin/hardening/2.2.1.2_configure_systemd-timesyncd.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 2.2.1.2 Ensure systemd-timesyncd is configured (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Configure systemd-timesyncd."
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ :
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ :
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ # shellcheck source=../../debian/default
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+ # shellcheck source=../../lib/main.sh
+ . "$CIS_ROOT_DIR"/lib/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/bin/hardening/2.2.17_disable_nis.sh b/bin/hardening/2.2.17_disable_nis.sh
new file mode 100755
index 0000000..c9e76bd
--- /dev/null
+++ b/bin/hardening/2.2.17_disable_nis.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 2.2.17 Ensure NIS Server is not enabled (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Disable NIS Server."
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+ :
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+ :
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ # shellcheck source=../../debian/default
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+ # shellcheck source=../../lib/main.sh
+ . "$CIS_ROOT_DIR"/lib/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/bin/hardening/4.1.1.1_install_auditd.sh b/bin/hardening/4.1.1.1_install_auditd.sh
new file mode 100755
index 0000000..d6e9b75
--- /dev/null
+++ b/bin/hardening/4.1.1.1_install_auditd.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 4.1.1.1 Ensure auditing is installed (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=4
+# shellcheck disable=2034
+DESCRIPTION="Install auditd."
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ :
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ :
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ # shellcheck source=../../debian/default
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+ # shellcheck source=../../lib/main.sh
+ . "$CIS_ROOT_DIR"/lib/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/bin/hardening/4.1.1.4_audit_backlog_limit.sh b/bin/hardening/4.1.1.4_audit_backlog_limit.sh
new file mode 100755
index 0000000..8e93d96
--- /dev/null
+++ b/bin/hardening/4.1.1.4_audit_backlog_limit.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 4.1.1.4 Ensure audit_backlog_limit is sufficient (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=4
+# shellcheck disable=2034
+DESCRIPTION="Configure audit_backlog_limit to be sufficient."
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ :
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ :
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ # shellcheck source=../../debian/default
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+ # shellcheck source=../../lib/main.sh
+ . "$CIS_ROOT_DIR"/lib/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/bin/hardening/4.2.2.1_journald_logs.sh b/bin/hardening/4.2.2.1_journald_logs.sh
new file mode 100755
index 0000000..9df70b5
--- /dev/null
+++ b/bin/hardening/4.2.2.1_journald_logs.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 4.2.2.1 Ensure journald is configured to send logs to syslog-ng (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Configure journald to send logs to syslog-ng."
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ :
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ :
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ # shellcheck source=../../debian/default
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+ # shellcheck source=../../lib/main.sh
+ . "$CIS_ROOT_DIR"/lib/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/bin/hardening/4.2.2.2_journald_compress.sh b/bin/hardening/4.2.2.2_journald_compress.sh
new file mode 100755
index 0000000..c5f4510
--- /dev/null
+++ b/bin/hardening/4.2.2.2_journald_compress.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 4.2.2.2 Ensure journald is configured to compress large files (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Configure journald to send logs to syslog-ng."
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ :
+}
+rsyslog
+# This function will be called if the script status is on enabled mode
+apply () {
+ :
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ # shellcheck source=../../debian/default
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+ # shellcheck source=../../lib/main.sh
+ . "$CIS_ROOT_DIR"/lib/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/bin/hardening/4.2.2.3_journald_write_persistent.sh b/bin/hardening/4.2.2.3_journald_write_persistent.sh
new file mode 100755
index 0000000..66941e7
--- /dev/null
+++ b/bin/hardening/4.2.2.3_journald_write_persistent.sh
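Review bot: The bare `rsyslog` line between `audit` and `apply` is a stray top-level command, not a comment: bash will try to execute a program named rsyslog every time the script runs, and under `set -e` a missing binary aborts the script with status 127 before `lib/main.sh` is ever sourced. It appears to have replaced the blank line the other stubs have at that spot (the hunk still totals 53 lines), so the fix is simply to delete it. The `DESCRIPTION` string, "Configure journald to send logs to syslog-ng.", is copied from 4.2.2.1 and contradicts this file's own header "Ensure journald is configured to compress large files"; `DESCRIPTION="Configure journald to compress large files."` matches the control.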
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 4.2.2.3 Ensure journald is configured to write logfiles to persistent disk (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Configure journald to write to a persistent location."
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ :
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ :
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ # shellcheck source=../../debian/default
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+ # shellcheck source=../../lib/main.sh
+ . "$CIS_ROOT_DIR"/lib/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/bin/hardening/4.4_logrotate_permissions.sh b/bin/hardening/4.4_logrotate_permissions.sh
new file mode 100755
index 0000000..ab712fa
--- /dev/null
+++ b/bin/hardening/4.4_logrotate_permissions.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 4.4 Ensure logrotate assigns approriate permissions (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Configure logrotate to assign appropriate permissions."
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ :
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ :
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ # shellcheck source=../../debian/default
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+ # shellcheck source=../../lib/main.sh
+ . "$CIS_ROOT_DIR"/lib/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/bin/hardening/5.2.20_enable_ssh_pam.sh b/bin/hardening/5.2.20_enable_ssh_pam.sh
new file mode 100755
index 0000000..080e0a2
--- /dev/null
+++ b/bin/hardening/5.2.20_enable_ssh_pam.sh
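Review bot: The header comment misspells "appropriate" as `approriate`; `# 4.4 Ensure logrotate assigns appropriate permissions (Scored)` matches the DESCRIPTION a few lines below and the CIS title it is copied from. The same kind of slip is in two other new stubs in this commit: 5.2.22's `DESCRIPTION="Configure SSHMaxStartups."` runs the words together (`DESCRIPTION="Configure SSH MaxStartups."`, as its header spells it), and 5.4.1.5's DESCRIPTION has `paswword` for "password". The DESCRIPTION strings are presumably what the harness shows to operators, so they are worth getting right before the stubs are filled in.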
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 5.2.20 Ensure SSH PAM is enabled (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Enable SSH PAM."
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ :
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ :
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ # shellcheck source=../../debian/default
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+ # shellcheck source=../../lib/main.sh
+ . "$CIS_ROOT_DIR"/lib/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/bin/hardening/5.2.21_disable_ssh_allow_tcp_forwarding.sh b/bin/hardening/5.2.21_disable_ssh_allow_tcp_forwarding.sh
new file mode 100755
index 0000000..24d9742
--- /dev/null
+++ b/bin/hardening/5.2.21_disable_ssh_allow_tcp_forwarding.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 5.2.21 Ensure SSH AllowTCPForwarding is disabled (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Disable SSH AllowTCPForwarding."
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ :
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ :
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ # shellcheck source=../../debian/default
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+ # shellcheck source=../../lib/main.sh
+ . "$CIS_ROOT_DIR"/lib/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/bin/hardening/5.2.22_configure_ssh_max_startups.sh b/bin/hardening/5.2.22_configure_ssh_max_startups.sh
new file mode 100755
index 0000000..f1d58cd
--- /dev/null
+++ b/bin/hardening/5.2.22_configure_ssh_max_startups.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 5.2.22 Ensure SSH MaxStartups is configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Configure SSHMaxStartups."
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ :
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ :
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ # shellcheck source=../../debian/default
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+ # shellcheck source=../../lib/main.sh
+ . "$CIS_ROOT_DIR"/lib/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/bin/hardening/5.2.23_limit_ssh_max_sessions.sh b/bin/hardening/5.2.23_limit_ssh_max_sessions.sh
new file mode 100755
index 0000000..f1f6f6e
--- /dev/null
+++ b/bin/hardening/5.2.23_limit_ssh_max_sessions.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 5.2.23 Ensure SSH MaxSessions is limited (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Limit SSH MaxSessions."
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ :
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ :
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ # shellcheck source=../../debian/default
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+ # shellcheck source=../../lib/main.sh
+ . "$CIS_ROOT_DIR"/lib/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/bin/hardening/5.3.4_acc_pam_sha512.sh b/bin/hardening/5.3.4_acc_pam_sha512.sh
index c7e31f2..0752b6a 100755
--- a/bin/hardening/5.3.4_acc_pam_sha512.sh
+++ b/bin/hardening/5.3.4_acc_pam_sha512.sh
@@ -12,9 +12,12 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 +HARDENING_LEVEL=2 # shellcheck disable=2034 DESCRIPTION="Check that any password that may exist in /etc/shadow is SHA512 hashed and salted" + CONF_FILE="/etc/pam.d/common-password" CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*sha512"
diff --git a/bin/hardening/5.4.1.5_last_password_change_past.sh b/bin/hardening/5.4.1.5_last_password_change_past.sh
new file mode 100755
index 0000000..81289ee
--- /dev/null
+++ b/bin/hardening/5.4.1.5_last_password_change_past.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 5.4.1.5 Ensure all users last password change date is in the past (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Check that user last paswword change date is in the past."
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ :
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ :
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ # shellcheck source=../../debian/default
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+ # shellcheck source=../../lib/main.sh
+ . "$CIS_ROOT_DIR"/lib/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/bin/hardening/5.4.5_default_timeout.sh b/bin/hardening/5.4.5_default_timeout.sh
new file mode 100755
index 0000000..dbec816
--- /dev/null
+++ b/bin/hardening/5.4.5_default_timeout.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 5.4.5 Ensure default user shell timeout is 900 seconds or less (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Configure the default user shell timeout."
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ :
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ :
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ # shellcheck source=../../debian/default
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+ # shellcheck source=../../lib/main.sh
+ . "$CIS_ROOT_DIR"/lib/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/tests/hardening/1.1.1.7_restrict_fat.sh b/tests/hardening/1.1.1.7_restrict_fat.sh
new file mode 100644
index 0000000..e342a1f
--- /dev/null
+++ b/tests/hardening/1.1.1.7_restrict_fat.sh
@@ -0,0 +1,20 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+ if [ -f "/.dockerenv" ]; then
+ skip "SKIPPED on docker"
+ else
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+ fi
+
+ ##################################################################
+ # For this test, we only check that it runs properly on a blank #
+ # host, and we check root/sudo consistency. But, we don't test #
+ # the apply function because it can't be automated or it is very #
+ # long to test and not very useful. #
+ ##################################################################
+}
\ No newline at end of file
diff --git a/tests/hardening/1.1.23_disable_usb_storage.sh b/tests/hardening/1.1.23_disable_usb_storage.sh
new file mode 100644
index 0000000..dd89e0f
--- /dev/null
+++ b/tests/hardening/1.1.23_disable_usb_storage.sh
@@ -0,0 +1,16 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ ##################################################################
+ # For this test, we only check that it runs properly on a blank #
+ # host, and we check root/sudo consistency. But, we don't test #
+ # the apply function because it can't be automated or it is very #
+ # long to test and not very useful. #
+ ##################################################################
+}
\ No newline at end of file
diff --git a/tests/hardening/1.7.1.1_install_apparmor.sh b/tests/hardening/1.7.1.1_install_apparmor.sh
new file mode 100644
index 0000000..837cad0
--- /dev/null
+++ b/tests/hardening/1.7.1.1_install_apparmor.sh
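Review bot: `register_test retvalshouldbe 0` against a script whose `audit` is a `:` no-op cannot fail, so these test files currently pin nothing beyond "the stub parses and reaches main.sh", and once real audit logic lands the blank-host expectation may no longer hold for a Scored check; each file should carry a reminder such as `# TODO: audit is a stub; revisit the expected retval once the check is implemented` (the 11-line files on L21–L22 have a bare TODO, the two 1.1.x files here have none). The docker skip in 1.1.1.7's test but not in 1.1.23's looks like an anticipation of the eventual module check rather than anything the current no-op needs; a one-line comment saying why would save the next reader the guess. Most of these files also end without a trailing newline (`\ No newline at end of file`), which is inconsistent with the 2.2.17 and 4.1.1.4 test files in the same commit and which shfmt would normalize.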
@@ -0,0 +1,11 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ # TODO fill comprehensive tests
+}
\ No newline at end of file
diff --git a/tests/hardening/1.7.1.3_enforce_or_complain_apparmor.sh b/tests/hardening/1.7.1.3_enforce_or_complain_apparmor.sh
new file mode 100644
index 0000000..837cad0
--- /dev/null
+++ b/tests/hardening/1.7.1.3_enforce_or_complain_apparmor.sh
@@ -0,0 +1,11 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ # TODO fill comprehensive tests
+}
\ No newline at end of file
diff --git a/tests/hardening/1.7.1.4_enforcing_apparmor.sh b/tests/hardening/1.7.1.4_enforcing_apparmor.sh
new file mode 100644
index 0000000..837cad0
--- /dev/null
+++ b/tests/hardening/1.7.1.4_enforcing_apparmor.sh
@@ -0,0 +1,11 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ # TODO fill comprehensive tests
+}
\ No newline at end of file
diff --git a/tests/hardening/2.2.1.2_configure_systemd-timesyncd.sh b/tests/hardening/2.2.1.2_configure_systemd-timesyncd.sh
new file mode 100644
index 0000000..837cad0
--- /dev/null
+++ b/tests/hardening/2.2.1.2_configure_systemd-timesyncd.sh
@@ -0,0 +1,11 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ # TODO fill comprehensive tests
+}
\ No newline at end of file
diff --git a/tests/hardening/2.2.17_disable_nis.sh b/tests/hardening/2.2.17_disable_nis.sh
new file mode 100644
index 0000000..f85b20d
--- /dev/null
+++ b/tests/hardening/2.2.17_disable_nis.sh
@@ -0,0 +1,11 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ # TODO fill comprehensive tests
+}
diff --git a/tests/hardening/4.1.1.1_install_auditd.sh b/tests/hardening/4.1.1.1_install_auditd.sh
new file mode 100644
index 0000000..837cad0
--- /dev/null
+++ b/tests/hardening/4.1.1.1_install_auditd.sh
@@ -0,0 +1,11 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ # TODO fill comprehensive tests
+}
\ No newline at end of file
diff --git a/tests/hardening/4.1.1.4_audit_backlog_limit.sh b/tests/hardening/4.1.1.4_audit_backlog_limit.sh
new file mode 100644
index 0000000..f85b20d
--- /dev/null
+++ b/tests/hardening/4.1.1.4_audit_backlog_limit.sh
@@ -0,0 +1,11 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ # TODO fill comprehensive tests
+}
diff --git a/tests/hardening/4.2.2.1_journald_logs.sh b/tests/hardening/4.2.2.1_journald_logs.sh
new file mode 100644
index 0000000..837cad0
--- /dev/null
+++ b/tests/hardening/4.2.2.1_journald_logs.sh
@@ -0,0 +1,11 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ # TODO fill comprehensive tests
+}
\ No newline at end of file
diff --git a/tests/hardening/4.2.2.2_journald_compress.sh b/tests/hardening/4.2.2.2_journald_compress.sh
new file mode 100644
index 0000000..837cad0
--- /dev/null
+++ b/tests/hardening/4.2.2.2_journald_compress.sh
@@ -0,0 +1,11 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ # TODO fill comprehensive tests
+}
\ No newline at end of file
diff --git a/tests/hardening/4.2.2.3_journald_write_persistent.sh b/tests/hardening/4.2.2.3_journald_write_persistent.sh
new file mode 100644
index 0000000..837cad0
--- /dev/null
+++ b/tests/hardening/4.2.2.3_journald_write_persistent.sh
@@ -0,0 +1,11 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ # TODO fill comprehensive tests
+}
\ No newline at end of file
diff --git a/tests/hardening/4.4_logrotate_permissions.sh b/tests/hardening/4.4_logrotate_permissions.sh
new file mode 100644
index 0000000..837cad0
--- /dev/null
+++ b/tests/hardening/4.4_logrotate_permissions.sh
@@ -0,0 +1,11 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ # TODO fill comprehensive tests
+}
\ No newline at end of file
diff --git a/tests/hardening/5.2.20_enable_ssh_pam.sh b/tests/hardening/5.2.20_enable_ssh_pam.sh
new file mode 100644
index 0000000..837cad0
--- /dev/null
+++ b/tests/hardening/5.2.20_enable_ssh_pam.sh
@@ -0,0 +1,11 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ # TODO fill comprehensive tests
+}
\ No newline at end of file
diff --git a/tests/hardening/5.2.21_disable_ssh_allow_tcp_forwarding.sh b/tests/hardening/5.2.21_disable_ssh_allow_tcp_forwarding.sh
new file mode 100644
index 0000000..837cad0
--- /dev/null
+++ b/tests/hardening/5.2.21_disable_ssh_allow_tcp_forwarding.sh
@@ -0,0 +1,11 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ # TODO fill comprehensive tests
+}
\ No newline at end of file
diff --git a/tests/hardening/5.2.22_configure_ssh_max_startups.sh b/tests/hardening/5.2.22_configure_ssh_max_startups.sh
new file mode 100644
index 0000000..837cad0
--- /dev/null
+++ b/tests/hardening/5.2.22_configure_ssh_max_startups.sh
@@ -0,0 +1,11 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ # TODO fill comprehensive tests
+}
\ No newline at end of file
diff --git a/tests/hardening/5.2.23_limit_ssh_max_sessions.sh b/tests/hardening/5.2.23_limit_ssh_max_sessions.sh
new file mode 100644
index 0000000..837cad0
--- /dev/null
+++ b/tests/hardening/5.2.23_limit_ssh_max_sessions.sh
@@ -0,0 +1,11 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ # TODO fill comprehensive tests
+}
\ No newline at end of file
diff --git a/tests/hardening/5.4.1.5_last_password_change_past.sh b/tests/hardening/5.4.1.5_last_password_change_past.sh
new file mode 100644
index 0000000..837cad0
--- /dev/null
+++ b/tests/hardening/5.4.1.5_last_password_change_past.sh
@@ -0,0 +1,11 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ # TODO fill comprehensive tests
+}
\ No newline at end of file
diff --git a/tests/hardening/5.4.5_default_timeout.sh b/tests/hardening/5.4.5_default_timeout.sh
new file mode 100644
index 0000000..837cad0
--- /dev/null
+++ b/tests/hardening/5.4.5_default_timeout.sh
@@ -0,0 +1,11 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ # TODO fill comprehensive tests
+}
\ No newline at end of file