mirror of
https://github.com/ovh/debian-cis.git
synced 2024-11-25 23:11:24 +01:00
Add new checks (blank for now)
This commit is contained in:
parent
38ca43c125
commit
7f990b5e53
53
bin/hardening/1.1.1.7_restrict_fat.sh
Executable file
53
bin/hardening/1.1.1.7_restrict_fat.sh
Executable file
@ -0,0 +1,53 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# run-shellcheck
|
||||||
|
#
|
||||||
|
# CIS Debian Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 1.1.1.7 Ensure mounting of FAT filesystem is limited (Not Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
# shellcheck disable=2034
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
# shellcheck disable=2034
|
||||||
|
DESCRIPTION="Limit mounting of FAT filesystems."
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
# shellcheck source=../../debian/default
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
|
# shellcheck source=../../lib/main.sh
|
||||||
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
53
bin/hardening/1.1.23_disable_usb_storage.sh
Executable file
53
bin/hardening/1.1.23_disable_usb_storage.sh
Executable file
@ -0,0 +1,53 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# run-shellcheck
|
||||||
|
#
|
||||||
|
# CIS Debian Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 1.1.23 Disable USB storage (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
# shellcheck disable=2034
|
||||||
|
HARDENING_LEVEL=2
|
||||||
|
# shellcheck disable=2034
|
||||||
|
DESCRIPTION="Disable USB storage."
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
# shellcheck source=../../debian/default
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
|
# shellcheck source=../../lib/main.sh
|
||||||
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
53
bin/hardening/1.7.1.1_install_apparmor.sh
Executable file
53
bin/hardening/1.7.1.1_install_apparmor.sh
Executable file
@ -0,0 +1,53 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# run-shellcheck
|
||||||
|
#
|
||||||
|
# CIS Debian Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 1.7.1.1 Ensure AppArmor is installed (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
# shellcheck disable=2034
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
# shellcheck disable=2034
|
||||||
|
DESCRIPTION="Install AppArmor."
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
# shellcheck source=../../debian/default
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
|
# shellcheck source=../../lib/main.sh
|
||||||
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
53
bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh
Executable file
53
bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh
Executable file
@ -0,0 +1,53 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# run-shellcheck
|
||||||
|
#
|
||||||
|
# CIS Debian Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 1.7.1.3 Ensure all AppArmor profiles are in enforce or complain mode (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
# shellcheck disable=2034
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
# shellcheck disable=2034
|
||||||
|
DESCRIPTION="Enforce or complain AppArmor profiles."
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
# shellcheck source=../../debian/default
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
|
# shellcheck source=../../lib/main.sh
|
||||||
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
53
bin/hardening/1.7.1.4_enforcing_apparmor.sh
Executable file
53
bin/hardening/1.7.1.4_enforcing_apparmor.sh
Executable file
@ -0,0 +1,53 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# run-shellcheck
|
||||||
|
#
|
||||||
|
# CIS Debian Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 1.7.1.4 Ensure all AppArmor profiles are enforcing (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
# shellcheck disable=2034
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
# shellcheck disable=2034
|
||||||
|
DESCRIPTION="Enforce Apparmor profiles."
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
# shellcheck source=../../debian/default
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
|
# shellcheck source=../../lib/main.sh
|
||||||
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
53
bin/hardening/2.2.1.2_configure_systemd-timesyncd.sh
Executable file
53
bin/hardening/2.2.1.2_configure_systemd-timesyncd.sh
Executable file
@ -0,0 +1,53 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# run-shellcheck
|
||||||
|
#
|
||||||
|
# CIS Debian Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 2.2.1.2 Ensure systemd-timesyncd is configured (Not Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
# shellcheck disable=2034
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
# shellcheck disable=2034
|
||||||
|
DESCRIPTION="Configure systemd-timesyncd."
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
# shellcheck source=../../debian/default
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
|
# shellcheck source=../../lib/main.sh
|
||||||
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
53
bin/hardening/2.2.17_disable_nis.sh
Executable file
53
bin/hardening/2.2.17_disable_nis.sh
Executable file
@ -0,0 +1,53 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# run-shellcheck
|
||||||
|
#
|
||||||
|
# CIS Debian Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 2.2.17 Ensure NIS Server is not enabled (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
# shellcheck disable=2034
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
# shellcheck disable=2034
|
||||||
|
DESCRIPTION="Disable NIS Server."
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
# shellcheck source=../../debian/default
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
|
# shellcheck source=../../lib/main.sh
|
||||||
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
53
bin/hardening/4.1.1.1_install_auditd.sh
Executable file
53
bin/hardening/4.1.1.1_install_auditd.sh
Executable file
@ -0,0 +1,53 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# run-shellcheck
|
||||||
|
#
|
||||||
|
# CIS Debian Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 4.1.1.1 Ensure auditing is installed (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
# shellcheck disable=2034
|
||||||
|
HARDENING_LEVEL=4
|
||||||
|
# shellcheck disable=2034
|
||||||
|
DESCRIPTION="Install auditd."
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
# shellcheck source=../../debian/default
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
|
# shellcheck source=../../lib/main.sh
|
||||||
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
53
bin/hardening/4.1.1.4_audit_backlog_limit.sh
Executable file
53
bin/hardening/4.1.1.4_audit_backlog_limit.sh
Executable file
@ -0,0 +1,53 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# run-shellcheck
|
||||||
|
#
|
||||||
|
# CIS Debian Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 4.1.1.4 Ensure audit_backlog_limit is sufficient (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
# shellcheck disable=2034
|
||||||
|
HARDENING_LEVEL=4
|
||||||
|
# shellcheck disable=2034
|
||||||
|
DESCRIPTION="Configure audit_backlog_limit to be sufficient."
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
# shellcheck source=../../debian/default
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
|
# shellcheck source=../../lib/main.sh
|
||||||
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
53
bin/hardening/4.2.2.1_journald_logs.sh
Executable file
53
bin/hardening/4.2.2.1_journald_logs.sh
Executable file
@ -0,0 +1,53 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# run-shellcheck
|
||||||
|
#
|
||||||
|
# CIS Debian Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 4.2.2.1 Ensure journald is configured to send logs to syslog-ng (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
# shellcheck disable=2034
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
# shellcheck disable=2034
|
||||||
|
DESCRIPTION="Configure journald to send logs to syslog-ng."
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
# shellcheck source=../../debian/default
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
|
# shellcheck source=../../lib/main.sh
|
||||||
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
53
bin/hardening/4.2.2.2_journald_compress.sh
Executable file
53
bin/hardening/4.2.2.2_journald_compress.sh
Executable file
@ -0,0 +1,53 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# run-shellcheck
|
||||||
|
#
|
||||||
|
# CIS Debian Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 4.2.2.2 Ensure journald is configured to compress large files (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
# shellcheck disable=2034
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
# shellcheck disable=2034
|
||||||
|
DESCRIPTION="Configure journald to send logs to syslog-ng."
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
rsyslog
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
# shellcheck source=../../debian/default
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
|
# shellcheck source=../../lib/main.sh
|
||||||
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
53
bin/hardening/4.2.2.3_journald_write_persistent.sh
Executable file
53
bin/hardening/4.2.2.3_journald_write_persistent.sh
Executable file
@ -0,0 +1,53 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# run-shellcheck
|
||||||
|
#
|
||||||
|
# CIS Debian Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 4.2.2.3 Ensure journald is configured to write logfiles to persistent disk (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
# shellcheck disable=2034
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
# shellcheck disable=2034
|
||||||
|
DESCRIPTION="Configure journald to write to a persistent location."
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
# shellcheck source=../../debian/default
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
|
# shellcheck source=../../lib/main.sh
|
||||||
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
53
bin/hardening/4.4_logrotate_permissions.sh
Executable file
53
bin/hardening/4.4_logrotate_permissions.sh
Executable file
@ -0,0 +1,53 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# run-shellcheck
|
||||||
|
#
|
||||||
|
# CIS Debian Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 4.4 Ensure logrotate assigns approriate permissions (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
# shellcheck disable=2034
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
# shellcheck disable=2034
|
||||||
|
DESCRIPTION="Configure logrotate to assign appropriate permissions."
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
# shellcheck source=../../debian/default
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
|
# shellcheck source=../../lib/main.sh
|
||||||
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
53
bin/hardening/5.2.20_enable_ssh_pam.sh
Executable file
53
bin/hardening/5.2.20_enable_ssh_pam.sh
Executable file
@ -0,0 +1,53 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# run-shellcheck
|
||||||
|
#
|
||||||
|
# CIS Debian Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 5.2.20 Ensure SSH PAM is enabled (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
# shellcheck disable=2034
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
# shellcheck disable=2034
|
||||||
|
DESCRIPTION="Enable SSH PAM."
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
# shellcheck source=../../debian/default
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
|
# shellcheck source=../../lib/main.sh
|
||||||
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
53
bin/hardening/5.2.21_disable_ssh_allow_tcp_forwarding.sh
Executable file
53
bin/hardening/5.2.21_disable_ssh_allow_tcp_forwarding.sh
Executable file
@ -0,0 +1,53 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# run-shellcheck
|
||||||
|
#
|
||||||
|
# CIS Debian Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 5.2.21 Ensure SSH AllowTCPForwarding is disabled (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
# shellcheck disable=2034
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
# shellcheck disable=2034
|
||||||
|
DESCRIPTION="Disable SSH AllowTCPForwarding."
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
# shellcheck source=../../debian/default
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
|
# shellcheck source=../../lib/main.sh
|
||||||
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
53
bin/hardening/5.2.22_configure_ssh_max_startups.sh
Executable file
53
bin/hardening/5.2.22_configure_ssh_max_startups.sh
Executable file
@ -0,0 +1,53 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# run-shellcheck
|
||||||
|
#
|
||||||
|
# CIS Debian Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 5.2.22 Ensure SSH MaxStartups is configured (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
# shellcheck disable=2034
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
# shellcheck disable=2034
|
||||||
|
DESCRIPTION="Configure SSHMaxStartups."
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
# shellcheck source=../../debian/default
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
|
# shellcheck source=../../lib/main.sh
|
||||||
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
53
bin/hardening/5.2.23_limit_ssh_max_sessions.sh
Executable file
53
bin/hardening/5.2.23_limit_ssh_max_sessions.sh
Executable file
@ -0,0 +1,53 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# run-shellcheck
|
||||||
|
#
|
||||||
|
# CIS Debian Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 5.2.23 Ensure SSH MaxSessions is limited (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
# shellcheck disable=2034
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
# shellcheck disable=2034
|
||||||
|
DESCRIPTION="Limit SSH MaxSessions."
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
# shellcheck source=../../debian/default
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
|
# shellcheck source=../../lib/main.sh
|
||||||
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
@ -12,9 +12,12 @@
|
|||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
# shellcheck disable=2034
|
||||||
|
HARDENING_LEVEL=2
|
||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
DESCRIPTION="Check that any password that may exist in /etc/shadow is SHA512 hashed and salted"
|
DESCRIPTION="Check that any password that may exist in /etc/shadow is SHA512 hashed and salted"
|
||||||
|
|
||||||
|
|
||||||
CONF_FILE="/etc/pam.d/common-password"
|
CONF_FILE="/etc/pam.d/common-password"
|
||||||
CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*sha512"
|
CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*sha512"
|
||||||
|
|
||||||
|
53
bin/hardening/5.4.1.5_last_password_change_past.sh
Executable file
53
bin/hardening/5.4.1.5_last_password_change_past.sh
Executable file
@ -0,0 +1,53 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# run-shellcheck
|
||||||
|
#
|
||||||
|
# CIS Debian Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 5.4.1.5 Ensure all users last password change date is in the past (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
# shellcheck disable=2034
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
# shellcheck disable=2034
|
||||||
|
DESCRIPTION="Check that user last paswword change date is in the past."
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
# shellcheck source=../../debian/default
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
|
# shellcheck source=../../lib/main.sh
|
||||||
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
53
bin/hardening/5.4.5_default_timeout.sh
Executable file
53
bin/hardening/5.4.5_default_timeout.sh
Executable file
@ -0,0 +1,53 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# run-shellcheck
|
||||||
|
#
|
||||||
|
# CIS Debian Hardening
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 5.4.5 Ensure default user shell timeout is 900 seconds or less (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
# shellcheck disable=2034
|
||||||
|
HARDENING_LEVEL=3
|
||||||
|
# shellcheck disable=2034
|
||||||
|
DESCRIPTION="Configure the default user shell timeout."
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ -r /etc/default/cis-hardening ]; then
|
||||||
|
# shellcheck source=../../debian/default
|
||||||
|
. /etc/default/cis-hardening
|
||||||
|
fi
|
||||||
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||||
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||||
|
exit 128
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||||
|
# shellcheck source=../../lib/main.sh
|
||||||
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||||
|
else
|
||||||
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||||
|
exit 128
|
||||||
|
fi
|
20
tests/hardening/1.1.1.7_restrict_fat.sh
Normal file
20
tests/hardening/1.1.1.7_restrict_fat.sh
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
# shellcheck shell=bash
|
||||||
|
# run-shellcheck
|
||||||
|
test_audit() {
|
||||||
|
if [ -f "/.dockerenv" ]; then
|
||||||
|
skip "SKIPPED on docker"
|
||||||
|
else
|
||||||
|
describe Running on blank host
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
dismiss_count_for_test
|
||||||
|
# shellcheck disable=2154
|
||||||
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
fi
|
||||||
|
|
||||||
|
##################################################################
|
||||||
|
# For this test, we only check that it runs properly on a blank #
|
||||||
|
# host, and we check root/sudo consistency. But, we don't test #
|
||||||
|
# the apply function because it can't be automated or it is very #
|
||||||
|
# long to test and not very useful. #
|
||||||
|
##################################################################
|
||||||
|
}
|
16
tests/hardening/1.1.23_disable_usb_storage.sh
Normal file
16
tests/hardening/1.1.23_disable_usb_storage.sh
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
# shellcheck shell=bash
|
||||||
|
# run-shellcheck
|
||||||
|
test_audit() {
|
||||||
|
describe Running on blank host
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
dismiss_count_for_test
|
||||||
|
# shellcheck disable=2154
|
||||||
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
##################################################################
|
||||||
|
# For this test, we only check that it runs properly on a blank #
|
||||||
|
# host, and we check root/sudo consistency. But, we don't test #
|
||||||
|
# the apply function because it can't be automated or it is very #
|
||||||
|
# long to test and not very useful. #
|
||||||
|
##################################################################
|
||||||
|
}
|
11
tests/hardening/1.7.1.1_install_apparmor.sh
Normal file
11
tests/hardening/1.7.1.1_install_apparmor.sh
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
# shellcheck shell=bash
|
||||||
|
# run-shellcheck
|
||||||
|
test_audit() {
|
||||||
|
describe Running on blank host
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
dismiss_count_for_test
|
||||||
|
# shellcheck disable=2154
|
||||||
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
# TODO fill comprehensive tests
|
||||||
|
}
|
11
tests/hardening/1.7.1.3_enforce_or_complain_apparmor.sh
Normal file
11
tests/hardening/1.7.1.3_enforce_or_complain_apparmor.sh
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
# shellcheck shell=bash
|
||||||
|
# run-shellcheck
|
||||||
|
test_audit() {
|
||||||
|
describe Running on blank host
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
dismiss_count_for_test
|
||||||
|
# shellcheck disable=2154
|
||||||
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
# TODO fill comprehensive tests
|
||||||
|
}
|
11
tests/hardening/1.7.1.4_enforcing_apparmor.sh
Normal file
11
tests/hardening/1.7.1.4_enforcing_apparmor.sh
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
# shellcheck shell=bash
|
||||||
|
# run-shellcheck
|
||||||
|
test_audit() {
|
||||||
|
describe Running on blank host
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
dismiss_count_for_test
|
||||||
|
# shellcheck disable=2154
|
||||||
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
# TODO fill comprehensive tests
|
||||||
|
}
|
11
tests/hardening/2.2.1.2_configure_systemd-timesyncd.sh
Normal file
11
tests/hardening/2.2.1.2_configure_systemd-timesyncd.sh
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
# shellcheck shell=bash
|
||||||
|
# run-shellcheck
|
||||||
|
test_audit() {
|
||||||
|
describe Running on blank host
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
dismiss_count_for_test
|
||||||
|
# shellcheck disable=2154
|
||||||
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
# TODO fill comprehensive tests
|
||||||
|
}
|
11
tests/hardening/2.2.17_disable_nis.sh
Normal file
11
tests/hardening/2.2.17_disable_nis.sh
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
# shellcheck shell=bash
|
||||||
|
# run-shellcheck
|
||||||
|
test_audit() {
|
||||||
|
describe Running on blank host
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
dismiss_count_for_test
|
||||||
|
# shellcheck disable=2154
|
||||||
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
# TODO fill comprehensive tests
|
||||||
|
}
|
11
tests/hardening/4.1.1.1_install_auditd.sh
Normal file
11
tests/hardening/4.1.1.1_install_auditd.sh
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
# shellcheck shell=bash
|
||||||
|
# run-shellcheck
|
||||||
|
test_audit() {
|
||||||
|
describe Running on blank host
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
dismiss_count_for_test
|
||||||
|
# shellcheck disable=2154
|
||||||
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
# TODO fill comprehensive tests
|
||||||
|
}
|
11
tests/hardening/4.1.1.4_audit_backlog_limit.sh
Normal file
11
tests/hardening/4.1.1.4_audit_backlog_limit.sh
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
# shellcheck shell=bash
|
||||||
|
# run-shellcheck
|
||||||
|
test_audit() {
|
||||||
|
describe Running on blank host
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
dismiss_count_for_test
|
||||||
|
# shellcheck disable=2154
|
||||||
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
# TODO fill comprehensive tests
|
||||||
|
}
|
11
tests/hardening/4.2.2.1_journald_logs.sh
Normal file
11
tests/hardening/4.2.2.1_journald_logs.sh
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
# shellcheck shell=bash
|
||||||
|
# run-shellcheck
|
||||||
|
test_audit() {
|
||||||
|
describe Running on blank host
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
dismiss_count_for_test
|
||||||
|
# shellcheck disable=2154
|
||||||
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
# TODO fill comprehensive tests
|
||||||
|
}
|
11
tests/hardening/4.2.2.2_journald_compress.sh
Normal file
11
tests/hardening/4.2.2.2_journald_compress.sh
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
# shellcheck shell=bash
|
||||||
|
# run-shellcheck
|
||||||
|
test_audit() {
|
||||||
|
describe Running on blank host
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
dismiss_count_for_test
|
||||||
|
# shellcheck disable=2154
|
||||||
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
# TODO fill comprehensive tests
|
||||||
|
}
|
11
tests/hardening/4.2.2.3_journald_write_persistent.sh
Normal file
11
tests/hardening/4.2.2.3_journald_write_persistent.sh
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
# shellcheck shell=bash
|
||||||
|
# run-shellcheck
|
||||||
|
test_audit() {
|
||||||
|
describe Running on blank host
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
dismiss_count_for_test
|
||||||
|
# shellcheck disable=2154
|
||||||
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
# TODO fill comprehensive tests
|
||||||
|
}
|
11
tests/hardening/4.4_logrotate_permissions.sh
Normal file
11
tests/hardening/4.4_logrotate_permissions.sh
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
# shellcheck shell=bash
|
||||||
|
# run-shellcheck
|
||||||
|
test_audit() {
|
||||||
|
describe Running on blank host
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
dismiss_count_for_test
|
||||||
|
# shellcheck disable=2154
|
||||||
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
# TODO fill comprehensive tests
|
||||||
|
}
|
11
tests/hardening/5.2.20_enable_ssh_pam.sh
Normal file
11
tests/hardening/5.2.20_enable_ssh_pam.sh
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
# shellcheck shell=bash
|
||||||
|
# run-shellcheck
|
||||||
|
test_audit() {
|
||||||
|
describe Running on blank host
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
dismiss_count_for_test
|
||||||
|
# shellcheck disable=2154
|
||||||
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
# TODO fill comprehensive tests
|
||||||
|
}
|
11
tests/hardening/5.2.21_disable_ssh_allow_tcp_forwarding.sh
Normal file
11
tests/hardening/5.2.21_disable_ssh_allow_tcp_forwarding.sh
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
# shellcheck shell=bash
|
||||||
|
# run-shellcheck
|
||||||
|
test_audit() {
|
||||||
|
describe Running on blank host
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
dismiss_count_for_test
|
||||||
|
# shellcheck disable=2154
|
||||||
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
# TODO fill comprehensive tests
|
||||||
|
}
|
11
tests/hardening/5.2.22_configure_ssh_max_startups.sh
Normal file
11
tests/hardening/5.2.22_configure_ssh_max_startups.sh
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
# shellcheck shell=bash
|
||||||
|
# run-shellcheck
|
||||||
|
test_audit() {
|
||||||
|
describe Running on blank host
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
dismiss_count_for_test
|
||||||
|
# shellcheck disable=2154
|
||||||
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
# TODO fill comprehensive tests
|
||||||
|
}
|
11
tests/hardening/5.2.23_limit_ssh_max_sessions.sh
Normal file
11
tests/hardening/5.2.23_limit_ssh_max_sessions.sh
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
# shellcheck shell=bash
|
||||||
|
# run-shellcheck
|
||||||
|
test_audit() {
|
||||||
|
describe Running on blank host
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
dismiss_count_for_test
|
||||||
|
# shellcheck disable=2154
|
||||||
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
# TODO fill comprehensive tests
|
||||||
|
}
|
11
tests/hardening/5.4.1.5_last_password_change_past.sh
Normal file
11
tests/hardening/5.4.1.5_last_password_change_past.sh
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
# shellcheck shell=bash
|
||||||
|
# run-shellcheck
|
||||||
|
test_audit() {
|
||||||
|
describe Running on blank host
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
dismiss_count_for_test
|
||||||
|
# shellcheck disable=2154
|
||||||
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
# TODO fill comprehensive tests
|
||||||
|
}
|
11
tests/hardening/5.4.5_default_timeout.sh
Normal file
11
tests/hardening/5.4.5_default_timeout.sh
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
# shellcheck shell=bash
|
||||||
|
# run-shellcheck
|
||||||
|
test_audit() {
|
||||||
|
describe Running on blank host
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
dismiss_count_for_test
|
||||||
|
# shellcheck disable=2154
|
||||||
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
# TODO fill comprehensive tests
|
||||||
|
}
|
Loading…
Reference in New Issue
Block a user