elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2024-11-24 22:41:24 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2 in IAAS/cis-hardening from dev/thibault.dewailly/base_harden to master

Browse Source 
Release Alpha 0.1

* commit '091eec57ee7f706c2dd16150c75b4d93a183b724': (64 commits)
  All configuration defaults to disabled README updated
  99.1_timeout_tty.sh 99.2_disable_usb_devices.sh
  Fixed disabled features, headers and preparing main script
  Added argument parsing and test checks
  13.16_check_duplicate_username.sh 13.17_check_duplicate_groupname.sh 13.18_find_user_netrc_files.sh 13.19_find_user_forward_files.sh 13.20_shadow_group_empty.sh
  13.14_check_duplicate_uid.sh 13.15_check_duplicate_gid.sh^C
  13.12_users_valid_homedir.sh 13.11_find_passwd_group_inconsistencies.sh 13.13_check_user_homedir_ownership.sh
  13.10_find_user_rhosts_files.sh
  13.8_check_user_dot_file_perm.sh 13.9_set_perm_on_user_netrc.sh
  13.7_check_user_dir_perm.sh
  13.1_remove_empty_password_field.sh 13.2_remove_legacy_passwd_entries.sh 13.3_remove_legacy_shadow_entries.sh 13.4_remove_legacy_group_entries.sh 13.5_find_0_uid_non_root_account.sh 13.6_sanitize_root_path.sh
  13.1_remove_empry_password_field.sh
  12.11_find_sgid_files.sh
  12.10_find_suid_files.sh 12.1_etc_passwd_permissions.sh 12.2_etc_shadow_permissions.sh 12.3_etc_group_permissions.sh 12.4_etc_passwd_ownership.sh 12.5_etc_shadow_ownership.sh 12.6_etc_group_ownership.sh 12.7_find_world_writable_file.sh 12.8_find_unowned_files.sh 12.9_find_ungrouped_files.sh
  10.5_lock_inactive_user_account.sh 11.1_warning_banners.sh 11.2_remove_os_info_warning_banners.sh 11.3_graphical_warning_banners.sh
  10.1.1_set_password_exp_days.sh 10.1.2_set_password_min_days_change.sh 10.1.3_set_password_exp_warning_days.sh 10.2_disable_system_accounts.sh 10.3_default_root_group.sh 10.4_default_umask.sh 9.4_secure_tty.sh 9.5_restrict_su.sh
  9.2.1_enable_cracklib.sh 9.2.2_enable_lockout_failed_password.sh 9.2.3_limit_password_reuse.sh 9.3.10_disable_sshd_setenv.sh 9.3.11_sshd_ciphers.sh 9.3.12_sshd_idle_timeout.sh 9.3.13_sshd_limit_access.sh 9.3.14_ssh_banner.sh 9.3.2_sshd_loglevel.sh 9.3.1_sshd_protocol.sh 9.3.3_sshd_conf_perm_ownership.sh 9.3.4_disable_x11_forwarding.sh 9.3.5_sshd_maxauthtries.sh 9.3.6_enable_sshd_ignorerhosts.sh 9.3.7_disable_sshd_hostbasedauthentication.sh 9.3.8_disable_root_login.sh 9.3.9_disable_sshd_permitemptypasswords.sh
  9.1.3_cron_hourly_perm_ownership.sh 9.1.4_cron_daily_perm_ownership.sh 9.1.5_cron_weekly_perm_ownership.sh 9.1.6_cron_monthly_perm_ownership.sh 9.1.7_cron_d_perm_ownership.sh 9.1.8_cron_users.sh
  9.1.1_enable_cron.sh 9.1.2_crontab_perm_ownership.sh
  8.4_configure_logrotate.sh
  ...
This commit is contained in:
Thibault Dewailly 2016-04-18 13:25:54 +02:00
commit 80236c9e27
390 changed files with 13841 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
README
View File

@ -1,2 +1,13 @@
# CIS Debian 7 Hardening git repository
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
# This is the code base which will be used to fill CIS hardening requirements
# Hardening scripts :
# bin/hardening : Every script has a .cfg associated, status must be defined here
# Main script :
# bin/hardening.sh : Will execute hardening according to configuration
# Configuration
# etc/hardening.cfg : Global variables defined such as backup directory, or log level
# etc/conf.d : Folder with all .cfg associated to hardenign scripts

118
bin/hardening.sh Executable file
View File

@ -0,0 +1,118 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
#
#
# Main script : Execute hardening considering configuration
#
LONG_SCRIPT_NAME=$(basename $0)
SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh}
DISABLED_CHECKS=0
PASSED_CHECKS=0
FAILED_CHECKS=0
TOTAL_CHECKS=0
TOTAL_TREATED_CHECKS=0
AUDIT=0
APPLY=0
usage() {
cat << EOF
$LONG_SCRIPT_NAME ( --apply | -- audit ) < -h | --help >
--apply : Apply hardening if told in configuration
--audit : If script not disabled, audit configuration only
-h|--help : This help
EOF
exit 0
}
if [ $# = 0 ]; then
usage
fi
# Arguments parsing
while [[ $# > 0 ]]; do
ARG="$1"
case $ARG in
--audit)
AUDIT=1
;;
--apply)
APPLY=1
;;
-h|--help)
usage
;;
*)
usage
;;
esac
shift
done
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh
[ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
# Parse every scripts and execute them in the required mode
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening | sort -V); do
info "Treating $SCRIPT"
if [ $AUDIT = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit"
$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit
elif [ $APPLY = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT"
$CIS_ROOT_DIR/bin/hardening/$SCRIPT
fi
SCRIPT_EXITCODE=$?
debug "Script $SCRIPT finished with exit code $SCRIPT_EXITCODE"
case $SCRIPT_EXITCODE in
0)
debug "$SCRIPT passed"
PASSED_CHECKS=$((PASSED_CHECKS+1))
;;
1)
debug "$SCRIPT failed"
FAILED_CHECKS=$((FAILED_CHECKS+1))
;;
2)
debug "$SCRIPT is disabled"
DISABLED_CHECKS=$((DISABLED_CHECKS+1))
;;
esac
TOTAL_CHECKS=$((TOTAL_CHECKS+1))
done
TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS-DISABLED_CHECKS))
printf "%40s\n" "################### SUMMARY ###################"
printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"
printf "%30s %s\n" "Total Runned Checks :" "$TOTAL_TREATED_CHECKS"
printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
printf "%30s %.2f %%\n" "Enabled Checks Percentage :" "$( echo "($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100" | bc -l)"
if [ $TOTAL_TREATED_CHECKS != 0 ]; then
printf "%30s %.2f %%\n" "Conformity Percentage :" "$( echo "($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100" | bc -l)"
else
printf "%30s %s %%\n" "Conformity Percentage :" "N.A" # No check runned, avoid division by 0
fi

57
bin/hardening/1.1_install_updates.sh Executable file
View File

@ -0,0 +1,57 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 1.1 Install Updates, Patches and Additional Security Software (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if apt needs an update"
apt_update_if_needed
info "Fetching upgrades ..."
apt_check_updates "CIS_APT"
if [ $FNRET -gt 0 ]; then
crit "$RESULT"
FNRET=1
else
ok "No upgrades available"
FNRET=0
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET -gt 0 ]; then
info "Applying Upgrades..."
DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' upgrade -y
else
ok "No Upgrades to apply"
fi
}
# This function will check config parameters required
check_config() {
# No parameters for this function
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

85
bin/hardening/10.1.1_set_password_exp_days.sh Executable file
View File

@ -0,0 +1,85 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 10.1.1 Set Password Expiration Days (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
PACKAGE='login'
OPTIONS='PASS_MAX_DAYS=90'
FILE='/etc/login.defs'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed !"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
crit "$PATTERN is not present in $FILE"
fi
done
fi
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE
fi
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN not present in $FILE, adding it"
does_pattern_exists_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else
info "Parameter $SSH_PARAM is present but with the wrong value, correcting"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

85
bin/hardening/10.1.2_set_password_min_days_change.sh Executable file
View File

@ -0,0 +1,85 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 10.1.2 Set Password Change Minimum Number of Days (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
PACKAGE='login'
OPTIONS='PASS_MIN_DAYS=7'
FILE='/etc/login.defs'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed !"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
crit "$PATTERN is not present in $FILE"
fi
done
fi
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE
fi
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN not present in $FILE, adding it"
does_pattern_exists_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else
info "Parameter $SSH_PARAM is present but with the wrong value, correcting"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

85
bin/hardening/10.1.3_set_password_exp_warning_days.sh Executable file
View File

@ -0,0 +1,85 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 10.1.3 Set Password Expiring Warning Days (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
PACKAGE='login'
OPTIONS='PASS_MIN_DAYS=7'
FILE='/etc/login.defs'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed !"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
crit "$PATTERN is not present in $FILE"
fi
done
fi
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
else
crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE
fi
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN not present in $FILE, adding it"
does_pattern_exists_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else
info "Parameter $SSH_PARAM is present but with the wrong value, correcting"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

90
bin/hardening/10.2_disable_system_accounts.sh Executable file
View File

@ -0,0 +1,90 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 10.2 Disable System Accounts (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
SHELL='/bin/false'
FILE='/etc/passwd'
RESULT=''
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if admin accounts have login different from $SHELL"
RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}')
for LINE in $RESULT; do
debug "line : $LINE"
ACCOUNT=$( echo $LINE | cut -d: -f 1 )
debug "Account : $ACCOUNT"
debug "Exceptions : $EXCEPTIONS"
debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT"
if echo "$EXCEPTIONS" | grep -q $ACCOUNT; then
debug "$ACCOUNT is confirmed as an exception"
RESULT=$(sed "s!$LINE!!" <<< "$RESULT")
else
debug "$ACCOUNT not found in exceptions"
fi
done
if [ ! -z "$RESULT" ]; then
crit "Some admin accounts have not $SHELL as shell"
crit "$RESULT"
else
ok "All admin accounts deactivated"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}')
for LINE in $RESULT; do
debug "line : $LINE"
ACCOUNT=$( echo $LINE | cut -d: -f 1 )
debug "Account : $ACCOUNT"
debug "Exceptions : $EXCEPTIONS"
debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT"
if echo "$EXCEPTIONS" | grep -q $ACCOUNT; then
debug "$ACCOUNT is confirmed as an exception"
RESULT=$(sed "s!$LINE!!" <<< "$RESULT")
else
debug "$ACCOUNT not found in exceptions"
fi
done
if [ ! -z "$RESULT" ]; then
warn "Some admin accounts have not $SHELL as shell"
warn "$RESULT"
for USER in $( echo "$RESULT" | cut -d: -f 1 ); do
info "Setting $SHELL to $USER"
usermod -s $SHELL $USER
done
else
ok "All admin accounts deactivated, nothing to apply"
fi
}
# This function will check config parameters required
check_config() {
if [ -z "$EXCEPTIONS" ]; then
EXCEPTIONS="@"
fi
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

53
bin/hardening/10.3_default_root_group.sh Executable file
View File

@ -0,0 +1,53 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 10.3 Set Default Group for root Account (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
USER='root'
EXPECTED_GID='0'
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $(grep "^root:" /etc/passwd | cut -f4 -d:) = 0 ]; then
ok "Root group has GID $EXPECTED_GID"
else
crit "Root group has not GID $EXPECTED_GID"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $(grep "^root:" /etc/passwd | cut -f4 -d:) = 0 ]; then
ok "Root group has GID $EXPECTED_GID"
else
warn "Root group has not GID $EXPECTED_GID"
usermod -g $EXPECTED_GID $USER
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

59
bin/hardening/10.4_default_umask.sh Executable file
View File

@ -0,0 +1,59 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 10.4 Set Default umask for Users (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
USER='root'
PATTERN='umask 077'
FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d/* /etc/profile'
FILE='/etc/profile.d/CIS_10.4_umask.sh'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_pattern_exists_in_file "$FILES_TO_SEARCH" "^$PATTERN"
if [ $FNRET != 0 ]; then
crit "$PATTERN not present in $FILES_TO_SEARCH"
else
ok "$PATTERN present in $FILES_TO_SEARCH"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_pattern_exists_in_file "$FILES_TO_SEARCH" "^$PATTERN"
if [ $FNRET != 0 ]; then
warn "$PATTERN not present in $FILES_TO_SEARCH"
touch $FILE
chmod 644 $FILE
add_end_of_file $FILE "$PATTERN"
else
ok "$PATTERN present in $FILES_TO_SEARCH"
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

45
bin/hardening/10.5_lock_inactive_user_account.sh Executable file
View File

@ -0,0 +1,45 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 10.5 Lock Inactive User Accounts (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Looking at the manual of useradd, it seems that this recommendation does not fill the title"
info "The number of days after a password expires until the account is permanently disabled."
info "Which is not inactive users per se"
}
# This function will be called if the script status is on enabled mode
apply () {
info "Looking at the manual of useradd, it seems that this recommendation does not fill the title"
info "The number of days after a password expires until the account is permanently disabled."
info "Which is not inactive users per se"
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

79
bin/hardening/11.1_warning_banners.sh Executable file
View File

@ -0,0 +1,79 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 11.1 Set Warning Banner for Standard Login Services (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
PERMISSIONS='644'
USER='root'
GROUP='root'
FILES='/etc/motd /etc/issue /etc/issue.net'
# This function will be called if the script status is on enabled / audit mode
audit () {
for FILE in $FILES; do
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE is not $USER:$GROUP ownership set"
fi
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE has not $PERMISSIONS permissions set"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
for FILE in $FILES; do
does_file_exist $FILE
if [ $FNRET != 0 ]; then
info "$FILE does not exist"
touch $FILE
fi
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
warn "$FILE is not $USER:$GROUP ownership set"
chown $USER:$GROUP $FILE
fi
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0$PERMISSIONS $FILE
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

59
bin/hardening/11.2_remove_os_info_warning_banners.sh Executable file
View File

@ -0,0 +1,59 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 11.2 Remove OS Information from Login Warning Banners (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
FILES='/etc/motd /etc/issue /etc/issue.net'
PATTERN='(\\v|\\r|\\m|\\s)'
# This function will be called if the script status is on enabled / audit mode
audit () {
for FILE in $FILES; do
does_pattern_exists_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
crit "$PATTERN is present in $FILE"
else
ok "$PATTERN is not present in $FILE"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
for FILE in $FILES; do
does_pattern_exists_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
warn "$PATTERN is present in $FILE"
delete_line_in_file $FILE $PATTERN
else
ok "$PATTERN is not present in $FILE"
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

41
bin/hardening/11.3_graphical_warning_banners.sh Executable file
View File

@ -0,0 +1,41 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 11.3 Set Graphical Warning Banner (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Not implemented yet"
}
# This function will be called if the script status is on enabled mode
apply () {
info "Not implemented yet"
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

56
bin/hardening/12.10_find_suid_files.sh Executable file
View File

@ -0,0 +1,56 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 12.10 Find SUID System Executables (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if there is suid files"
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000 -print)
for BINARY in $RESULT; do
if grep -q $BINARY <<< "$EXCEPTIONS"; then
debug "$BINARY is confirmed as an exception"
RESULT=$(sed "s!$BINARY!!" <<< $RESULT)
fi
done
if [ ! -z "$RESULT" ]; then
crit "Some suid files are present"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT"
else
ok "No unknown suid files found"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
info "Removing suid on valid binary may seriously harm your system, report only here"
}
# This function will check config parameters required
check_config() {
# No param for this function
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

57
bin/hardening/12.11_find_sgid_files.sh Executable file
View File

@ -0,0 +1,57 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 12.11 Find SGID System Executables (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if there is sgid files"
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000 -print)
for BINARY in $RESULT; do
if grep -q $BINARY <<< "$EXCEPTIONS"; then
debug "$BINARY is confirmed as an exception"
RESULT=$(sed "s!$BINARY!!" <<< $RESULT)
fi
done
if [ ! -z "$RESULT" ]; then
crit "Some sgid files are present"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT"
else
ok "No unknown sgid files found"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
info "Removing sgid on valid binary may seriously harm your system, report only here"
}
# This function will check config parameters required
check_config() {
if [ -z "$EXCEPTIONS" ]; then
EXCEPTIONS="@"
fi
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

55
bin/hardening/12.1_etc_passwd_permissions.sh Executable file
View File

@ -0,0 +1,55 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 12.1 Verify Permissions on /etc/passwd (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
FILE='/etc/passwd'
PERMISSIONS='644'
# This function will be called if the script status is on enabled / audit mode
audit () {
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE has not $PERMISSIONS permissions set"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0$PERMISSIONS $FILE
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

55
bin/hardening/12.2_etc_shadow_permissions.sh Executable file
View File

@ -0,0 +1,55 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 12.2 Verify Permissions on /etc/shadow (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
FILE='/etc/shadow'
PERMISSIONS='640'
# This function will be called if the script status is on enabled / audit mode
audit () {
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE has not $PERMISSIONS permissions set"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0$PERMISSIONS $FILE
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

55
bin/hardening/12.3_etc_group_permissions.sh Executable file
View File

@ -0,0 +1,55 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 12.3 Verify Permissions on /etc/group (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
FILE='/etc/group'
PERMISSIONS='644'
# This function will be called if the script status is on enabled / audit mode
audit () {
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE has not $PERMISSIONS permissions set"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0$PERMISSIONS $FILE
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

70
bin/hardening/12.4_etc_passwd_ownership.sh Executable file
View File

@ -0,0 +1,70 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 12.4 Verify User/Group Ownership on /etc/passwd (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
FILE='/etc/passwd'
USER='root'
GROUP='root'
# This function will be called if the script status is on enabled / audit mode
audit () {
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE is not $USER:$GROUP ownership set"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
info "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE
fi
}
# This function will check config parameters required
check_config() {
does_user_exist $USER
if [ $FNRET != 0 ]; then
crit "$USER does not exist"
exit 128
fi
does_group_exist $GROUP
if [ $FNRET != 0 ]; then
crit "$GROUP does not exist"
exit 128
fi
does_file_exist $FILE
if [ $FNRET != 0 ]; then
crit "$FILE does not exist"
exit 128
fi
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

70
bin/hardening/12.5_etc_shadow_ownership.sh Executable file
View File

@ -0,0 +1,70 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 12.5 Verify User/Group Ownership on /etc/shadow (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
FILE='/etc/shadow'
USER='root'
GROUP='shadow'
# This function will be called if the script status is on enabled / audit mode
audit () {
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE is not $USER:$GROUP ownership set"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
info "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE
fi
}
# This function will check config parameters required
check_config() {
does_user_exist $USER
if [ $FNRET != 0 ]; then
crit "$USER does not exist"
exit 128
fi
does_group_exist $GROUP
if [ $FNRET != 0 ]; then
crit "$GROUP does not exist"
exit 128
fi
does_file_exist $FILE
if [ $FNRET != 0 ]; then
crit "$FILE does not exist"
exit 128
fi
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

70
bin/hardening/12.6_etc_group_ownership.sh Executable file
View File

@ -0,0 +1,70 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 12.6 Verify User/Group Ownership on /etc/group (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
FILE='/etc/group'
USER='root'
GROUP='root'
# This function will be called if the script status is on enabled / audit mode
audit () {
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE is not $USER:$GROUP ownership set"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
info "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE
fi
}
# This function will check config parameters required
check_config() {
does_user_exist $USER
if [ $FNRET != 0 ]; then
crit "$USER does not exist"
exit 128
fi
does_group_exist $GROUP
if [ $FNRET != 0 ]; then
crit "$GROUP does not exist"
exit 128
fi
does_file_exist $FILE
if [ $FNRET != 0 ]; then
crit "$FILE does not exist"
exit 128
fi
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

56
bin/hardening/12.7_find_world_writable_file.sh Executable file
View File

@ -0,0 +1,56 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 12.7 Find World Writable Files (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if there is world writable files"
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then
crit "Some world writable file are present"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT"
else
ok "No world writable files found"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then
warn "chmoding o-w all files in the system"
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null| xargs chmod o-w
else
ok "No world writable files found, nothing to apply"
fi
}
# This function will check config parameters required
check_config() {
# No param for this function
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

58
bin/hardening/12.8_find_unowned_files.sh Executable file
View File

@ -0,0 +1,58 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 12.8 Find Un-owned Files and Directories (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
USER='root'
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if there is unowned files"
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then
crit "Some world writable file are present"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT"
else
ok "No world writable files found"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
if [ ! -z "$RESULT" ]; then
warn "chmowing all unowned files in the system"
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown $USER
else
ok "No world writable files found, nothing to apply"
fi
}
# This function will check config parameters required
check_config() {
# No param for this function
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

58
bin/hardening/12.9_find_ungrouped_files.sh Executable file
View File

@ -0,0 +1,58 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 12.9 Find Un-grouped Files and Directories (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
GROUP='root'
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if there is unowned files"
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then
crit "Some world writable file are present"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT"
else
ok "No world writable files found"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
if [ ! -z "$RESULT" ]; then
warn "chmowing all ungrouped files in the system"
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp $GROUP
else
ok "No world writable files found, nothing to apply"
fi
}
# This function will check config parameters required
check_config() {
# No param for this function
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

56
bin/hardening/13.10_find_user_rhosts_files.sh Executable file
View File

@ -0,0 +1,56 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 13.10 Check for Presence of User .rhosts Files (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
ERRORS=0
FILENAME=".rhosts"
# This function will be called if the script status is on enabled / audit mode
audit () {
for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
debug "Working on $DIR"
for FILE in $DIR/$FILENAME; do
if [ ! -h "$FILE" -a -f "$FILE" ]; then
crit "$FILE present"
ERRORS=$((ERRORS+1))
fi
done
done
if [ $ERRORS = 0 ]; then
ok "No $FILENAME present in users files"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
info "If the audit returns something, please check with the user why he has this file"
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

54
bin/hardening/13.11_find_passwd_group_inconsistencies.sh Executable file
View File

@ -0,0 +1,54 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 13.11 Check Groups in /etc/passwd (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
ERRORS=0
# This function will be called if the script status is on enabled / audit mode
audit () {
for GROUP in $(cut -s -d: -f4 /etc/passwd | sort -u ); do
debug "Working on group $GROUP"
if ! grep -q -P "^.*?:[^:]*:$GROUP:" /etc/group; then
crit "Group $GROUP is referenced by /etc/passwd but does not exist in /etc/group"
ERRORS=$((ERRORS+1))
fi
done
if [ $ERRORS = 0 ]; then
ok "passwd and group Groups are consistent"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
info "Solving passwd and group consistency automatically may seriously harm your system, report only here"
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

57
bin/hardening/13.12_users_valid_homedir.sh Executable file
View File

@ -0,0 +1,57 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 13.12 Check That Users Are Assigned Valid Home Directories (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
ERRORS=0
# This function will be called if the script status is on enabled / audit mode
audit () {
RESULT=$(cat /etc/passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
for LINE in $RESULT; do
debug "Working on $LINE"
USER=$(awk -F: {'print $1'} <<< $LINE)
USERID=$(awk -F: {'print $2'} <<< $LINE)
DIR=$(awk -F: {'print $3'} <<< $LINE)
if [ $USERID -ge 1000 -a ! -d "$DIR" -a $USER != "nfsnobody" -a $USER != "nobody" ]; then
crit "The home directory ($DIR) of user $USER does not exist."
ERRORS=$((ERRORS+1))
fi
done
if [ $ERRORS = 0 ]; then
ok "All home directories exists"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
info "Modifying home directories may seriously harm your system, report only here"
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

68
bin/hardening/13.13_check_user_homedir_ownership.sh Executable file
View File

@ -0,0 +1,68 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 13.13 Check User Home Directory Ownership (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
ERRORS=0
# This function will be called if the script status is on enabled / audit mode
audit () {
RESULT=$(cat /etc/passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
for LINE in $RESULT; do
debug "Working on $LINE"
USER=$(awk -F: {'print $1'} <<< $LINE)
USERID=$(awk -F: {'print $2'} <<< $LINE)
DIR=$(awk -F: {'print $3'} <<< $LINE)
if [ $USERID -ge 500 -a -d "$DIR" -a $USER != "nfsnobody" ]; then
OWNER=$(stat -L -c "%U" "$DIR")
if [ "$OWNER" != "$USER" ]; then
crit "The home directory ($DIR) of user $USER is owned by $OWNER."
ERRORS=$((ERRORS+1))
fi
fi
done
if [ $ERRORS = 0 ]; then
ok "All home directories have correct ownership"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
cat /etc/passwd | awk -F: '{ print $1 " " $3 " " $6 }' | while read USER USERID DIR; do
if [ $USERID -ge 500 -a -d "$DIR" -a $USER != "nfsnobody" ]; then
OWNER=$(stat -L -c "%U" "$DIR")
if [ "$OWNER" != "$USER" ]; then
warn "The home directory ($DIR) of user $USER is owned by $OWNER."
chown $USER $DIR
fi
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

57
bin/hardening/13.14_check_duplicate_uid.sh Executable file
View File

@ -0,0 +1,57 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 13.14 Check for Duplicate UIDs (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
ERRORS=0
# This function will be called if the script status is on enabled / audit mode
audit () {
RESULT=$(cat /etc/passwd | cut -f3 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
for LINE in $RESULT; do
debug "Working on line $LINE"
OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)
USERID=$(awk -F: {'print $2'} <<< $LINE)
if [ $OCC_NUMBER -gt 1 ]; then
USERS=$(awk -F: '($3 == n) { print $1 }' n=$USERID /etc/passwd | xargs)
ERRORS=$((ERRORS+1))
crit "Duplicate UID ($USERID): ${USERS}"
fi
done
if [ $ERRORS = 0 ]; then
ok "No duplicate UIDs"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
info "Editing automatically uids may seriously harm your system, report only here"
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

57
bin/hardening/13.15_check_duplicate_gid.sh Executable file
View File

@ -0,0 +1,57 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 13.15 Check for Duplicate GIDs (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
ERRORS=0
# This function will be called if the script status is on enabled / audit mode
audit () {
RESULT=$(cat /etc/group | cut -f3 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
for LINE in $RESULT; do
debug "Working on line $LINE"
OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)
GROUPID=$(awk -F: {'print $2'} <<< $LINE)
if [ $OCC_NUMBER -gt 1 ]; then
USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPID /etc/passwd | xargs)
ERRORS=$((ERRORS+1))
crit "Duplicate GID ($GROUPID): ${USERS}"
fi
done
if [ $ERRORS = 0 ]; then
ok "No duplicate GIDs"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
info "Editing automatically gids may seriously harm your system, report only here"
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

57
bin/hardening/13.16_check_duplicate_username.sh Executable file
View File

@ -0,0 +1,57 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 13.16 Check for Duplicate User Names (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
ERRORS=0
# This function will be called if the script status is on enabled / audit mode
audit () {
RESULT=$(cat /etc/passwd | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
for LINE in $RESULT; do
debug "Working on line $LINE"
OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)
USERNAME=$(awk -F: {'print $2'} <<< $LINE)
if [ $OCC_NUMBER -gt 1 ]; then
USERS=$(awk -F: '($3 == n) { print $1 }' n=$USERNAME /etc/passwd | xargs)
ERRORS=$((ERRORS+1))
crit "Duplicate username $USERNAME"
fi
done
if [ $ERRORS = 0 ]; then
ok "No duplicate usernames"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
info "Editing automatically username may seriously harm your system, report only here"
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

57
bin/hardening/13.17_check_duplicate_groupname.sh Executable file
View File

@ -0,0 +1,57 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 13.17 Check for Duplicate Group Names (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
ERRORS=0
# This function will be called if the script status is on enabled / audit mode
audit () {
RESULT=$(cat /etc/group | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
for LINE in $RESULT; do
debug "Working on line $LINE"
OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)
GROUPNAME=$(awk -F: {'print $2'} <<< $LINE)
if [ $OCC_NUMBER -gt 1 ]; then
USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPNAME /etc/passwd | xargs)
ERRORS=$((ERRORS+1))
crit "Duplicate groupname $GROUPNAME"
fi
done
if [ $ERRORS = 0 ]; then
ok "No duplicate groupnames"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
info "Editing automatically groupname may seriously harm your system, report only here"
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

56
bin/hardening/13.18_find_user_netrc_files.sh Executable file
View File

@ -0,0 +1,56 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 13.18 Check for Presence of User .netrc Files (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
ERRORS=0
FILENAME='.netrc'
# This function will be called if the script status is on enabled / audit mode
audit () {
for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
debug "Working on $DIR"
for FILE in $DIR/$FILENAME; do
if [ ! -h "$FILE" -a -f "$FILE" ]; then
crit "$FILE present"
ERRORS=$((ERRORS+1))
fi
done
done
if [ $ERRORS = 0 ]; then
ok "No $FILENAME present in users files"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
info "If the audit returns something, please check with the user why he has this file"
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

56
bin/hardening/13.19_find_user_forward_files.sh Executable file
View File

@ -0,0 +1,56 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 13.19 Check for Presence of User .forward Files (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
ERRORS=0
FILENAME='.forward'
# This function will be called if the script status is on enabled / audit mode
audit () {
for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
debug "Working on $DIR"
for FILE in $DIR/$FILENAME; do
if [ ! -h "$FILE" -a -f "$FILE" ]; then
crit "$FILE present"
ERRORS=$((ERRORS+1))
fi
done
done
if [ $ERRORS = 0 ]; then
ok "No $FILENAME present in users files"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
info "If the audit returns something, please check with the user why he has this file"
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

59
bin/hardening/13.1_remove_empty_password_field.sh Executable file
View File

@ -0,0 +1,59 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 13.1 Ensure Password Fields are Not Empty (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
FILE='/etc/shadow'
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if accounts have empty passwords"
RESULT=$(cat $FILE | awk -F: '($2 == "" ) { print $1 }')
if [ ! -z "$RESULT" ]; then
crit "Some accounts have empty passwords"
crit $RESULT
else
ok "All accounts have a password"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
RESULT=$(cat $FILE | awk -F: '($2 == "" ) { print $1 }')
if [ ! -z "$RESULT" ]; then
warn "Some accounts have empty passwords"
for ACCOUNT in $RESULT; do
info "Locking $ACCOUNT"
passwd -l $ACCOUNT >/dev/null 2>&1
done
else
ok "All accounts have a password"
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

66
bin/hardening/13.20_shadow_group_empty.sh Executable file
View File

@ -0,0 +1,66 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 13.20 Ensure shadow group is empty (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
ERRORS=0
FILEGROUP='/etc/group'
PATTERN='^shadow:x:[[:digit:]]+:'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_pattern_exists_in_file $FILEGROUP $PATTERN
if [ $FNRET = 0 ]; then
info "shadow group exists"
RESULT=$(grep -E "$PATTERN" $FILEGROUP | cut -d: -f4)
GROUPID=$(getent group shadow | cut -d: -f3)
debug "$RESULT $GROUPID"
if [ ! -z "$RESULT" ]; then
crit "Some user belong to shadow group : $RESULT"
else
ok "No one belongs to shadow group"
fi
info "Checking if a user has $GROUPID as primary group"
RESULT=$(awk -F: '($4 == shadowid) { print $1 }' shadowid=$GROUPID /etc/passwd)
if [ ! -z "$RESULT" ]; then
crit "Some user have shadow id to their primary group : $RESULT"
else
ok "No one have shadow id to their primary group"
fi
else
crit "shadow group doesn't exist"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
info "If the audit returns something, please check with the user why he has this file"
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

60
bin/hardening/13.2_remove_legacy_passwd_entries.sh Executable file
View File

@ -0,0 +1,60 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 13.2 Verify No Legacy "+" Entries Exist in /etc/passwd File (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
FILE='/etc/passwd'
RESULT=''
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if accounts have empty passwords"
if grep '^+:' $FILE -q; then
RESULT=$(grep '^+:' $FILE)
crit "Some accounts have legacy password entry"
crit $RESULT
else
ok "All accounts have a valid password entry format"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if grep '^+:' $FILE -q; then
RESULT=$(grep '^+:' $FILE)
warn "Some accounts have legacy password entry"
for LINE in $RESULT; do
info "Removing $LINE from $FILE"
delete_line_in_file $FILE $LINE
done
else
ok "All accounts have a valid password entry format"
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

60
bin/hardening/13.3_remove_legacy_shadow_entries.sh Executable file
View File

@ -0,0 +1,60 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 13.3 Verify No Legacy "+" Entries Exist in /etc/shadow File (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
FILE='/etc/shadow'
RESULT=''
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if accounts have empty passwords"
if grep '^+:' $FILE -q; then
RESULT=$(grep '^+:' $FILE)
crit "Some accounts have legacy password entry"
crit $RESULT
else
ok "All accounts have a valid password entry format"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if grep '^+:' $FILE -q; then
RESULT=$(grep '^+:' $FILE)
warn "Some accounts have legacy password entry"
for LINE in $RESULT; do
info "Removing $LINE from $FILE"
delete_line_in_file $FILE $LINE
done
else
ok "All accounts have a valid password entry format"
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

60
bin/hardening/13.4_remove_legacy_group_entries.sh Executable file
View File

@ -0,0 +1,60 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 13.4 Verify No Legacy "+" Entries Exist in /etc/group File (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
FILE='/etc/group'
RESULT=''
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if accounts have empty passwords"
if grep '^+:' $FILE -q; then
RESULT=$(grep '^+:' $FILE)
crit "Some accounts have legacy password entry"
crit $RESULT
else
ok "All accounts have a valid password entry format"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if grep '^+:' $FILE -q; then
RESULT=$(grep '^+:' $FILE)
warn "Some accounts have legacy password entry"
for LINE in $RESULT; do
info "Removing $LINE from $FILE"
delete_line_in_file $FILE $LINE
done
else
ok "All accounts have a valid password entry format"
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

64
bin/hardening/13.5_find_0_uid_non_root_account.sh Executable file
View File

@ -0,0 +1,64 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 13.5 Verify No UID 0 Accounts Exist Other Than root (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
FILE='/etc/passwd'
RESULT=''
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if accounts have uid 0"
RESULT=$(cat $FILE | awk -F: '($3 == 0 && $1!="root" ) { print $1 }')
for ACCOUNT in $RESULT; do
debug "Account : $ACCOUNT"
debug "Exceptions : $EXCEPTIONS"
debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT"
if echo "$EXCEPTIONS" | grep -q $ACCOUNT; then
debug "$ACCOUNT is confirmed as an exception"
RESULT=$(sed "s!$ACCOUNT!!" <<< "$RESULT")
else
debug "$ACCOUNT not found in exceptions"
fi
done
if [ ! -z "$RESULT" ]; then
crit "Some accounts have uid 0"
crit $RESULT
else
ok "No account with suid 0 apart root"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
info "Removing accounts with uid 0 may seriously harm your system, report only here"
}
# This function will check config parameters required
check_config() {
if [ -z "$EXCEPTIONS" ]; then
EXCEPTIONS="@"
fi
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

83
bin/hardening/13.6_sanitize_root_path.sh Executable file
View File

@ -0,0 +1,83 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 13.6 Ensure root PATH Integrity (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
ERRORS=0
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ "`echo $PATH | grep :: `" != "" ]; then
crit "Empty Directory in PATH (::)"
ERRORS=$((ERRORS+1))
fi
if [ "`echo $PATH | grep :$`" != "" ]; then
crit "Trailing : in PATH $PATH"
ERRORS=$((ERRORS+1))
fi
FORMATTED_PATH=$(echo $PATH | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g')
set -- $FORMATTED_PATH
while [ "${1:-}" != "" ]; do
if [ "$1" = "." ]; then
crit "PATH contains ."
ERRORS=$((ERRORS+1))
else
if [ -d $1 ]; then
dirperm=$(ls -ldH $1 | cut -f1 -d" ")
if [ $(echo $dirperm | cut -c6 ) != "-" ]; then
crit "Group Write permission set on directory $1"
ERRORS=$((ERRORS+1))
fi
if [ $(echo $dirperm | cut -c9 ) != "-" ]; then
crit "Other Write permission set on directory $1"
ERRORS=$((ERRORS+1))
fi
dirown=$(ls -ldH $1 | awk '{print $3}')
if [ "$dirown" != "root" ] ; then
crit "$1 is not owned by root"
ERRORS=$((ERRORS+1))
fi
else
crit "$1 is not a directory"
ERRORS=$((ERRORS+1))
fi
fi
shift
done
if [ $ERRORS = 0 ]; then
ok "root PATH is secure"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
info "Editing items from PATH may seriously harm your system, report only here"
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

108
bin/hardening/13.7_check_user_dir_perm.sh Executable file
View File

@ -0,0 +1,108 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 13.7 Check Permissions on User Home Directories (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
ERRORS=0
# This function will be called if the script status is on enabled / audit mode
audit () {
for dir in $(cat /etc/passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
debug "Working on $dir"
debug "Exceptions : $EXCEPTIONS"
debug "echo \"$EXCEPTIONS\" | grep -q $dir"
if echo "$EXCEPTIONS" | grep -q $dir; then
debug "$dir is confirmed as an exception"
RESULT=$(sed "s!$dir!!" <<< "$RESULT")
else
debug "$dir not found in exceptions"
fi
if [ -d $dir ]; then
dirperm=$(/bin/ls -ld $dir | cut -f1 -d" ")
if [ $(echo $dirperm | cut -c6 ) != "-" ]; then
crit "Group Write permission set on directory $dir"
ERRORS=$((ERRORS+1))
fi
if [ $(echo $dirperm | cut -c8 ) != "-" ]; then
crit "Other Read permission set on directory $dir"
ERRORS=$((ERRORS+1))
fi
if [ $(echo $dirperm | cut -c9 ) != "-" ]; then
crit "Other Write permission set on directory $dir"
ERRORS=$((ERRORS+1))
fi
if [ $(echo $dirperm | cut -c10 ) != "-" ]; then
crit "Other Execute permission set on directory $dir"
ERRORS=$((ERRORS+1))
fi
fi
done
if [ $ERRORS = 0 ]; then
ok "No incorrect permissions on home directories"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
for dir in $(cat /etc/passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
debug "Working on $dir"
debug "Exceptions : $EXCEPTIONS"
debug "echo \"$EXCEPTIONS\" | grep -q $dir"
if echo "$EXCEPTIONS" | grep -q $dir; then
debug "$dir is confirmed as an exception"
RESULT=$(sed "s!$dir!!" <<< "$RESULT")
else
debug "$dir not found in exceptions"
fi
if [ -d $dir ]; then
dirperm=$(/bin/ls -ld $dir | cut -f1 -d" ")
if [ $(echo $dirperm | cut -c6 ) != "-" ]; then
warn "Group Write permission set on directory $dir"
chmod g-w $dir
fi
if [ $(echo $dirperm | cut -c8 ) != "-" ]; then
warn "Other Read permission set on directory $dir"
chmod o-r $dir
fi
if [ $(echo $dirperm | cut -c9 ) != "-" ]; then
warn "Other Write permission set on directory $dir"
chmod o-w $dir
fi
if [ $(echo $dirperm | cut -c10 ) != "-" ]; then
warn "Other Execute permission set on directory $dir"
chmod o-x $dir
fi
fi
done
}
# This function will check config parameters required
check_config() {
if [ -z "$EXCEPTIONS" ]; then
EXCEPTIONS="@"
fi
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

76
bin/hardening/13.8_check_user_dot_file_perm.sh Executable file
View File

@ -0,0 +1,76 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 13.8 Check User Dot File Permissions (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
ERRORS=0
# This function will be called if the script status is on enabled / audit mode
audit () {
for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
debug "Working on $DIR"
for FILE in $DIR/.[A-Za-z0-9]*; do
if [ ! -h "$FILE" -a -f "$FILE" ]; then
FILEPERM=$(ls -ld $FILE | cut -f1 -d" ")
if [ $(echo $FILEPERM | cut -c6) != "-" ]; then
crit "Group Write permission set on FILE $FILE"
ERRORS=$((ERRORS+1))
fi
if [ $(echo $FILEPERM | cut -c9) != "-" ]; then
crit "Other Write permission set on FILE $FILE"
ERRORS=$((ERRORS+1))
fi
fi
done
done
if [ $ERRORS = 0 ]; then
ok "Dot file permission in users directories are correct"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
for FILE in $DIR/.[A-Za-z0-9]*; do
if [ ! -h "$FILE" -a -f "$FILE" ]; then
FILEPERM=$(ls -ld $FILE | cut -f1 -d" ")
if [ $(echo $FILEPERM | cut -c6) != "-" ]; then
warn "Group Write permission set on FILE $FILE"
chmod g-w $FILE
fi
if [ $(echo $FILEPERM | cut -c9) != "-" ]; then
warn "Other Write permission set on FILE $FILE"
chmod o-w $FILE
fi
fi
done
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

75
bin/hardening/13.9_set_perm_on_user_netrc.sh Executable file
View File

@ -0,0 +1,75 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 13.9 Check Permissions on User .netrc Files (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
PERMISSIONS="600"
ERRORS=0
# This function will be called if the script status is on enabled / audit mode
audit () {
for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
debug "Working on $DIR"
for FILE in $DIR/.netrc; do
if [ ! -h "$FILE" -a -f "$FILE" ]; then
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE has not $PERMISSIONS permissions set"
ERRORS=$((ERRORS+1))
fi
fi
done
done
if [ $ERRORS = 0 ]; then
ok "permission $PERMISSIONS set on .netrc users files"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
debug "Working on $DIR"
for FILE in $DIR/.netrc; do
if [ ! -h "$FILE" -a -f "$FILE" ]; then
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions"
else
warn "$FILE has not $PERMISSIONS permissions set"
chmod 600 $FILE
fi
fi
done
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

80
bin/hardening/2.10_home_nodev.sh Executable file
View File

@ -0,0 +1,80 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 2.10 Add nodev Option to /home (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# Quick factoring as many script use the same logic
PARTITION="/home"
OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
crit "$PARTITION have no option $OPTION in fstab !"
FNRET=1
else
ok "$PARTITION have $OPTION in fstab"
has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ $FNRET = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
elif [ $FNRET = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

68
bin/hardening/2.11_removable_device_nodev.sh Executable file
View File

@ -0,0 +1,68 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 2.11 Add nodev Option to Removable Media Partitions (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
# Quick factoring as many script use the same logic
PARTITION="/media\S*"
OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Verifying if there is $PARTITION like partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
ok "There is no partition like $PARTITION"
FNRET=0
else
info "detected $PARTITION like"
has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
crit "$PARTITION have no option $OPTION in fstab !"
FNRET=1
else
ok "$PARTITION have $OPTION in fstab"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

68
bin/hardening/2.12_removable_device_noexec.sh Executable file
View File

@ -0,0 +1,68 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 2.12 Add noexec Option to Removable Media Partitions (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
# Quick factoring as many script use the same logic
PARTITION="/media\S*"
OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Verifying if there is $PARTITION like partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
ok "There is no partition like $PARTITION"
FNRET=0
else
info "detected $PARTITION like"
has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
crit "$PARTITION have no option $OPTION in fstab !"
FNRET=1
else
ok "$PARTITION have $OPTION in fstab"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

68
bin/hardening/2.13_removable_device_nosuid.sh Executable file
View File

@ -0,0 +1,68 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 2.13 Add nosuid Option to Removable Media Partitions (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
# Quick factoring as many script use the same logic
PARTITION="/media\S*"
OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Verifying if there is $PARTITION like partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
ok "There is no partition like $PARTITION"
FNRET=0
else
info "detected $PARTITION like"
has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
crit "$PARTITION have no option $OPTION in fstab !"
FNRET=1
else
ok "$PARTITION have $OPTION in fstab"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

80
bin/hardening/2.14_run_shm_nodev.sh Executable file
View File

@ -0,0 +1,80 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 2.14 Add nodev Option to /run/shm Partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# Quick factoring as many script use the same logic
PARTITION="/run/shm"
OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
crit "$PARTITION have no option $OPTION in fstab !"
FNRET=1
else
ok "$PARTITION have $OPTION in fstab"
has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ $FNRET = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
elif [ $FNRET = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

80
bin/hardening/2.15_run_shm_nosuid.sh Executable file
View File

@ -0,0 +1,80 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 2.15 Add nosuid Option to /run/shm Partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# Quick factoring as many script use the same logic
PARTITION="/run/shm"
OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
crit "$PARTITION have no option $OPTION in fstab !"
FNRET=1
else
ok "$PARTITION have $OPTION in fstab"
has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ $FNRET = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
elif [ $FNRET = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

80
bin/hardening/2.16_run_shm_noexec.sh Executable file
View File

@ -0,0 +1,80 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 2.16 Add noexec Option to /run/shm Partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# Quick factoring as many script use the same logic
PARTITION="/run/shm"
OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
crit "$PARTITION have no option $OPTION in fstab !"
FNRET=1
else
ok "$PARTITION have $OPTION in fstab"
has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ $FNRET = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
elif [ $FNRET = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

55
bin/hardening/2.17_sticky_bit_world_writable_folder.sh Executable file
View File

@ -0,0 +1,55 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 2.17 Set Sticky Bit on All World-Writable Directories (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if setuid is set on world writable Directories"
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then
crit "Some world writable directories are not on sticky bit mode !"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT"
else
ok "All world writable directories have a sticky bit"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
else
ok "All world writable directories have a sticky bit, nothing to apply"
fi
}
# This function will check config parameters required
check_config() {
# No param for this function
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

57
bin/hardening/2.18_disable_cramfs.sh Executable file
View File

@ -0,0 +1,57 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 2.18 Disable Mounting of cramfs Filesystems (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
KERNEL_OPTION="cramfs"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled !"
else
ok "$KERNEL_OPTION is disabled"
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
is_kernel_option_enabled $KERNEL_OPTION
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
else
ok "$KERNEL_OPTION is disabled, nothing to do"
fi
:
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

57
bin/hardening/2.19_disable_freevxfs.sh Executable file
View File

@ -0,0 +1,57 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 2.19 Disable Mounting of freevxfs Filesystems (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
KERNEL_OPTION="freevxfs"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled !"
else
ok "$KERNEL_OPTION is disabled"
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
is_kernel_option_enabled $KERNEL_OPTION
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
else
ok "$KERNEL_OPTION is disabled, nothing to do"
fi
:
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

69
bin/hardening/2.1_tmp_partition.sh Executable file
View File

@ -0,0 +1,69 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 2.1 Create Separate Partition for /tmp (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# Quick factoring as many script use the same logic
PARTITION="/tmp"
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
is_mounted "$PARTITION"
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted"
FNRET=1
else
ok "$PARTITION is mounted"
fi
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
else
info "mounting $PARTITION"
mount $PARTITION
fi
}
# This function will check config parameters required
check_config() {
# No parameter for this script
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

57
bin/hardening/2.20_disable_jffs2.sh Executable file
View File

@ -0,0 +1,57 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 2.20 Disable Mounting of jffs2 Filesystems (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
KERNEL_OPTION="jffs2"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled !"
else
ok "$KERNEL_OPTION is disabled"
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
is_kernel_option_enabled $KERNEL_OPTION
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
else
ok "$KERNEL_OPTION is disabled, nothing to do"
fi
:
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

57
bin/hardening/2.21_disable_hfs.sh Executable file
View File

@ -0,0 +1,57 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 2.21 Disable Mounting of hfs Filesystems (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
KERNEL_OPTION="hfs"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled !"
else
ok "$KERNEL_OPTION is disabled"
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
is_kernel_option_enabled $KERNEL_OPTION
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
else
ok "$KERNEL_OPTION is disabled, nothing to do"
fi
:
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

57
bin/hardening/2.22_disable_hfsplus.sh Executable file
View File

@ -0,0 +1,57 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 2.22 Disable Mounting of hfsplus Filesystems (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
KERNEL_OPTION="hfsplus"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled !"
else
ok "$KERNEL_OPTION is disabled"
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
is_kernel_option_enabled $KERNEL_OPTION
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
else
ok "$KERNEL_OPTION is disabled, nothing to do"
fi
:
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

57
bin/hardening/2.23_disable_squashfs.sh Executable file
View File

@ -0,0 +1,57 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 2.23 Disable Mounting of squashfs Filesystems (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
KERNEL_OPTION="squashfs"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled !"
else
ok "$KERNEL_OPTION is disabled"
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
is_kernel_option_enabled $KERNEL_OPTION
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
else
ok "$KERNEL_OPTION is disabled, nothing to do"
fi
:
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

57
bin/hardening/2.24_disable_udf.sh Executable file
View File

@ -0,0 +1,57 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 2.24 Disable Mounting of udf Filesystems (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
KERNEL_OPTION="udf"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled !"
else
ok "$KERNEL_OPTION is disabled"
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
is_kernel_option_enabled $KERNEL_OPTION
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
else
ok "$KERNEL_OPTION is disabled, nothing to do"
fi
:
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

56
bin/hardening/2.25_disable_automounting.sh Executable file
View File

@ -0,0 +1,56 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 2.25 Disable Automounting (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
SERVICE_NAME="autofs"
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if $SERVICE_NAME is enabled"
is_service_enabled $SERVICE_NAME
if [ $FNRET = 0 ]; then
crit "$SERVICE_NAME is enabled"
else
ok "$SERVICE_NAME is disabled"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
info "Checking if $SERVICE_NAME is enabled"
is_service_enabled $SERVICE_NAME
if [ $FNRET = 0 ]; then
info "Disabling $SERVICE_NAME"
update-rc.d $SERVICE_NAME remove > /dev/null 2>&1
else
ok "$SERVICE_NAME is disabled"
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

80
bin/hardening/2.2_tmp_nodev.sh Executable file
View File

@ -0,0 +1,80 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 2.2 Set nodev option for /tmp Partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# Quick factoring as many script use the same logic
PARTITION="/tmp"
OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
crit "$PARTITION have no option $OPTION in fstab !"
FNRET=1
else
ok "$PARTITION have $OPTION in fstab"
has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ $FNRET = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
elif [ $FNRET = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

80
bin/hardening/2.3_tmp_nosuid.sh Executable file
View File

@ -0,0 +1,80 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 2.3 Set nosuid option for /tmp Partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# Quick factoring as many script use the same logic
PARTITION="/tmp"
OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
crit "$PARTITION have no option $OPTION in fstab !"
FNRET=1
else
ok "$PARTITION have $OPTION in fstab"
has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ $FNRET = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
elif [ $FNRET = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

80
bin/hardening/2.4_tmp_noexec.sh Executable file
View File

@ -0,0 +1,80 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 2.4 Set noexec option for /tmp Partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# Quick factoring as many script use the same logic
PARTITION="/tmp"
OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
crit "$PARTITION have no option $OPTION in fstab !"
FNRET=1
else
ok "$PARTITION have $OPTION in fstab"
has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ $FNRET = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
elif [ $FNRET = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

69
bin/hardening/2.5_var_partition.sh Executable file
View File

@ -0,0 +1,69 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 2.5 Create Separate Partition for /var (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# Quick factoring as many script use the same logic
PARTITION="/var"
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
is_mounted "$PARTITION"
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted"
FNRET=1
else
ok "$PARTITION is mounted"
fi
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
else
info "mounting $PARTITION"
mount $PARTITION
fi
}
# This function will check config parameters required
check_config() {
# No parameter for this script
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

69
bin/hardening/2.6.1_var_tmp_partition.sh Executable file
View File

@ -0,0 +1,69 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 2.6.1 Create Separate Partition for /var/tmp (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# Quick factoring as many script use the same logic
PARTITION="/var/tmp"
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
is_mounted "$PARTITION"
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted"
FNRET=1
else
ok "$PARTITION is mounted"
fi
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
else
info "mounting $PARTITION"
mount $PARTITION
fi
}
# This function will check config parameters required
check_config() {
# No parameter for this script
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

80
bin/hardening/2.6.2_var_tmp_nodev.sh Executable file
View File

@ -0,0 +1,80 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 2.6.2 Set nodev option for /var/tmp Partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# Quick factoring as many script use the same logic
PARTITION="/var/tmp"
OPTION="nodev"
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
crit "$PARTITION have no option $OPTION in fstab !"
FNRET=1
else
ok "$PARTITION have $OPTION in fstab"
has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ $FNRET = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
elif [ $FNRET = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

80
bin/hardening/2.6.3_var_tmp_nosuid.sh Executable file
View File

@ -0,0 +1,80 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 2.6.3 Set nosuid option for /var/tmp Partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# Quick factoring as many script use the same logic
PARTITION="/var/tmp"
OPTION="nosuid"
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
crit "$PARTITION have no option $OPTION in fstab !"
FNRET=1
else
ok "$PARTITION have $OPTION in fstab"
has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ $FNRET = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
elif [ $FNRET = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

80
bin/hardening/2.6.4_var_tmp_noexec.sh Executable file
View File

@ -0,0 +1,80 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 2.6.4 Set noexec option for /var/tmp Partition (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# Quick factoring as many script use the same logic
PARTITION="/var/tmp"
OPTION="noexec"
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
has_mount_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
crit "$PARTITION have no option $OPTION in fstab !"
FNRET=1
else
ok "$PARTITION have $OPTION in fstab"
has_mounted_option $PARTITION $OPTION
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted with $OPTION at runtime"
FNRET=3
else
ok "$PARTITION mounted with $OPTION"
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
elif [ $FNRET = 1 ]; then
info "Adding $OPTION to fstab"
add_option_to_fstab $PARTITION $OPTION
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
elif [ $FNRET = 3 ]; then
info "Remounting $PARTITION from fstab"
remount_partition $PARTITION
fi
}
# This function will check config parameters required
check_config() {
# No param for this script
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

69
bin/hardening/2.7_var_log_partition.sh Executable file
View File

@ -0,0 +1,69 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 2.7 Create Separate Partition for /var/log (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# Quick factoring as many script use the same logic
PARTITION="/var/log"
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
is_mounted "$PARTITION"
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted"
FNRET=1
else
ok "$PARTITION is mounted"
fi
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
else
info "mounting $PARTITION"
mount $PARTITION
fi
}
# This function will check config parameters required
check_config() {
# No parameter for this script
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

69
bin/hardening/2.8_var_log_audit_partition.sh Executable file
View File

@ -0,0 +1,69 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 2.8 Create Separate Partition for /var/log/audit (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# Quick factoring as many script use the same logic
PARTITION="/var/log/audit"
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
is_mounted "$PARTITION"
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted"
FNRET=1
else
ok "$PARTITION is mounted"
fi
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
else
info "mounting $PARTITION"
mount $PARTITION
fi
}
# This function will check config parameters required
check_config() {
# No parameter for this script
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

69
bin/hardening/2.9_home_partition.sh Executable file
View File

@ -0,0 +1,69 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 2.9 Create Separate Partition for /home (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# Quick factoring as many script use the same logic
PARTITION="/home"
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Verifying that $PARTITION is a partition"
FNRET=0
is_a_partition "$PARTITION"
if [ $FNRET -gt 0 ]; then
crit "$PARTITION is not a partition"
FNRET=2
else
ok "$PARTITION is a partition"
is_mounted "$PARTITION"
if [ $FNRET -gt 0 ]; then
warn "$PARTITION is not mounted"
FNRET=1
else
ok "$PARTITION is mounted"
fi
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "$PARTITION is correctly set"
elif [ $FNRET = 2 ]; then
crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
else
info "mounting $PARTITION"
mount $PARTITION
fi
}
# This function will check config parameters required
check_config() {
# No parameter for this script
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

78
bin/hardening/3.1_bootloader_ownership.sh Executable file
View File

@ -0,0 +1,78 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 3.1 Set User/Group Owner on bootloader config (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# Assertion : Grub Based.
FILE='/boot/grub/grub.cfg'
USER='root'
GROUP='root'
# This function will be called if the script status is on enabled / audit mode
audit () {
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE is not $USER:$GROUP ownership set"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
info "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE
fi
}
# This function will check config parameters required
check_config() {
is_pkg_installed "grub-pc"
if [ $FNRET != 0 ]; then
warn "Grub is not installed, not handling configuration"
exit 128
fi
does_user_exist $USER
if [ $FNRET != 0 ]; then
crit "$USER does not exist"
exit 128
fi
does_group_exist $GROUP
if [ $FNRET != 0 ]; then
crit "$GROUP does not exist"
exit 128
fi
does_file_exist $FILE
if [ $FNRET != 0 ]; then
crit "$FILE does not exist"
exit 128
fi
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

65
bin/hardening/3.2_bootloader_permissions.sh Executable file
View File

@ -0,0 +1,65 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 3.2 Set Permissions on bootloader config (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# Assertion : Grub Based.
FILE='/boot/grub/grub.cfg'
PERMISSIONS='400'
# This function will be called if the script status is on enabled / audit mode
audit () {
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE has not $PERMISSIONS permissions set"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0$PERMISSIONS $FILE
fi
}
# This function will check config parameters required
check_config() {
is_pkg_installed "grub-pc"
if [ $FNRET != 0 ]; then
warn "grub-pc is not installed, not handling configuration"
exit 128
fi
if [ $FNRET != 0 ]; then
crit "$FILE does not exist"
exit 128
fi
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

76
bin/hardening/3.3_bootloader_password.sh Executable file
View File

@ -0,0 +1,76 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 3.3 Set Boot Loader Password (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
FILE='/boot/grub/grub.cfg'
USER_PATTERN="^set superusers"
PWD_PATTERN="^password_pbkdf2"
# This function will be called if the script status is on enabled / audit mode
audit () {
does_pattern_exists_in_file $FILE "$USER_PATTERN"
if [ $FNRET != 0 ]; then
crit "$USER_PATTERN not present in $FILE"
else
ok "$USER_PATTERN is present in $FILE"
fi
does_pattern_exists_in_file $FILE "$PWD_PATTERN"
if [ $FNRET != 0 ]; then
crit "$PWD_PATTERN not present in $FILE"
else
ok "$PWD_PATTERN is present in $FILE"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_pattern_exists_in_file $FILE "$USER_PATTERN"
if [ $FNRET != 0 ]; then
warn "$USER_PATTERN not present in $FILE, please configure password for grub"
else
ok "$USER_PATTERN is present in $FILE"
fi
does_pattern_exists_in_file $FILE "$PWD_PATTERN"
if [ $FNRET != 0 ]; then
warn "$PWD_PATTERN not present in $FILE, please configure password for grub"
else
ok "$PWD_PATTERN is present in $FILE"
fi
:
}
# This function will check config parameters required
check_config() {
is_pkg_installed "grub-pc"
if [ $FNRET != 0 ]; then
warn "grub-pc is not installed, not handling configuration"
exit 128
fi
if [ $FNRET != 0 ]; then
crit "$FILE does not exist"
exit 128
fi
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

55
bin/hardening/3.4_root_password.sh Executable file
View File

@ -0,0 +1,55 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 3.4 Require Authentication for Single-User Mode (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
FILE="/etc/shadow"
PATTERN="^root:[*\!]:"
# This function will be called if the script status is on enabled / audit mode
audit () {
does_pattern_exists_in_file $FILE $PATTERN
if [ $FNRET != 1 ]; then
crit "$PATTERN present in $FILE"
else
ok "$PATTERN not present in $FILE"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_pattern_exists_in_file $FILE $PATTERN
if [ $FNRET != 1 ]; then
warn "$PATTERN present in $FILE, please put a root password"
else
ok "$PATTERN not present in $FILE"
fi
:
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

75
bin/hardening/4.1_restrict_core_dumps.sh Executable file
View File

@ -0,0 +1,75 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 4.1 Restrict Core Dumps (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
LIMIT_FILE='/etc/security/limits.conf'
LIMIT_PATTERN='^\*[[:space:]]*hard[[:space:]]*core[[:space:]]*0$'
SYSCTL_PARAM='fs.suid_dumpable'
SYSCTL_EXP_RESULT=0
# This function will be called if the script status is on enabled / audit mode
audit () {
does_pattern_exists_in_file $LIMIT_FILE $LIMIT_PATTERN
if [ $FNRET != 0 ]; then
crit "$LIMIT_PATTERN not present in $LIMIT_FILE"
else
ok "$LIMIT_PATTERN present in $LIMIT_FILE"
fi
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ $FNRET != 0 ]; then
crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !"
elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist, typo ?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_pattern_exists_in_file $LIMIT_FILE $LIMIT_PATTERN
if [ $FNRET != 0 ]; then
warn "$LIMIT_PATTERN not present in $LIMIT_FILE, addning at the end of $LIMIT_FILE"
add_end_of_file $LIMIT_FILE "* hard core 0"
else
ok "$LIMIT_PATTERN present in $LIMIT_FILE"
fi
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
if [ $FNRET != 0 ]; then
warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist, typo ?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

53
bin/hardening/4.2_enable_nx_support.sh Executable file
View File

@ -0,0 +1,53 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 4.2 Enable XD/NX Support on 32-bit x86 Systems (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
PATTERN='NX[[:space:]]\(Execute[[:space:]]Disable\)[[:space:]]protection:[[:space:]]active'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_pattern_exists_in_dmesg $PATTERN
if [ $FNRET != 0 ]; then
crit "$PATTERN not present in dmesg"
else
ok "$PATTERN present in dmesg"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_pattern_exists_in_dmesg $PATTERN
if [ $FNRET != 0 ]; then
crit "$PATTERN not present in dmesg, please go to the bios to activate this option or change for CPU compatible"
else
ok "$PATTERN present in dmesg"
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

59
bin/hardening/4.3_enable_randomized_vm_placement.sh Executable file
View File

@ -0,0 +1,59 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 4.3 Enable Randomized Virtual Memory Region Placement (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
SYSCTL_PARAM='kernel.randomize_va_space'
SYSCTL_EXP_RESULT=2
# This function will be called if the script status is on enabled / audit mode
audit () {
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then
crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !"
elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist, typo ?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
if [ $FNRET != 0 ]; then
warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it"
set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
elif [ $FNRET = 255 ]; then
warn "$SYSCTL_PARAM does not exist, typo ?"
else
ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

58
bin/hardening/4.4_disable_prelink.sh Executable file
View File

@ -0,0 +1,58 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 4.4 Disable Prelink (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
PACKAGE='prelink'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed !"
else
ok "$PACKAGE is absent"
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
/usr/sbin/prelink -ua
apt-get purge $PACKAGE -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
:
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

55
bin/hardening/4.5_enable_apparmor.sh Executable file
View File

@ -0,0 +1,55 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 4.5 Activate AppArmor (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
PACKAGE='apparmor'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is absent !"
else
ok "$PACKAGE is installed"
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed, please install $PACKAGE and configure it"
else
ok "$PACKAGE is installed"
fi
:
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

56
bin/hardening/5.1.1_disable_nis.sh Executable file
View File

@ -0,0 +1,56 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 5.1.1 Ensure NIS is not installed (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
PACKAGE='nis'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed !"
else
ok "$PACKAGE is absent"
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

88
bin/hardening/5.1.2_disable_rsh.sh Executable file
View File

@ -0,0 +1,88 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 5.1.2 Ensure rsh server is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# Based on aptitude search '~Prsh-server'
PACKAGES='rsh-server rsh-redone-server heimdal-servers'
FILE='/etc/inetd.conf'
PATTERN='^(shell|login|exec)'
# This function will be called if the script status is on enabled / audit mode
audit () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
warn "$PACKAGE is installed, checking configuration"
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exists_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, $PACKAGE services are enabled !"
else
ok "$PATTERN not present in $FILE"
fi
fi
else
ok "$PACKAGE is absent"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exists_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN not present in $FILE"
fi
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

60
bin/hardening/5.1.3_disable_rsh_client.sh Executable file
View File

@ -0,0 +1,60 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 5.1.3 Ensure rsh client is not installed (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# Based on aptitude search '~Prsh-client', exluding ssh-client OFC
PACKAGES='rsh-client rsh-redone-client heimdal-clients'
# This function will be called if the script status is on enabled / audit mode
audit () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed"
else
ok "$PACKAGE is absent"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
warn "$PACKAGE is installed, purging"
apt-get purge $PACKAGE -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

87
bin/hardening/5.1.4_disable_talk.sh Executable file
View File

@ -0,0 +1,87 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 5.1.4 Ensure talk server is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
PACKAGES='inetutils-talkd talkd'
FILE='/etc/inetd.conf'
PATTERN='^(talk|ntalk)'
# This function will be called if the script status is on enabled / audit mode
audit () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
warn "$PACKAGE is installed, checking configuration"
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exists_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, $PACKAGE services are enabled !"
else
ok "$PATTERN not present in $FILE"
fi
fi
else
ok "$PACKAGE is absent"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exists_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN not present in $FILE"
fi
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

59
bin/hardening/5.1.5_disable_talk_client.sh Executable file
View File

@ -0,0 +1,59 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 5.1.5 Ensure talk client is not installed (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
PACKAGES='talk inetutils-talk'
# This function will be called if the script status is on enabled / audit mode
audit () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed"
else
ok "$PACKAGE is absent"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
warn "$PACKAGE is installed, purging"
apt-get purge $PACKAGE -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

88
bin/hardening/5.1.6_disable_telnet_server.sh Executable file
View File

@ -0,0 +1,88 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 5.1.6 Ensure telnet server is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# Based on aptitude search '~Ptelnet-server'
PACKAGES='telnetd inetutils-telnetd telnetd-ssl krb5-telnetd heimdal-servers'
FILE='/etc/inetd.conf'
PATTERN='^telnet'
# This function will be called if the script status is on enabled / audit mode
audit () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
warn "$PACKAGE is installed, checking configuration"
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exists_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, $PACKAGE services are enabled !"
else
ok "$PATTERN not present in $FILE"
fi
fi
else
ok "$PACKAGE is absent"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exists_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN not present in $FILE"
fi
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

88
bin/hardening/5.1.7_disable_tftp_server.sh Executable file
View File

@ -0,0 +1,88 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 5.1.7 Ensure tftp-server is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
PACKAGES='tftpd tftpd-hpa atftpd'
FILE='/etc/inetd.conf'
PATTERN='^tftp'
# This function will be called if the script status is on enabled / audit mode
audit () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
warn "$PACKAGE is installed, checking configuration"
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exists_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, $PACKAGE services are enabled !"
else
ok "$PATTERN not present in $FILE"
fi
fi
else
ok "$PACKAGE is absent"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exists_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
echo "coucou"
else
ok "$PATTERN not present in $FILE"
fi
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

59
bin/hardening/5.1.8_disable_inetd.sh Executable file
View File

@ -0,0 +1,59 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 5.1.8 Ensure xinetd is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
PACKAGES='openbsd-inetd xinetd rlinetd'
# This function will be called if the script status is on enabled / audit mode
audit () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed"
else
ok "$PACKAGE is absent"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
warn "$PACKAGE is installed, purging"
apt-get purge $PACKAGE -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

68
bin/hardening/5.2_disable_chargen.sh Executable file
View File

@ -0,0 +1,68 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 5.2 Ensure chargen is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
FILE='/etc/inetd.conf'
PATTERN='^chargen'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exists_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, chargen services are enabled !"
else
ok "$PATTERN not present in $FILE"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exists_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN not present in $FILE"
fi
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

68
bin/hardening/5.3_disable_daytime.sh Executable file
View File

@ -0,0 +1,68 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 5.3 Ensure daytime is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
FILE='/etc/inetd.conf'
PATTERN='^daytime'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exists_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, chargen services are enabled !"
else
ok "$PATTERN not present in $FILE"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exists_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN not present in $FILE"
fi
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

68
bin/hardening/5.4_disable_echo.sh Executable file
View File

@ -0,0 +1,68 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 5.4 Ensure echo is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
FILE='/etc/inetd.conf'
PATTERN='^echo'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exists_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, chargen services are enabled !"
else
ok "$PATTERN not present in $FILE"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exists_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN not present in $FILE"
fi
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

68
bin/hardening/5.5_disable_discard.sh Executable file
View File

@ -0,0 +1,68 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 5.5 Ensure discard is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
FILE='/etc/inetd.conf'
PATTERN='^discard'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exists_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, chargen services are enabled !"
else
ok "$PATTERN not present in $FILE"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exists_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN not present in $FILE"
fi
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

68
bin/hardening/5.6_disable_time.sh Executable file
View File

@ -0,0 +1,68 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 5.6 Ensure time is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
FILE='/etc/inetd.conf'
PATTERN='^time'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exists_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, chargen services are enabled !"
else
ok "$PATTERN not present in $FILE"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exists_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN not present in $FILE"
fi
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

60
bin/hardening/6.10_disable_http_server.sh Executable file
View File

@ -0,0 +1,60 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 6.10 Ensure HTTP Server is not enabled (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# Based on aptitude search '~Phttpd'
PACKAGES='nginx apache2 lighttpd micro-httpd mini-httpd yaws boa bozohttpd'
# This function will be called if the script status is on enabled / audit mode
audit () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed !"
else
ok "$PACKAGE is absent"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

60
bin/hardening/6.11_disable_imap_pop.sh Executable file
View File

@ -0,0 +1,60 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 6.11 Ensure IMAP and POP server is not enabled (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# Based on aptitude search '~Pimap-server' and aptitude search '~Ppop3-server'
PACKAGES='citadel-server courier-imap cyrus-imapd-2.4 dovecot-imapd mailutils-imap4d courier-pop cyrus-pop3d-2.4 dovecot-pop3d heimdal-servers mailutils-pop3d popa3d solid-pop3d xmail'
# This function will be called if the script status is on enabled / audit mode
audit () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed !"
else
ok "$PACKAGE is absent"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

59
bin/hardening/6.12_disable_samba.sh Executable file
View File

@ -0,0 +1,59 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 6.12 Ensure Samba is not enabled (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
PACKAGES='samba'
# This function will be called if the script status is on enabled / audit mode
audit () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed !"
else
ok "$PACKAGE is absent"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

59
bin/hardening/6.13_diable_http_proxy.sh Executable file
View File

@ -0,0 +1,59 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 6.13 Ensure HTTP Proxy Server is not enabled (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
PACKAGES='squid3 squid'
# This function will be called if the script status is on enabled / audit mode
audit () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed !"
else
ok "$PACKAGE is absent"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

59
bin/hardening/6.14_disable_snmp_server.sh Executable file
View File

@ -0,0 +1,59 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 6.14 Ensure SNMP Server is not enabled (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
PACKAGES='snmpd'
# This function will be called if the script status is on enabled / audit mode
audit () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed !"
else
ok "$PACKAGE is absent"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
apt-get autoremove
else
ok "$PACKAGE is absent"
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

66
bin/hardening/6.15_mta_localhost.sh Executable file
View File

@ -0,0 +1,66 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 6.15 Configure Mail Transfer Agent for Local-Only Mode (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking netport ports opened"
eval 'RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]")'
debug "Result is $RESULT"
if [ -z "$RESULT" ]; then
ok "Nothing listens on 25 port, probably unix socket configured"
else
info "Checking $RESULT"
if $(grep -q "127.0.0.1" <<< $RESULT); then
ok "MTA is configured to localhost only"
else
crit "MTA listens worldwide"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
info "Checking netport ports opened"
eval 'RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]")'
debug "Result is $RESULT"
if [ -z "$RESULT" ]; then
ok "Nothing listens on 25 port, probably unix socket configured"
else
info "Checking $RESULT"
if $(grep -q "127.0.0.1" <<< $RESULT); then
ok "MTA is configured to localhost only"
else
warn "MTA listens worldwide, correct this considering your MTA"
fi
fi
:
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

Some files were not shown because too many files have changed in this diff Show More