diff --git a/README b/README
index 4d4935b..70d130e 100644
--- a/README
+++ b/README
@@ -1,2 +1,13 @@
 # CIS Debian 7 Hardening git repository
+# Authors : Thibault Dewailly, OVH
 # This is the code base which will be used to fill CIS hardening requirements
+
+# Hardening scripts :
+# bin/hardening : Every script has a .cfg associated, status must be defined here
+
+# Main script :
+# bin/hardening.sh : Will execute hardening according to configuration
+
+# Configuration
+# etc/hardening.cfg : Global variables defined such as backup directory, or log level
+# etc/conf.d : Folder with all .cfg associated to hardenign scripts
diff --git a/bin/hardening.sh b/bin/hardening.sh
new file mode 100755
index 0000000..27c2b8b
--- /dev/null
+++ b/bin/hardening.sh
@@ -0,0 +1,118 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# Main script : Execute hardening considering configuration
+#
+
+LONG_SCRIPT_NAME=$(basename $0)
+SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh}
+DISABLED_CHECKS=0
+PASSED_CHECKS=0
+FAILED_CHECKS=0
+TOTAL_CHECKS=0
+TOTAL_TREATED_CHECKS=0
+AUDIT=0
+APPLY=0
+
+usage() {
+ cat << EOF
+$LONG_SCRIPT_NAME ( --apply | -- audit ) < -h | --help >
+ --apply : Apply hardening if told in configuration
+ --audit : If script not disabled, audit configuration only
+ -h|--help : This help
+EOF
+ exit 0
+}
+
+if [ $# = 0 ]; then
+ usage
+fi
+
+# Arguments parsing
+while [[ $# > 0 ]]; do
+ ARG="$1"
+ case $ARG in
+ --audit)
+ AUDIT=1
+ ;;
+ --apply)
+ APPLY=1
+ ;;
+ -h|--help)
+ usage
+ ;;
+ *)
+ usage
+ ;;
+ esac
+ shift
+done
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh
+[ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg
+[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
+[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
+
+# Parse every scripts and execute them in the required mode
+for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening | sort -V); do
+ info "Treating $SCRIPT"
+
+ if [ $AUDIT = 1 ]; then
+ debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit"
+ $CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit
+ elif [ $APPLY = 1 ]; then
+ debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT"
+ $CIS_ROOT_DIR/bin/hardening/$SCRIPT
+ fi
+
+ SCRIPT_EXITCODE=$?
+
+ debug "Script $SCRIPT finished with exit code $SCRIPT_EXITCODE"
+ case $SCRIPT_EXITCODE in
+ 0)
+ debug "$SCRIPT passed"
+ PASSED_CHECKS=$((PASSED_CHECKS+1))
+ ;;
+ 1)
+ debug "$SCRIPT failed"
+ FAILED_CHECKS=$((FAILED_CHECKS+1))
+ ;;
+ 2)
+ debug "$SCRIPT is disabled"
+ DISABLED_CHECKS=$((DISABLED_CHECKS+1))
+ ;;
+ esac
+
+ TOTAL_CHECKS=$((TOTAL_CHECKS+1))
+
+done
+
+TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS-DISABLED_CHECKS))
+
+printf "%40s\n" "################### SUMMARY ###################"
+printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"
+printf "%30s %s\n" "Total Runned Checks :" "$TOTAL_TREATED_CHECKS"
+printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
+printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
+printf "%30s %.2f %%\n" "Enabled Checks Percentage :" "$( echo "($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100" | bc -l)"
+if [ $TOTAL_TREATED_CHECKS != 0 ]; then
+ printf "%30s %.2f %%\n" "Conformity Percentage :" "$( echo "($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100" | bc -l)"
+else
+ printf "%30s %s %%\n" "Conformity Percentage :" "N.A" # No check runned, avoid division by 0
+fi
diff --git a/bin/hardening/1.1_install_updates.sh b/bin/hardening/1.1_install_updates.sh
new file mode 100755
index 0000000..63acf4d
--- /dev/null
+++ b/bin/hardening/1.1_install_updates.sh
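Review bot: The `CIS_ROOT_DIR` guard says "aborting" but never exits: after `echo "No CIS_ROOT_DIR variable, aborting"` execution falls through, so the four `[ -r $CIS_ROOT_DIR/lib/... ] && . ...` lines quietly resolve to `/lib/constants.sh`, `/etc/hardening.cfg` and friends, and the `for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening ...)` loop lists `/bin/hardening` instead — since this presumably runs as root and sources whatever it finds, a stray or planted file at those paths would be executed. Add `exit 128` after the echo and quote the test (`if [ -z "$CIS_ROOT_DIR" ]; then`) so an unset variable is not handled as a one-operand test. Separately, `case $SCRIPT_EXITCODE in` only knows 0/1/2: a child that exits 128 (the convention the per-check scripts use for config and root-dir failures) is counted in `TOTAL_CHECKS` but in none of the passed/failed/disabled tallies, which silently inflates the conformity percentage; a `*) FAILED_CHECKS=$((FAILED_CHECKS+1)) ;;` arm would keep the summary honest. Note also that the usage text prints `-- audit` while the parser expects `--audit`.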
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 1.1 Install Updates, Patches and Additional Security Software (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Checking if apt needs an update"
+ apt_update_if_needed
+ info "Fetching upgrades ..."
+ apt_check_updates "CIS_APT"
+ if [ $FNRET -gt 0 ]; then
+ crit "$RESULT"
+ FNRET=1
+ else
+ ok "No upgrades available"
+ FNRET=0
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ if [ $FNRET -gt 0 ]; then
+ info "Applying Upgrades..."
+ DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' upgrade -y
+ else
+ ok "No Upgrades to apply"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ # No parameters for this function
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/10.1.1_set_password_exp_days.sh b/bin/hardening/10.1.1_set_password_exp_days.sh
new file mode 100755
index 0000000..039bb5c
--- /dev/null
+++ b/bin/hardening/10.1.1_set_password_exp_days.sh
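Review bot: `apply()` branches on `$FNRET` but never computes it: the only call to `apt_check_updates` is inside `audit()`, so unless lib/main.sh (not in this diff) always runs `audit` before `apply`, the apply path either dies under `set -u` on an unbound `FNRET` or, if the library pre-seeds it to 0, silently skips the upgrade while reporting "No Upgrades to apply". Calling `apt_check_updates "CIS_APT"` at the top of `apply()` would make the function self-contained; failing that, document the contract with a comment such as `# relies on audit() having populated FNRET`. It would also help to state in a comment why `apt-get upgrade` (which holds back packages whose dependencies changed) is preferred over `dist-upgrade` here, since a held-back security update is exactly what this check exists to catch.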
@@ -0,0 +1,85 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 10.1.1 Set Password Expiration Days (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='login' +OPTIONS='PASS_MAX_DAYS=90' +FILE='/etc/login.defs' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN not present in $FILE, adding it" + does_pattern_exists_in_file $FILE "^$SSH_PARAM" + if [ $FNRET != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + else + info "Parameter $SSH_PARAM is present but with the wrong value, correcting" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + fi + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! 
-r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/10.1.2_set_password_min_days_change.sh b/bin/hardening/10.1.2_set_password_min_days_change.sh new file mode 100755 index 0000000..cc0cdd8 --- /dev/null +++ b/bin/hardening/10.1.2_set_password_min_days_change.sh 
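Review bot: `PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"` has no end anchor, so `PASS_MAX_DAYS 900` (or `9000`) passes the audit as if it were 90, while a stricter `PASS_MAX_DAYS 60` is reported as crit and `apply()` then rewrites it to 90 — the remediation can loosen an already-tighter policy. Anchor the value, e.g. `PATTERN="^$SSH_PARAM[[:space:]]+$SSH_VALUE[[:space:]]*$"` (assuming `does_pattern_exists_in_file` uses extended regex; with basic regex use `[[:space:]]\{1,\}`), and consider accepting any value ≤ 90 instead of overwriting it. `/etc/login.defs` only affects accounts created afterwards; the benchmark also expects existing users to be updated with `chage --maxdays 90 <user>`, which neither function covers. The `SSH_OPTION`/`SSH_PARAM`/`SSH_VALUE` names look copied from the sshd checks and are misleading in a login.defs script.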
@@ -0,0 +1,85 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 10.1.2 Set Password Change Minimum Number of Days (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='login' +OPTIONS='PASS_MIN_DAYS=7' +FILE='/etc/login.defs' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN not present in $FILE, adding it" + does_pattern_exists_in_file $FILE "^$SSH_PARAM" + if [ $FNRET != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + else + info "Parameter $SSH_PARAM is present but with the wrong value, correcting" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + fi + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! 
-r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/10.1.3_set_password_exp_warning_days.sh b/bin/hardening/10.1.3_set_password_exp_warning_days.sh new file mode 100755 index 0000000..cef3353 --- /dev/null +++ b/bin/hardening/10.1.3_set_password_exp_warning_days.sh 
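Review bot: Both functions only edit `/etc/login.defs`, which governs accounts created from now on; existing users keep whatever minimum is recorded in field 4 of `/etc/shadow`, so a host can pass this audit while every real account still allows an immediate password change. The benchmark pairs the login.defs setting with `chage --mindays 7 <user>` for existing accounts; something like `awk -F: '$2 !~ /^[!*]/ && $4 < 7 {print $1}' /etc/shadow` in `audit()` and `chage --mindays 7` on the hits in `apply()` would close the gap. As in 10.1.1, `^$SSH_PARAM[[:space:]]*$SSH_VALUE` is unanchored at the end, so `PASS_MIN_DAYS 70` is accepted as 7.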
@@ -0,0 +1,85 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 10.1.3 Set Password Expiring Warning Days (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='login' +OPTIONS='PASS_MIN_DAYS=7' +FILE='/etc/login.defs' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN not present in $FILE, adding it" + does_pattern_exists_in_file $FILE "^$SSH_PARAM" + if [ $FNRET != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + else + info "Parameter $SSH_PARAM is present but with the wrong value, correcting" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + fi + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! 
-r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/10.2_disable_system_accounts.sh b/bin/hardening/10.2_disable_system_accounts.sh new file mode 100755 index 0000000..ab1ac15 --- /dev/null +++ b/bin/hardening/10.2_disable_system_accounts.sh 
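Review bot: This script is titled "10.1.3 Set Password Expiring Warning Days" but `OPTIONS='PASS_MIN_DAYS=7'` is copied verbatim from 10.1.2, so it audits and rewrites the minimum-age setting a second time and never touches the warning age; the benchmark's parameter is `PASS_WARN_AGE`, so the line should read `OPTIONS='PASS_WARN_AGE=7'`. As written, 10.1.2 and 10.1.3 will also fight over the same key if someone later changes one of them. Existing accounts additionally need `chage --warndays 7 <user>`, which the script does not cover.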
@@ -0,0 +1,90 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 10.2 Disable System Accounts (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +SHELL='/bin/false' +FILE='/etc/passwd' +RESULT='' + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Checking if admin accounts have login different from $SHELL" + RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}') + for LINE in $RESULT; do + debug "line : $LINE" + ACCOUNT=$( echo $LINE | cut -d: -f 1 ) + debug "Account : $ACCOUNT" + debug "Exceptions : $EXCEPTIONS" + debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT" + if echo "$EXCEPTIONS" | grep -q $ACCOUNT; then + debug "$ACCOUNT is confirmed as an exception" + RESULT=$(sed "s!$LINE!!" <<< "$RESULT") + else + debug "$ACCOUNT not found in exceptions" + fi + done + if [ ! -z "$RESULT" ]; then + crit "Some admin accounts have not $SHELL as shell" + crit "$RESULT" + else + ok "All admin accounts deactivated" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}') + for LINE in $RESULT; do + debug "line : $LINE" + ACCOUNT=$( echo $LINE | cut -d: -f 1 ) + debug "Account : $ACCOUNT" + debug "Exceptions : $EXCEPTIONS" + debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT" + if echo "$EXCEPTIONS" | grep -q $ACCOUNT; then + debug "$ACCOUNT is confirmed as an exception" + RESULT=$(sed "s!$LINE!!" <<< "$RESULT") + else + debug "$ACCOUNT not found in exceptions" + fi + done + if [ ! 
-z "$RESULT" ]; then + warn "Some admin accounts have not $SHELL as shell" + warn "$RESULT" + for USER in $( echo "$RESULT" | cut -d: -f 1 ); do + info "Setting $SHELL to $USER" + usermod -s $SHELL $USER + done + else + ok "All admin accounts deactivated, nothing to apply" + fi +} + +# This function will check config parameters required +check_config() { + if [ -z "$EXCEPTIONS" ]; then + EXCEPTIONS="@" + fi +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/10.3_default_root_group.sh b/bin/hardening/10.3_default_root_group.sh new file mode 100755 index 0000000..f2e5364 --- /dev/null +++ b/bin/hardening/10.3_default_root_group.sh 
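Review bot: `for LINE in $RESULT` word-splits the passwd output on whitespace, so any flagged entry whose GECOS field contains a space (Debian's stock `list:x:38:38:Mailing List Manager:/var/list:/bin/sh` is one) is handled as several fragments: the exception lookup runs on names such as `Mailing` and `Manager`, and when the real account is in `EXCEPTIONS` the `sed "s!$LINE!!"` strips only the first fragment, leaving ` List Manager:/var/list:/bin/sh` in `RESULT` so that `apply()` calls `usermod -s /bin/false List` and aborts under `set -e`. Iterate line by line — `while IFS= read -r LINE; do ... done <<< "$RESULT"` with `[ -z "$LINE" ] && continue` — and accumulate the non-exempt lines into a fresh variable instead of editing `RESULT` with an unescaped sed pattern. The exception test `grep -q $ACCOUNT` is also a substring match in the exceptions text, so listing `proftpd` exempts an account named `ftp`; match whole entries, e.g. `tr ' ' '\n' <<< "$EXCEPTIONS" | grep -qxF -- "$ACCOUNT"` (adjust to the .cfg separator, which is not visible here). `audit()` and `apply()` carry identical copies of this loop, so both need the fix or a shared helper.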
@@ -0,0 +1,53 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 10.3 Set Default Group for root Account (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +USER='root' +EXPECTED_GID='0' + +# This function will be called if the script status is on enabled / audit mode +audit () { + if [ $(grep "^root:" /etc/passwd | cut -f4 -d:) = 0 ]; then + ok "Root group has GID $EXPECTED_GID" + else + crit "Root group has not GID $EXPECTED_GID" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $(grep "^root:" /etc/passwd | cut -f4 -d:) = 0 ]; then + ok "Root group has GID $EXPECTED_GID" + else + warn "Root group has not GID $EXPECTED_GID" + usermod -g $EXPECTED_GID $USER + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/10.4_default_umask.sh b/bin/hardening/10.4_default_umask.sh new file mode 100755 index 0000000..6b30f3e --- /dev/null +++ b/bin/hardening/10.4_default_umask.sh 
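Review bot: The comparison hardcodes `= 0` instead of using the declared `$EXPECTED_GID`, and `$(grep "^root:" /etc/passwd | cut -f4 -d:)` is unquoted, so an empty lookup degenerates to `[ = 0 ]` and the script most likely reports a crit for a test syntax error rather than for a missing root entry. Prefer `if [ "$(getent passwd root | cut -d: -f4)" = "$EXPECTED_GID" ]; then` in both functions — quoted, driven by the constant, and honouring NSS rather than reading `/etc/passwd` directly. Assigning `USER='root'` also shadows the login-session `USER` inherited from the environment; harmless here, but a rename such as `TARGET_USER` or a one-line comment would avoid surprising the next reader.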
@@ -0,0 +1,59 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 10.4 Set Default umask for Users (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +USER='root' +PATTERN='umask 077' +FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d/* /etc/profile' +FILE='/etc/profile.d/CIS_10.4_umask.sh' + +# This function will be called if the script status is on enabled / audit mode +audit () { + does_pattern_exists_in_file "$FILES_TO_SEARCH" "^$PATTERN" + if [ $FNRET != 0 ]; then + crit "$PATTERN not present in $FILES_TO_SEARCH" + else + ok "$PATTERN present in $FILES_TO_SEARCH" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_pattern_exists_in_file "$FILES_TO_SEARCH" "^$PATTERN" + if [ $FNRET != 0 ]; then + warn "$PATTERN not present in $FILES_TO_SEARCH" + touch $FILE + chmod 644 $FILE + add_end_of_file $FILE "$PATTERN" + else + ok "$PATTERN present in $FILES_TO_SEARCH" + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/10.5_lock_inactive_user_account.sh b/bin/hardening/10.5_lock_inactive_user_account.sh new file mode 100755 index 0000000..6208f75 --- /dev/null +++ b/bin/hardening/10.5_lock_inactive_user_account.sh 
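Review bot: `PATTERN='umask 077'` serves both as the regex searched for and as the literal line `apply()` appends, and as a regex it is brittle: `umask	077` (tab), `umask 0077` or an indented `    umask 077` all fail the audit, after which apply adds a second umask file. Presence is also the only thing checked — a later `umask 022` in `/etc/profile`, or a script sorting after `CIS_10.4_umask.sh` in `/etc/profile.d`, overrides it invisibly. Separate the two roles (e.g. `UMASK_REGEX='^[[:space:]]*umask[[:space:]]+0?77'` for the search, `PATTERN` for the written line) and consider verifying the effective value of a login shell (`bash -lc umask`) rather than grepping. Note too that `/etc/bash.bashrc` governs interactive non-login shells, so a value set only under `/etc/profile.d` does not reach them.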
@@ -0,0 +1,45 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 10.5 Lock Inactive User Accounts (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Looking at the manual of useradd, it seems that this recommendation does not fill the title" + info "The number of days after a password expires until the account is permanently disabled." + info "Which is not inactive users per se" +} + +# This function will be called if the script status is on enabled mode +apply () { + info "Looking at the manual of useradd, it seems that this recommendation does not fill the title" + info "The number of days after a password expires until the account is permanently disabled." + info "Which is not inactive users per se" +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/11.1_warning_banners.sh b/bin/hardening/11.1_warning_banners.sh new file mode 100755 index 0000000..8285edf --- /dev/null +++ b/bin/hardening/11.1_warning_banners.sh 
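Review bot: This check is a no-op that prints three `info` lines and — assuming lib/main.sh maps a clean return to exit 0 — is tallied as a passed check by bin/hardening.sh, so the conformity summary improves while nothing was verified. The benchmark's 10.5 is implementable as written: it asks for the default inactivity lock `useradd -D -f 35`, which can be audited with `useradd -D | grep -q '^INACTIVE=35$'` (or `INACTIVE=35` in `/etc/default/useradd`) and remediated with `useradd -D -f 35`, plus `chage --inactive 35 <user>` for existing accounts. If the maintainers still consider the wording misleading, at least use `warn` rather than `info` so the gap shows up in reports.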
@@ -0,0 +1,79 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 11.1 Set Warning Banner for Standard Login Services (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PERMISSIONS='644' +USER='root' +GROUP='root' +FILES='/etc/motd /etc/issue /etc/issue.net' + +# This function will be called if the script status is on enabled / audit mode +audit () { + for FILE in $FILES; do + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + crit "$FILE is not $USER:$GROUP ownership set" + fi + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + crit "$FILE has not $PERMISSIONS permissions set" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + for FILE in $FILES; do + does_file_exist $FILE + if [ $FNRET != 0 ]; then + info "$FILE does not exist" + touch $FILE + fi + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + warn "$FILE is not $USER:$GROUP ownership set" + chown $USER:$GROUP $FILE + fi + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + info "fixing $FILE permissions to $PERMISSIONS" + chmod 0$PERMISSIONS $FILE + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh 
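Review bot: `apply()` creates a missing banner with a bare `touch $FILE`, so a freshly created `/etc/issue.net` is empty and the audit then passes on ownership and mode alone — the control's intent, an authorised-use warning shown at login, is never checked or written. When a file is created or empty, write the benchmark text, e.g. `echo "Authorized uses only. All activity may be monitored and reported." > "$FILE"`, and have `audit()` flag an empty file with `[ -s "$FILE" ]`. `audit()` also skips the `does_file_exist` call that `apply()` makes, so how a missing file is reported depends entirely on `has_file_correct_ownership`'s behaviour, which is not visible here.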
diff --git a/bin/hardening/11.2_remove_os_info_warning_banners.sh b/bin/hardening/11.2_remove_os_info_warning_banners.sh new file mode 100755 index 0000000..a622644 --- /dev/null +++ b/bin/hardening/11.2_remove_os_info_warning_banners.sh @@ -0,0 +1,59 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 11.2 Remove OS Information from Login Warning Banners (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILES='/etc/motd /etc/issue /etc/issue.net' +PATTERN='(\\v|\\r|\\m|\\s)' + +# This function will be called if the script status is on enabled / audit mode +audit () { + for FILE in $FILES; do + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + crit "$PATTERN is present in $FILE" + else + ok "$PATTERN is not present in $FILE" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + for FILE in $FILES; do + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + warn "$PATTERN is present in $FILE" + delete_line_in_file $FILE $PATTERN + else + ok "$PATTERN is not present in $FILE" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/11.3_graphical_warning_banners.sh b/bin/hardening/11.3_graphical_warning_banners.sh new file mode 100755 index 0000000..5dee2bb --- /dev/null +++ b/bin/hardening/11.3_graphical_warning_banners.sh 
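Review bot: `delete_line_in_file $FILE $PATTERN` drops the entire line whenever one of `\v \r \m \s` appears, so a banner such as `Welcome to \n, running \s \r` loses all of its text rather than just the two OS-revealing escapes; stripping them in place (`sed -i 's/\\[vrms]//g' -- "$FILE"`) keeps the rest of the line. Conversely the stock Debian 7 `/etc/issue` reads `Debian GNU/Linux 7 \n \l`, which contains none of the matched escapes and therefore passes this audit while disclosing distribution and version in clear text — complement the regex with a check for literal OS names, or overwrite the file with the approved banner. `$PATTERN` is passed unquoted; it holds no whitespace or glob characters today, but `"$PATTERN"` keeps that true after future edits to the alternation.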
@@ -0,0 +1,41 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 11.3 Set Graphical Warning Banner (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Not implemented yet" +} + +# This function will be called if the script status is on enabled mode +apply () { + info "Not implemented yet" +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/12.10_find_suid_files.sh b/bin/hardening/12.10_find_suid_files.sh new file mode 100755 index 0000000..6495b6a --- /dev/null +++ b/bin/hardening/12.10_find_suid_files.sh 
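Review bot: Both `audit()` and `apply()` only print `info "Not implemented yet"`, so if lib/main.sh maps a clean return to exit 0 this script is counted as a passed check by bin/hardening.sh and quietly raises the conformity percentage. Until the check exists, emit `warn "Not implemented yet"` (or return a status main.sh can map to "disabled") so the gap is visible in reports, and leave a `# TODO:` naming the display-manager banner setting that still has to be verified.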
@@ -0,0 +1,56 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 12.10 Find SUID System Executables (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Checking if there is suid files" + RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000 -print) + for BINARY in $RESULT; do + if grep -q $BINARY <<< "$EXCEPTIONS"; then + debug "$BINARY is confirmed as an exception" + RESULT=$(sed "s!$BINARY!!" <<< $RESULT) + fi + done + if [ ! -z "$RESULT" ]; then + crit "Some suid files are present" + FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ') + crit "$FORMATTED_RESULT" + else + ok "No unknown suid files found" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + info "Removing suid on valid binary may seriously harm your system, report only here" +} + +# This function will check config parameters required +check_config() { + # No param for this function + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/12.11_find_sgid_files.sh b/bin/hardening/12.11_find_sgid_files.sh new file mode 100755 index 0000000..0ca7f66 --- /dev/null +++ b/bin/hardening/12.11_find_sgid_files.sh 
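Review bot: `check_config()` here is an empty `:`, while the otherwise identical 12.11 script defaults `EXCEPTIONS="@"`; with `set -u`, if the .cfg for this check omits `EXCEPTIONS`, the `grep -q $BINARY <<< "$EXCEPTIONS"` line aborts on an unbound variable instead of reporting the SUID list. Mirror 12.11 with `check_config() { if [ -z "${EXCEPTIONS:-}" ]; then EXCEPTIONS="@"; fi; }`. `for BINARY in $RESULT` also splits on whitespace, so a SUID file whose path contains a space is compared and reported as fragments; `find ... -print0` read with `while IFS= read -r -d '' BINARY` (or at least a line-wise `while read`) avoids that. The `sed "s!$BINARY!!"` rewrite of `RESULT` treats the path as an unescaped regex (`.` matches anything), so building a filtered list instead of editing `RESULT` is both safer and simpler.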
@@ -0,0 +1,57 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 12.11 Find SGID System Executables (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Checking if there is sgid files" + RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000 -print) + for BINARY in $RESULT; do + if grep -q $BINARY <<< "$EXCEPTIONS"; then + debug "$BINARY is confirmed as an exception" + RESULT=$(sed "s!$BINARY!!" <<< $RESULT) + fi + done + if [ ! -z "$RESULT" ]; then + crit "Some sgid files are present" + FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ') + crit "$FORMATTED_RESULT" + else + ok "No unknown sgid files found" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + info "Removing sgid on valid binary may seriously harm your system, report only here" +} + +# This function will check config parameters required +check_config() { + if [ -z "$EXCEPTIONS" ]; then + EXCEPTIONS="@" + fi +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/12.1_etc_passwd_permissions.sh b/bin/hardening/12.1_etc_passwd_permissions.sh new file mode 100755 index 0000000..249c5d0 --- /dev/null +++ b/bin/hardening/12.1_etc_passwd_permissions.sh 
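Review bot: The exception test `grep -q $BINARY <<< "$EXCEPTIONS"` is a substring search, so any found path that is a prefix of an exception entry is treated as allowed — `/usr/bin/wall` is exempted by an exception list containing `/usr/bin/wallpaper`, for instance. Match whole entries instead, e.g. `tr ' ' '\n' <<< "$EXCEPTIONS" | grep -qxF -- "$BINARY"` (adjust the separator to whatever format the .cfg uses, which is not visible here). `FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq ...)` and the unquoted `<<< $RESULT` both assume SGID paths never contain spaces; the same line-wise handling suggested for 12.10 applies here.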
@@ -0,0 +1,55 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 12.1 Verify Permissions on /etc/passwd (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE='/etc/passwd' +PERMISSIONS='644' + +# This function will be called if the script status is on enabled / audit mode +audit () { + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + crit "$FILE has not $PERMISSIONS permissions set" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + info "fixing $FILE permissions to $PERMISSIONS" + chmod 0$PERMISSIONS $FILE + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/12.2_etc_shadow_permissions.sh b/bin/hardening/12.2_etc_shadow_permissions.sh new file mode 100755 index 0000000..7f51c02 --- /dev/null +++ b/bin/hardening/12.2_etc_shadow_permissions.sh 
@@ -0,0 +1,55 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 12.2 Verify Permissions on /etc/shadow (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE='/etc/shadow' +PERMISSIONS='640' + +# This function will be called if the script status is on enabled / audit mode +audit () { + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + crit "$FILE has not $PERMISSIONS permissions set" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + info "fixing $FILE permissions to $PERMISSIONS" + chmod 0$PERMISSIONS $FILE + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/12.3_etc_group_permissions.sh b/bin/hardening/12.3_etc_group_permissions.sh new file mode 100755 index 0000000..a3bdae1 --- /dev/null +++ b/bin/hardening/12.3_etc_group_permissions.sh 
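Review bot: If `has_file_correct_permissions` is an exact comparison (its implementation is not in this diff), a `/etc/shadow` already locked down to `0600` or `0000` fails the audit and `apply()` runs `chmod 0640`, loosening a secrets file; a permissions check on shadow should accept any mode at least as restrictive as 640 and only ever tighten. A comment on `PERMISSIONS='640'` stating that 640 is the Debian default for `root:shadow` and that stricter modes are acceptable would document the intent, and the apply branch could guard with a numeric comparison of `stat -c %a` against the target before calling chmod. The same remark applies to 12.1 and 12.3 but matters most here.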
@@ -0,0 +1,55 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 12.3 Verify Permissions on /etc/group (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/group'
+PERMISSIONS='644'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ crit "$FILE has not $PERMISSIONS permissions set"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ info "fixing $FILE permissions to $PERMISSIONS"
+ chmod 0$PERMISSIONS $FILE
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/12.4_etc_passwd_ownership.sh b/bin/hardening/12.4_etc_passwd_ownership.sh
new file mode 100755
index 0000000..51eb6da
--- /dev/null
+++ b/bin/hardening/12.4_etc_passwd_ownership.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 12.4 Verify User/Group Ownership on /etc/passwd (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/passwd'
+USER='root'
+GROUP='root'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ crit "$FILE is not $USER:$GROUP ownership set"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ info "fixing $FILE ownership to $USER:$GROUP"
+ chown $USER:$GROUP $FILE
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ does_user_exist $USER
+ if [ $FNRET != 0 ]; then
+ crit "$USER does not exist"
+ exit 128
+ fi
+ does_group_exist $GROUP
+ if [ $FNRET != 0 ]; then
+ crit "$GROUP does not exist"
+ exit 128
+ fi
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ crit "$FILE does not exist"
+ exit 128
+ fi
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/12.5_etc_shadow_ownership.sh b/bin/hardening/12.5_etc_shadow_ownership.sh
new file mode 100755
index 0000000..2e5ec7c
--- /dev/null
+++ b/bin/hardening/12.5_etc_shadow_ownership.sh
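Review bot: The failure message in audit, `crit "$FILE is not $USER:$GROUP ownership set"`, does not read as a sentence and hides the actual owner, which is the one fact an operator needs from an audit report. Suggest `crit "$FILE is owned by $(stat -c %U:%G "$FILE"), expected $USER:$GROUP"` so the finding is self-explanatory in logs. The same message is copied into 12.5 and 12.6 and should be changed there too.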
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 12.5 Verify User/Group Ownership on /etc/shadow (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/shadow'
+USER='root'
+GROUP='shadow'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ crit "$FILE is not $USER:$GROUP ownership set"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ info "fixing $FILE ownership to $USER:$GROUP"
+ chown $USER:$GROUP $FILE
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ does_user_exist $USER
+ if [ $FNRET != 0 ]; then
+ crit "$USER does not exist"
+ exit 128
+ fi
+ does_group_exist $GROUP
+ if [ $FNRET != 0 ]; then
+ crit "$GROUP does not exist"
+ exit 128
+ fi
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ crit "$FILE does not exist"
+ exit 128
+ fi
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/12.6_etc_group_ownership.sh b/bin/hardening/12.6_etc_group_ownership.sh
new file mode 100755
index 0000000..e89d807
--- /dev/null
+++ b/bin/hardening/12.6_etc_group_ownership.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 12.6 Verify User/Group Ownership on /etc/group (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/group'
+USER='root'
+GROUP='root'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ crit "$FILE is not $USER:$GROUP ownership set"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ info "fixing $FILE ownership to $USER:$GROUP"
+ chown $USER:$GROUP $FILE
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ does_user_exist $USER
+ if [ $FNRET != 0 ]; then
+ crit "$USER does not exist"
+ exit 128
+ fi
+ does_group_exist $GROUP
+ if [ $FNRET != 0 ]; then
+ crit "$GROUP does not exist"
+ exit 128
+ fi
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ crit "$FILE does not exist"
+ exit 128
+ fi
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/12.7_find_world_writable_file.sh b/bin/hardening/12.7_find_world_writable_file.sh
new file mode 100755
index 0000000..ec8d6f9
--- /dev/null
+++ b/bin/hardening/12.7_find_world_writable_file.sh
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 12.7 Find World Writable Files (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Checking if there is world writable files"
+ RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
+ if [ ! -z "$RESULT" ]; then
+ crit "Some world writable file are present"
+ FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
+ crit "$FORMATTED_RESULT"
+ else
+ ok "No world writable files found"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
+ if [ ! -z "$RESULT" ]; then
+ warn "chmoding o-w all files in the system"
+ df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null| xargs chmod o-w
+ else
+ ok "No world writable files found, nothing to apply"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ # No param for this function
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/12.8_find_unowned_files.sh b/bin/hardening/12.8_find_unowned_files.sh
new file mode 100755
index 0000000..db6858d
--- /dev/null
+++ b/bin/hardening/12.8_find_unowned_files.sh
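Review bot: The remediation in apply, `find ... -print 2>/dev/null| xargs chmod o-w`, feeds whitespace-separated paths to xargs, so a world-writable file whose name contains a space, quote or newline is split into several arguments and chmod is applied to the wrong paths (or fails under `set -e` and aborts the run). Let find do the work: `find '{}' -xdev -type f -perm -0002 -exec chmod o-w {} +` keeps each path as one argument with no quoting issues. The same path list is also computed twice in apply (once into RESULT, once for the chmod pipeline), which doubles a full filesystem walk; the `RESULT` test can simply guard the single find/-exec line. `sed "s/ /\n/g" <<< $RESULT` in audit has the same splitting problem for display, so `tr` on a quoted `"$RESULT"` would be safer.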
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 12.8 Find Un-owned Files and Directories (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+USER='root'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Checking if there is unowned files"
+ RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null)
+ if [ ! -z "$RESULT" ]; then
+ crit "Some world writable file are present"
+ FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
+ crit "$FORMATTED_RESULT"
+ else
+ ok "No world writable files found"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
+ if [ ! -z "$RESULT" ]; then
+ warn "chmowing all unowned files in the system"
+ df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown $USER
+ else
+ ok "No world writable files found, nothing to apply"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ # No param for this function
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/12.9_find_ungrouped_files.sh b/bin/hardening/12.9_find_ungrouped_files.sh
new file mode 100755
index 0000000..f1ed3c5
--- /dev/null
+++ b/bin/hardening/12.9_find_ungrouped_files.sh
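Review bot: The result messages are copied from 12.7 and report the wrong finding: this script looks for files with no owner, yet it prints `crit "Some world writable file are present"` and `ok "No world writable files found"`, so an auditor reading the log will misclassify the issue. Rename them to `crit "Some unowned files are present"` / `ok "No unowned files found"` (and `warn "chowning all unowned files in the system"` for the typo "chmowing"). The `xargs chown $USER` pipeline in apply has the same whitespace-splitting hazard as 12.7; `find '{}' -xdev -nouser -exec chown "$USER" {} +` avoids it, and audit uses `-print` while apply probes with `-ls`, which should be made consistent. 12.9 carries identical copy-pasted messages and the same xargs pattern with chgrp.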
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 12.9 Find Un-grouped Files and Directories (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+GROUP='root'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Checking if there is unowned files"
+ RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null)
+ if [ ! -z "$RESULT" ]; then
+ crit "Some world writable file are present"
+ FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
+ crit "$FORMATTED_RESULT"
+ else
+ ok "No world writable files found"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
+ if [ ! -z "$RESULT" ]; then
+ warn "chmowing all ungrouped files in the system"
+ df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp $GROUP
+ else
+ ok "No world writable files found, nothing to apply"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ # No param for this function
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/13.10_find_user_rhosts_files.sh b/bin/hardening/13.10_find_user_rhosts_files.sh
new file mode 100755
index 0000000..93aa00e
--- /dev/null
+++ b/bin/hardening/13.10_find_user_rhosts_files.sh
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 13.10 Check for Presence of User .rhosts Files (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+ERRORS=0
+FILENAME=".rhosts"
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+ debug "Working on $DIR"
+ for FILE in $DIR/$FILENAME; do
+ if [ ! -h "$FILE" -a -f "$FILE" ]; then
+ crit "$FILE present"
+ ERRORS=$((ERRORS+1))
+ fi
+ done
+ done
+
+ if [ $ERRORS = 0 ]; then
+ ok "No $FILENAME present in users files"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ info "If the audit returns something, please check with the user why he has this file"
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/13.11_find_passwd_group_inconsistencies.sh b/bin/hardening/13.11_find_passwd_group_inconsistencies.sh
new file mode 100755
index 0000000..1ee48b1
--- /dev/null
+++ b/bin/hardening/13.11_find_passwd_group_inconsistencies.sh
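Review bot: The account filter `egrep -v '(root|halt|sync|shutdown)'` matches anywhere in the passwd line, not just the user name, so any account whose name, GECOS or home path merely contains one of those substrings (for example a user named `syncer` or a home under `/srv/rootfs`) is silently skipped and its `.rhosts` never audited. Filter on the name field instead, inside the awk program: `awk -F: '$1 !~ /^(root|halt|sync|shutdown)$/ && $7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 != "/nonexistent" { print $6 }' /etc/passwd`. The `for DIR in $(...)` loop also word-splits home paths containing spaces; a `while IFS= read -r DIR` over the same pipeline avoids that. 13.18 and 13.19 use the identical loop and need the same change.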
@@ -0,0 +1,54 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 13.11 Check Groups in /etc/passwd (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+ERRORS=0
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+
+ for GROUP in $(cut -s -d: -f4 /etc/passwd | sort -u ); do
+ debug "Working on group $GROUP"
+ if ! grep -q -P "^.*?:[^:]*:$GROUP:" /etc/group; then
+ crit "Group $GROUP is referenced by /etc/passwd but does not exist in /etc/group"
+ ERRORS=$((ERRORS+1))
+ fi
+ done
+
+ if [ $ERRORS = 0 ]; then
+ ok "passwd and group Groups are consistent"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ info "Solving passwd and group consistency automatically may seriously harm your system, report only here"
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/13.12_users_valid_homedir.sh b/bin/hardening/13.12_users_valid_homedir.sh
new file mode 100755
index 0000000..f267331
--- /dev/null
+++ b/bin/hardening/13.12_users_valid_homedir.sh
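Review bot: The group lookup `grep -q -P "^.*?:[^:]*:$GROUP:" /etc/group` is a regex approximation of "field 3 equals $GROUP": the leading `^.*?:` is allowed to span colons, and it relies on the PCRE build of grep rather than checking the GID field directly. An exact field comparison is simpler and portable: `if ! awk -F: -v g="$GROUP" '$3 == g { found = 1 } END { exit !found }' /etc/group; then`. Interpolating `$GROUP` into a regex also means any unexpected character in that field changes the pattern's meaning, which the `-v` form avoids.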
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 13.12 Check That Users Are Assigned Valid Home Directories (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+ERRORS=0
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ RESULT=$(cat /etc/passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
+ for LINE in $RESULT; do
+ debug "Working on $LINE"
+ USER=$(awk -F: {'print $1'} <<< $LINE)
+ USERID=$(awk -F: {'print $2'} <<< $LINE)
+ DIR=$(awk -F: {'print $3'} <<< $LINE)
+ if [ $USERID -ge 1000 -a ! -d "$DIR" -a $USER != "nfsnobody" -a $USER != "nobody" ]; then
+ crit "The home directory ($DIR) of user $USER does not exist."
+ ERRORS=$((ERRORS+1))
+ fi
+ done
+
+ if [ $ERRORS = 0 ]; then
+ ok "All home directories exists"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ info "Modifying home directories may seriously harm your system, report only here"
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/13.13_check_user_homedir_ownership.sh b/bin/hardening/13.13_check_user_homedir_ownership.sh
new file mode 100755
index 0000000..206f56b
--- /dev/null
+++ b/bin/hardening/13.13_check_user_homedir_ownership.sh
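Review bot: The UID threshold is inconsistent between sibling checks: this script treats accounts with `$USERID -ge 1000` as regular users while 13.13 uses `-ge 500` for the same purpose, so the two audits cover different account sets on the same host. Pick one value (Debian's login.defs UID_MIN is the natural source) and, ideally, hoist it into a shared constant rather than a literal in each script. The loop also forks three awk processes per passwd entry and word-splits `$RESULT`, so a home path with a space breaks it; `while IFS=: read -r USER USERID DIR; do ... done < <(awk -F: '{ print $1 ":" $3 ":" $6 }' /etc/passwd)` reads the fields directly and handles such paths.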
@@ -0,0 +1,68 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 13.13 Check User Home Directory Ownership (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+ERRORS=0
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ RESULT=$(cat /etc/passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
+ for LINE in $RESULT; do
+ debug "Working on $LINE"
+ USER=$(awk -F: {'print $1'} <<< $LINE)
+ USERID=$(awk -F: {'print $2'} <<< $LINE)
+ DIR=$(awk -F: {'print $3'} <<< $LINE)
+ if [ $USERID -ge 500 -a -d "$DIR" -a $USER != "nfsnobody" ]; then
+ OWNER=$(stat -L -c "%U" "$DIR")
+ if [ "$OWNER" != "$USER" ]; then
+ crit "The home directory ($DIR) of user $USER is owned by $OWNER."
+ ERRORS=$((ERRORS+1))
+ fi
+ fi
+ done
+
+ if [ $ERRORS = 0 ]; then
+ ok "All home directories have correct ownership"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ cat /etc/passwd | awk -F: '{ print $1 " " $3 " " $6 }' | while read USER USERID DIR; do
+ if [ $USERID -ge 500 -a -d "$DIR" -a $USER != "nfsnobody" ]; then
+ OWNER=$(stat -L -c "%U" "$DIR")
+ if [ "$OWNER" != "$USER" ]; then
+ warn "The home directory ($DIR) of user $USER is owned by $OWNER."
+ chown $USER $DIR
+ fi
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
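Review bot: In apply, `chown $USER $DIR` is unquoted, so a home path with whitespace is split into several operands and the ownership change lands on the wrong paths (or fails and aborts the script under `set -e`), while `read` without `-r` mangles backslashes in the same fields; use `chown -- "$USER" "$DIR"` and `while read -r USER USERID DIR`. The audit side detects the owner through `stat -L`, which follows a symlinked home, and `chown` without `-h` follows it too, so the target of the link, not the entry itself, is what gets re-owned — worth a comment such as `# home entries are dereferenced: a symlinked home changes the link target's owner`. The `-ge 500` threshold also differs from the `-ge 1000` used in 13.12 and should be aligned.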
diff --git a/bin/hardening/13.14_check_duplicate_uid.sh b/bin/hardening/13.14_check_duplicate_uid.sh
new file mode 100755
index 0000000..4de08fc
--- /dev/null
+++ b/bin/hardening/13.14_check_duplicate_uid.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 13.14 Check for Duplicate UIDs (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+ERRORS=0
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ RESULT=$(cat /etc/passwd | cut -f3 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
+ for LINE in $RESULT; do
+ debug "Working on line $LINE"
+ OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)
+ USERID=$(awk -F: {'print $2'} <<< $LINE)
+ if [ $OCC_NUMBER -gt 1 ]; then
+ USERS=$(awk -F: '($3 == n) { print $1 }' n=$USERID /etc/passwd | xargs)
+ ERRORS=$((ERRORS+1))
+ crit "Duplicate UID ($USERID): ${USERS}"
+ fi
+ done
+
+ if [ $ERRORS = 0 ]; then
+ ok "No duplicate UIDs"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ info "Editing automatically uids may seriously harm your system, report only here"
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/13.15_check_duplicate_gid.sh b/bin/hardening/13.15_check_duplicate_gid.sh
new file mode 100755
index 0000000..1f93779
--- /dev/null
+++ b/bin/hardening/13.15_check_duplicate_gid.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 13.15 Check for Duplicate GIDs (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+ERRORS=0
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ RESULT=$(cat /etc/group | cut -f3 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
+ for LINE in $RESULT; do
+ debug "Working on line $LINE"
+ OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)
+ GROUPID=$(awk -F: {'print $2'} <<< $LINE)
+ if [ $OCC_NUMBER -gt 1 ]; then
+ USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPID /etc/passwd | xargs)
+ ERRORS=$((ERRORS+1))
+ crit "Duplicate GID ($GROUPID): ${USERS}"
+ fi
+ done
+
+ if [ $ERRORS = 0 ]; then
+ ok "No duplicate GIDs"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ info "Editing automatically gids may seriously harm your system, report only here"
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/13.16_check_duplicate_username.sh b/bin/hardening/13.16_check_duplicate_username.sh
new file mode 100755
index 0000000..6168eca
--- /dev/null
+++ b/bin/hardening/13.16_check_duplicate_username.sh
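Review bot: The duplicate is detected in /etc/group, but the names reported for it are looked up in the wrong file: `USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPID /etc/passwd | xargs)` lists the users whose UID happens to equal the duplicated GID, not the groups that share it, so the `crit "Duplicate GID ..."` line names unrelated accounts. Change the lookup source to /etc/group, `GROUPS_FOUND=$(awk -F: '($3 == n) { print $1 }' n="$GROUPID" /etc/group | xargs)`, and report that variable. This looks like a copy of the 13.14 loop where only the first pipeline was adapted.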
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 13.16 Check for Duplicate User Names (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+ERRORS=0
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ RESULT=$(cat /etc/passwd | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
+ for LINE in $RESULT; do
+ debug "Working on line $LINE"
+ OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)
+ USERNAME=$(awk -F: {'print $2'} <<< $LINE)
+ if [ $OCC_NUMBER -gt 1 ]; then
+ USERS=$(awk -F: '($3 == n) { print $1 }' n=$USERNAME /etc/passwd | xargs)
+ ERRORS=$((ERRORS+1))
+ crit "Duplicate username $USERNAME"
+ fi
+ done
+
+ if [ $ERRORS = 0 ]; then
+ ok "No duplicate usernames"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ info "Editing automatically username may seriously harm your system, report only here"
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/13.17_check_duplicate_groupname.sh b/bin/hardening/13.17_check_duplicate_groupname.sh
new file mode 100755
index 0000000..a1a2824
--- /dev/null
+++ b/bin/hardening/13.17_check_duplicate_groupname.sh
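Review bot: `USERS=$(awk -F: '($3 == n) { print $1 }' n=$USERNAME /etc/passwd | xargs)` compares the numeric UID field against a user name, so it never matches, and the variable is not used by the following `crit "Duplicate username $USERNAME"` anyway; it is leftover from 13.14 and should be deleted. `sort -n` on names is harmless but misleading, since `uniq -c` only needs adjacent duplicates; plain `sort` states the intent. 13.17 has the identical dead `USERS` assignment for group names and the same `sort -n`.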
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 13.17 Check for Duplicate Group Names (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+ERRORS=0
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ RESULT=$(cat /etc/group | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
+ for LINE in $RESULT; do
+ debug "Working on line $LINE"
+ OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)
+ GROUPNAME=$(awk -F: {'print $2'} <<< $LINE)
+ if [ $OCC_NUMBER -gt 1 ]; then
+ USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPNAME /etc/passwd | xargs)
+ ERRORS=$((ERRORS+1))
+ crit "Duplicate groupname $GROUPNAME"
+ fi
+ done
+
+ if [ $ERRORS = 0 ]; then
+ ok "No duplicate groupnames"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ info "Editing automatically groupname may seriously harm your system, report only here"
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/13.18_find_user_netrc_files.sh b/bin/hardening/13.18_find_user_netrc_files.sh
new file mode 100755
index 0000000..414254b
--- /dev/null
+++ b/bin/hardening/13.18_find_user_netrc_files.sh
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 13.18 Check for Presence of User .netrc Files (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+ERRORS=0
+FILENAME='.netrc'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+ debug "Working on $DIR"
+ for FILE in $DIR/$FILENAME; do
+ if [ ! -h "$FILE" -a -f "$FILE" ]; then
+ crit "$FILE present"
+ ERRORS=$((ERRORS+1))
+ fi
+ done
+ done
+
+ if [ $ERRORS = 0 ]; then
+ ok "No $FILENAME present in users files"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ info "If the audit returns something, please check with the user why he has this file"
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/13.19_find_user_forward_files.sh b/bin/hardening/13.19_find_user_forward_files.sh
new file mode 100755
index 0000000..8ff6648
--- /dev/null
+++ b/bin/hardening/13.19_find_user_forward_files.sh
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 13.19 Check for Presence of User .forward Files (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+ERRORS=0
+FILENAME='.forward'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+ debug "Working on $DIR"
+ for FILE in $DIR/$FILENAME; do
+ if [ ! -h "$FILE" -a -f "$FILE" ]; then
+ crit "$FILE present"
+ ERRORS=$((ERRORS+1))
+ fi
+ done
+ done
+
+ if [ $ERRORS = 0 ]; then
+ ok "No $FILENAME present in users files"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ info "If the audit returns something, please check with the user why he has this file"
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/13.1_remove_empty_password_field.sh b/bin/hardening/13.1_remove_empty_password_field.sh
new file mode 100755
index 0000000..469e84c
--- /dev/null
+++ b/bin/hardening/13.1_remove_empty_password_field.sh
@@ -0,0 +1,59 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 13.1 Ensure Password Fields are Not Empty (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/shadow'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Checking if accounts have empty passwords"
+ RESULT=$(cat $FILE | awk -F: '($2 == "" ) { print $1 }')
+ if [ ! -z "$RESULT" ]; then
+ crit "Some accounts have empty passwords"
+ crit $RESULT
+ else
+ ok "All accounts have a password"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ RESULT=$(cat $FILE | awk -F: '($2 == "" ) { print $1 }')
+ if [ ! -z "$RESULT" ]; then
+ warn "Some accounts have empty passwords"
+ for ACCOUNT in $RESULT; do
+ info "Locking $ACCOUNT"
+ passwd -l $ACCOUNT >/dev/null 2>&1
+ done
+ else
+ ok "All accounts have a password"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/13.20_shadow_group_empty.sh b/bin/hardening/13.20_shadow_group_empty.sh
new file mode 100755
index 0000000..dd23e41
--- /dev/null
+++ b/bin/hardening/13.20_shadow_group_empty.sh
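Review bot: The audit can report a false pass when /etc/shadow is not readable: `RESULT=$(cat $FILE | awk ...)` takes awk's exit status, so a permission-denied `cat` (running unprivileged) leaves RESULT empty and the script prints `ok "All accounts have a password"` instead of failing. Add `set -o pipefail` beside `set -e`, or put `[ -r "$FILE" ] || { crit "Cannot read $FILE"; exit 128; }` at the top of audit; check_config is the natural place for that readability test. In apply, `passwd -l $ACCOUNT >/dev/null 2>&1` discards the diagnostic, so a failing lock aborts the loop under `set -e` with no explanation; `passwd -l "$ACCOUNT" >/dev/null || crit "Could not lock $ACCOUNT"` keeps the failure visible. The same unchecked `cat file | awk` read pattern appears in several other scripts of this commit.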
@@ -0,0 +1,66 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 13.20 Ensure shadow group is empty (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+ERRORS=0
+FILEGROUP='/etc/group'
+PATTERN='^shadow:x:[[:digit:]]+:'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ does_pattern_exists_in_file $FILEGROUP $PATTERN
+ if [ $FNRET = 0 ]; then
+ info "shadow group exists"
+ RESULT=$(grep -E "$PATTERN" $FILEGROUP | cut -d: -f4)
+ GROUPID=$(getent group shadow | cut -d: -f3)
+ debug "$RESULT $GROUPID"
+ if [ ! -z "$RESULT" ]; then
+ crit "Some user belong to shadow group : $RESULT"
+ else
+ ok "No one belongs to shadow group"
+ fi
+
+ info "Checking if a user has $GROUPID as primary group"
+ RESULT=$(awk -F: '($4 == shadowid) { print $1 }' shadowid=$GROUPID /etc/passwd)
+ if [ ! -z "$RESULT" ]; then
+ crit "Some user have shadow id to their primary group : $RESULT"
+ else
+ ok "No one have shadow id to their primary group"
+ fi
+ else
+ crit "shadow group doesn't exist"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ info "If the audit returns something, please check with the user why he has this file"
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/13.2_remove_legacy_passwd_entries.sh b/bin/hardening/13.2_remove_legacy_passwd_entries.sh
new file mode 100755
index 0000000..5c4f341
--- /dev/null
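Review bot: The apply message `If the audit returns something, please check with the user why he has this file` is copied from 13.19 and talks about a file, but this control is about shadow group membership, so the operator guidance does not match what audit reports; `info "If the audit returns something, remove the reported users from the shadow group or change their primary group"` would. Also `does_pattern_exists_in_file $FILEGROUP $PATTERN` passes `$PATTERN` unquoted although it contains `[[:digit:]]`, which the shell treats as a glob before the helper sees it; quoting both arguments, `does_pattern_exists_in_file "$FILEGROUP" "$PATTERN"`, removes the dependence on the current directory's contents, and the later `grep -E "$PATTERN"` already does it that way.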
+++ b/bin/hardening/13.2_remove_legacy_passwd_entries.sh
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 13.2 Verify No Legacy "+" Entries Exist in /etc/passwd File (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/passwd'
+RESULT=''
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Checking if accounts have empty passwords"
+ if grep '^+:' $FILE -q; then
+ RESULT=$(grep '^+:' $FILE)
+ crit "Some accounts have legacy password entry"
+ crit $RESULT
+ else
+ ok "All accounts have a valid password entry format"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ if grep '^+:' $FILE -q; then
+ RESULT=$(grep '^+:' $FILE)
+ warn "Some accounts have legacy password entry"
+ for LINE in $RESULT; do
+ info "Removing $LINE from $FILE"
+ delete_line_in_file $FILE $LINE
+ done
+ else
+ ok "All accounts have a valid password entry format"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/13.3_remove_legacy_shadow_entries.sh b/bin/hardening/13.3_remove_legacy_shadow_entries.sh
new file mode 100755
index 0000000..b88932b
--- /dev/null
+++ b/bin/hardening/13.3_remove_legacy_shadow_entries.sh
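Review bot: In apply, `for LINE in $RESULT` word-splits the matched passwd lines on whitespace, so a legacy `+` entry whose GECOS field contains a space is handed to `delete_line_in_file` as several fragments, none of which is the full line; iterating with `while IFS= read -r LINE; do ... done <<< "$RESULT"` passes each matched line whole, and quoting the call, `delete_line_in_file "$FILE" "$LINE"`, keeps it that way. The audit's opening `info "Checking if accounts have empty passwords"` is copied from 13.1 and describes a different control; `info "Checking for legacy + entries in $FILE"` would match the log line to what is checked. Both points apply unchanged to 13.3 and 13.4 in this commit, and whether `delete_line_in_file` takes its argument as a literal or as a regex (where the leading `+` would matter) is not visible in this chunk.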
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 13.3 Verify No Legacy "+" Entries Exist in /etc/shadow File (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/shadow'
+RESULT=''
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Checking if accounts have empty passwords"
+ if grep '^+:' $FILE -q; then
+ RESULT=$(grep '^+:' $FILE)
+ crit "Some accounts have legacy password entry"
+ crit $RESULT
+ else
+ ok "All accounts have a valid password entry format"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ if grep '^+:' $FILE -q; then
+ RESULT=$(grep '^+:' $FILE)
+ warn "Some accounts have legacy password entry"
+ for LINE in $RESULT; do
+ info "Removing $LINE from $FILE"
+ delete_line_in_file $FILE $LINE
+ done
+ else
+ ok "All accounts have a valid password entry format"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/13.4_remove_legacy_group_entries.sh b/bin/hardening/13.4_remove_legacy_group_entries.sh
new file mode 100755
index 0000000..5980c90
--- /dev/null
+++ b/bin/hardening/13.4_remove_legacy_group_entries.sh
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 13.4 Verify No Legacy "+" Entries Exist in /etc/group File (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/group'
+RESULT=''
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Checking if accounts have empty passwords"
+ if grep '^+:' $FILE -q; then
+ RESULT=$(grep '^+:' $FILE)
+ crit "Some accounts have legacy password entry"
+ crit $RESULT
+ else
+ ok "All accounts have a valid password entry format"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ if grep '^+:' $FILE -q; then
+ RESULT=$(grep '^+:' $FILE)
+ warn "Some accounts have legacy password entry"
+ for LINE in $RESULT; do
+ info "Removing $LINE from $FILE"
+ delete_line_in_file $FILE $LINE
+ done
+ else
+ ok "All accounts have a valid password entry format"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/13.5_find_0_uid_non_root_account.sh b/bin/hardening/13.5_find_0_uid_non_root_account.sh
new file mode 100755
index 0000000..40e2173
--- /dev/null
+++ b/bin/hardening/13.5_find_0_uid_non_root_account.sh
@@ -0,0 +1,64 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 13.5 Verify No UID 0 Accounts Exist Other Than root (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/passwd'
+RESULT=''
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Checking if accounts have uid 0"
+ RESULT=$(cat $FILE | awk -F: '($3 == 0 && $1!="root" ) { print $1 }')
+ for ACCOUNT in $RESULT; do
+ debug "Account : $ACCOUNT"
+ debug "Exceptions : $EXCEPTIONS"
+ debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT"
+ if echo "$EXCEPTIONS" | grep -q $ACCOUNT; then
+ debug "$ACCOUNT is confirmed as an exception"
+ RESULT=$(sed "s!$ACCOUNT!!" <<< "$RESULT")
+ else
+ debug "$ACCOUNT not found in exceptions"
+ fi
+ done
+ if [ ! -z "$RESULT" ]; then
+ crit "Some accounts have uid 0"
+ crit $RESULT
+ else
+ ok "No account with suid 0 apart root"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ info "Removing accounts with uid 0 may seriously harm your system, report only here"
+}
+
+# This function will check config parameters required
+check_config() {
+ if [ -z "$EXCEPTIONS" ]; then
+ EXCEPTIONS="@"
+ fi
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/13.6_sanitize_root_path.sh b/bin/hardening/13.6_sanitize_root_path.sh
new file mode 100755
index 0000000..36178d4
--- /dev/null
+++ b/bin/hardening/13.6_sanitize_root_path.sh
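Review bot: The exception test `echo "$EXCEPTIONS" | grep -q $ACCOUNT` is an unanchored substring match, and the follow-up `sed "s!$ACCOUNT!!"` deletes that substring wherever it occurs, so an exception such as `sysadmin` silently whitelists UID-0 accounts named `admin` or `sys`, and an exception `adm` turns an offending `admin` into `in` in the report; for a scored control that is a false negative. Matching whole words and filtering whole lines fixes both: `if echo "$EXCEPTIONS" | grep -qw -- "$ACCOUNT"; then` and `RESULT=$(grep -vx -- "$ACCOUNT" <<< "$RESULT" || true)`, where the `|| true` keeps `set -e` from aborting when the last remaining account is removed. This assumes EXCEPTIONS is a whitespace-separated list of login names, as the `@` default in check_config suggests; the format is defined in the configuration, which is not in this chunk.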
@@ -0,0 +1,83 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 13.6 Ensure root PATH Integrity (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+ERRORS=0
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ if [ "`echo $PATH | grep :: `" != "" ]; then
+ crit "Empty Directory in PATH (::)"
+ ERRORS=$((ERRORS+1))
+ fi
+ if [ "`echo $PATH | grep :$`" != "" ]; then
+ crit "Trailing : in PATH $PATH"
+ ERRORS=$((ERRORS+1))
+ fi
+ FORMATTED_PATH=$(echo $PATH | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g')
+ set -- $FORMATTED_PATH
+ while [ "${1:-}" != "" ]; do
+ if [ "$1" = "." ]; then
+ crit "PATH contains ."
+ ERRORS=$((ERRORS+1))
+ else
+ if [ -d $1 ]; then
+ dirperm=$(ls -ldH $1 | cut -f1 -d" ")
+ if [ $(echo $dirperm | cut -c6 ) != "-" ]; then
+ crit "Group Write permission set on directory $1"
+ ERRORS=$((ERRORS+1))
+ fi
+ if [ $(echo $dirperm | cut -c9 ) != "-" ]; then
+ crit "Other Write permission set on directory $1"
+ ERRORS=$((ERRORS+1))
+ fi
+ dirown=$(ls -ldH $1 | awk '{print $3}')
+ if [ "$dirown" != "root" ] ; then
+ crit "$1 is not owned by root"
+ ERRORS=$((ERRORS+1))
+ fi
+ else
+ crit "$1 is not a directory"
+ ERRORS=$((ERRORS+1))
+ fi
+ fi
+ shift
+ done
+
+ if [ $ERRORS = 0 ]; then
+ ok "root PATH is secure"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ info "Editing items from PATH may seriously harm your system, report only here"
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . 
/etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/13.7_check_user_dir_perm.sh b/bin/hardening/13.7_check_user_dir_perm.sh
new file mode 100755
index 0000000..c34a96d
--- /dev/null
+++ b/bin/hardening/13.7_check_user_dir_perm.sh
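Review bot: audit derives the mode and owner of each PATH entry from `ls -ldH $1 | cut -f1 -d" "` and a second `ls -ldH $1 | awk '{print $3}'`, which forks four processes per directory, depends on `ls` column layout and expands `$1` unquoted; `dirperm=$(stat -L -c '%A' -- "$1")` and `dirown=$(stat -L -c '%U' -- "$1")` give the same `drwxr-xr-x` string and owner name with one call each (GNU coreutils, standard on Debian). Also worth stating in the header comment that the check inspects the `$PATH` inherited by the process running this script rather than root's configured login PATH, so the result depends on how hardening.sh is invoked (cron, sudo, interactive shell): `# NOTE: audits $PATH as inherited by this process, not root's login PATH`. The `set -- $FORMATTED_PATH` rewrite also splits a PATH entry containing whitespace into two entries, which is probably acceptable for root's PATH but deserves a one-line comment.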
@@ -0,0 +1,108 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 13.7 Check Permissions on User Home Directories (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+ERRORS=0
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for dir in $(cat /etc/passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+ debug "Working on $dir"
+ debug "Exceptions : $EXCEPTIONS"
+ debug "echo \"$EXCEPTIONS\" | grep -q $dir"
+ if echo "$EXCEPTIONS" | grep -q $dir; then
+ debug "$dir is confirmed as an exception"
+ RESULT=$(sed "s!$dir!!" <<< "$RESULT")
+ else
+ debug "$dir not found in exceptions"
+ fi
+ if [ -d $dir ]; then
+ dirperm=$(/bin/ls -ld $dir | cut -f1 -d" ")
+ if [ $(echo $dirperm | cut -c6 ) != "-" ]; then
+ crit "Group Write permission set on directory $dir"
+ ERRORS=$((ERRORS+1))
+ fi
+ if [ $(echo $dirperm | cut -c8 ) != "-" ]; then
+ crit "Other Read permission set on directory $dir"
+ ERRORS=$((ERRORS+1))
+ fi
+ if [ $(echo $dirperm | cut -c9 ) != "-" ]; then
+ crit "Other Write permission set on directory $dir"
+ ERRORS=$((ERRORS+1))
+ fi
+ if [ $(echo $dirperm | cut -c10 ) != "-" ]; then
+ crit "Other Execute permission set on directory $dir"
+ ERRORS=$((ERRORS+1))
+ fi
+ fi
+ done
+
+ if [ $ERRORS = 0 ]; then
+ ok "No incorrect permissions on home directories"
+ fi
+
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ for dir in $(cat /etc/passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+ debug "Working on $dir"
+ debug "Exceptions : $EXCEPTIONS"
+ debug "echo \"$EXCEPTIONS\" | grep -q $dir"
+ if echo "$EXCEPTIONS" | grep -q $dir; then
+ debug "$dir is confirmed as an exception"
+ RESULT=$(sed "s!$dir!!" 
<<< "$RESULT")
+ else
+ debug "$dir not found in exceptions"
+ fi
+ if [ -d $dir ]; then
+ dirperm=$(/bin/ls -ld $dir | cut -f1 -d" ")
+ if [ $(echo $dirperm | cut -c6 ) != "-" ]; then
+ warn "Group Write permission set on directory $dir"
+ chmod g-w $dir
+ fi
+ if [ $(echo $dirperm | cut -c8 ) != "-" ]; then
+ warn "Other Read permission set on directory $dir"
+ chmod o-r $dir
+ fi
+ if [ $(echo $dirperm | cut -c9 ) != "-" ]; then
+ warn "Other Write permission set on directory $dir"
+ chmod o-w $dir
+ fi
+ if [ $(echo $dirperm | cut -c10 ) != "-" ]; then
+ warn "Other Execute permission set on directory $dir"
+ chmod o-x $dir
+ fi
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ if [ -z "$EXCEPTIONS" ]; then
+ EXCEPTIONS="@"
+ fi
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/13.8_check_user_dot_file_perm.sh b/bin/hardening/13.8_check_user_dot_file_perm.sh
new file mode 100755
index 0000000..d00379e
--- /dev/null
+++ b/bin/hardening/13.8_check_user_dot_file_perm.sh
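Review bot: The exception branch in both audit and apply is copied from 13.5 and does not work here: `RESULT=$(sed "s!$dir!!" <<< "$RESULT")` reads RESULT, which this script never assigns, so unless one of the sourced libs defines it the first home directory listed in EXCEPTIONS trips `set -u` and aborts the run, and even if it did not, the following `if [ -d $dir ]` block still checks and, in apply, chmods the excepted directory. Replacing the sed line with `continue` in both functions skips the directory as intended, and tightening the test to `if echo "$EXCEPTIONS" | grep -qw -- "$dir"; then` stops `/home/foo` from being treated as an exception merely because `/home/foobar` is listed. Since apply removes world read and execute from every home directory, a comment there noting that services which serve files out of user homes will need an entry in EXCEPTIONS would save operators a surprise.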
@@ -0,0 +1,76 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 13.8 Check User Dot File Permissions (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+ERRORS=0
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+ debug "Working on $DIR"
+ for FILE in $DIR/.[A-Za-z0-9]*; do
+ if [ ! -h "$FILE" -a -f "$FILE" ]; then
+ FILEPERM=$(ls -ld $FILE | cut -f1 -d" ")
+ if [ $(echo $FILEPERM | cut -c6) != "-" ]; then
+ crit "Group Write permission set on FILE $FILE"
+ ERRORS=$((ERRORS+1))
+ fi
+ if [ $(echo $FILEPERM | cut -c9) != "-" ]; then
+ crit "Other Write permission set on FILE $FILE"
+ ERRORS=$((ERRORS+1))
+ fi
+ fi
+ done
+ done
+
+ if [ $ERRORS = 0 ]; then
+ ok "Dot file permission in users directories are correct"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+ for FILE in $DIR/.[A-Za-z0-9]*; do
+ if [ ! -h "$FILE" -a -f "$FILE" ]; then
+ FILEPERM=$(ls -ld $FILE | cut -f1 -d" ")
+ if [ $(echo $FILEPERM | cut -c6) != "-" ]; then
+ warn "Group Write permission set on FILE $FILE"
+ chmod g-w $FILE
+ fi
+ if [ $(echo $FILEPERM | cut -c9) != "-" ]; then
+ warn "Other Write permission set on FILE $FILE"
+ chmod o-w $FILE
+ fi
+ fi
+ done
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . 
/etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/13.9_set_perm_on_user_netrc.sh b/bin/hardening/13.9_set_perm_on_user_netrc.sh
new file mode 100755
index 0000000..d6f8e8e
--- /dev/null
+++ b/bin/hardening/13.9_set_perm_on_user_netrc.sh
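Review bot: The dot-file loop expands `$FILE` unquoted in `ls -ld $FILE` and in `chmod g-w $FILE` / `chmod o-w $FILE`, so a dot file whose name contains whitespace is split into several arguments and the permission read and the fix land on the wrong paths, or fail and abort the run under `set -e`; the `[ ! -h "$FILE" -a -f "$FILE" ]` test just above already quotes it, so `FILEPERM=$(ls -ld -- "$FILE" | cut -f1 -d" ")` and `chmod g-w -- "$FILE"` are the consistent form. The same unquoted `chmod ... $FILE` appears in 13.9's apply and `chmod ... $dir` in 13.7's apply in this commit.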
@@ -0,0 +1,75 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 13.9 Check Permissions on User .netrc Files (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PERMISSIONS="600"
+ERRORS=0
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+ debug "Working on $DIR"
+ for FILE in $DIR/.netrc; do
+ if [ ! -h "$FILE" -a -f "$FILE" ]; then
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ crit "$FILE has not $PERMISSIONS permissions set"
+ ERRORS=$((ERRORS+1))
+ fi
+ fi
+ done
+ done
+
+ if [ $ERRORS = 0 ]; then
+ ok "permission $PERMISSIONS set on .netrc users files"
+ fi
+
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+ debug "Working on $DIR"
+ for FILE in $DIR/.netrc; do
+ if [ ! -h "$FILE" -a -f "$FILE" ]; then
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ warn "$FILE has not $PERMISSIONS permissions set"
+ chmod 600 $FILE
+ fi
+ fi
+ done
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . 
/etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/2.10_home_nodev.sh b/bin/hardening/2.10_home_nodev.sh
new file mode 100755
index 0000000..1c8a414
--- /dev/null
+++ b/bin/hardening/2.10_home_nodev.sh
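Review bot: apply hard-codes `chmod 600 $FILE` while the script declares `PERMISSIONS="600"` and both audit and apply compare against `$PERMISSIONS` through `has_file_correct_permissions`, so changing the constant would leave the fix and the check disagreeing; `chmod "$PERMISSIONS" -- "$FILE"` keeps them in step. The closing `ok "permission $PERMISSIONS set on .netrc users files"` is also emitted when no `.netrc` exists on the system at all, which reads as a positive finding about files that were never inspected; wording such as `ok "No .netrc file with incorrect permissions found"` describes what was actually established.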
@@ -0,0 +1,80 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 2.10 Add nodev Option to /home (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# Quick factoring as many script use the same logic
+PARTITION="/home"
+OPTION="nodev"
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Verifying that $PARTITION is a partition"
+ FNRET=0
+ is_a_partition "$PARTITION"
+ if [ $FNRET -gt 0 ]; then
+ crit "$PARTITION is not a partition"
+ FNRET=2
+ else
+ ok "$PARTITION is a partition"
+ has_mount_option $PARTITION $OPTION
+ if [ $FNRET -gt 0 ]; then
+ crit "$PARTITION have no option $OPTION in fstab !"
+ FNRET=1
+ else
+ ok "$PARTITION have $OPTION in fstab"
+ has_mounted_option $PARTITION $OPTION
+ if [ $FNRET -gt 0 ]; then
+ warn "$PARTITION is not mounted with $OPTION at runtime"
+ FNRET=3
+ else
+ ok "$PARTITION mounted with $OPTION"
+ fi
+ fi
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ if [ $FNRET = 0 ]; then
+ ok "$PARTITION is correctly set"
+ elif [ $FNRET = 2 ]; then
+ crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
+ elif [ $FNRET = 1 ]; then
+ info "Adding $OPTION to fstab"
+ add_option_to_fstab $PARTITION $OPTION
+ info "Remounting $PARTITION from fstab"
+ remount_partition $PARTITION
+ elif [ $FNRET = 3 ]; then
+ info "Remounting $PARTITION from fstab"
+ remount_partition $PARTITION
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ # No param for this script
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . 
/etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/2.11_removable_device_nodev.sh b/bin/hardening/2.11_removable_device_nodev.sh
new file mode 100755
index 0000000..010a432
--- /dev/null
+++ b/bin/hardening/2.11_removable_device_nodev.sh
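Review bot: apply dispatches on FNRET, which is only assigned inside audit, so the script is correct only if lib/main.sh (not in this chunk) always runs audit immediately before apply; if it ever calls apply alone, `if [ $FNRET = 0 ]` trips `set -u`, and if FNRET arrives from the environment apply acts on a stale value. The contract deserves to be written down in the apply header, `# apply relies on FNRET as left by audit(): 0 ok, 1 missing in fstab, 2 not a partition, 3 not mounted with option`, and an explicit `FNRET=0` next to PARTITION/OPTION at file scope would at least make the failure mode a wrong "correctly set" message rather than an unbound-variable abort. The same structure is used by 2.14, 2.15 and 2.16 in this commit.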
@@ -0,0 +1,68 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 2.11 Add nodev Option to Removable Media Partitions (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
+
+# Quick factoring as many script use the same logic
+PARTITION="/media\S*"
+OPTION="nodev"
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Verifying if there is $PARTITION like partition"
+ FNRET=0
+ is_a_partition "$PARTITION"
+ if [ $FNRET -gt 0 ]; then
+ ok "There is no partition like $PARTITION"
+ FNRET=0
+ else
+ info "detected $PARTITION like"
+ has_mount_option $PARTITION $OPTION
+ if [ $FNRET -gt 0 ]; then
+ crit "$PARTITION have no option $OPTION in fstab !"
+ FNRET=1
+ else
+ ok "$PARTITION have $OPTION in fstab"
+ fi
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ if [ $FNRET = 0 ]; then
+ ok "$PARTITION is correctly set"
+ elif [ $FNRET = 1 ]; then
+ info "Adding $OPTION to fstab"
+ add_option_to_fstab $PARTITION $OPTION
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ # No param for this script
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/2.12_removable_device_noexec.sh b/bin/hardening/2.12_removable_device_noexec.sh
new file mode 100755
index 0000000..1258880
--- /dev/null
+++ b/bin/hardening/2.12_removable_device_noexec.sh
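Review bot: PARTITION here is the regex `/media\S*` rather than a mount point, yet apply passes it to `add_option_to_fstab $PARTITION $OPTION` exactly as 2.10 passes the literal `/home`; unless that helper (not in this chunk) is written to accept a pattern, apply either edits nothing or rewrites every fstab line the pattern touches, and `\S` is a GNU extension that only works if the helper uses GNU grep or sed. A comment on the PARTITION line would make the contract explicit, `# PARTITION is an extended regex matched against fstab by the lib helpers, not a literal mount point`, and iterating over the concrete `/media/...` mount points found in fstab would avoid the question altogether. When several such entries exist, a single `has_mount_option` call also cannot say which one lacks `$OPTION`, so the crit message names the pattern rather than the offending entry. 2.12 and 2.13 are identical apart from OPTION.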
@@ -0,0 +1,68 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 2.12 Add noexec Option to Removable Media Partitions (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
+
+# Quick factoring as many script use the same logic
+PARTITION="/media\S*"
+OPTION="noexec"
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Verifying if there is $PARTITION like partition"
+ FNRET=0
+ is_a_partition "$PARTITION"
+ if [ $FNRET -gt 0 ]; then
+ ok "There is no partition like $PARTITION"
+ FNRET=0
+ else
+ info "detected $PARTITION like"
+ has_mount_option $PARTITION $OPTION
+ if [ $FNRET -gt 0 ]; then
+ crit "$PARTITION have no option $OPTION in fstab !"
+ FNRET=1
+ else
+ ok "$PARTITION have $OPTION in fstab"
+ fi
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ if [ $FNRET = 0 ]; then
+ ok "$PARTITION is correctly set"
+ elif [ $FNRET = 1 ]; then
+ info "Adding $OPTION to fstab"
+ add_option_to_fstab $PARTITION $OPTION
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ # No param for this script
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/2.13_removable_device_nosuid.sh b/bin/hardening/2.13_removable_device_nosuid.sh
new file mode 100755
index 0000000..351d94b
--- /dev/null
+++ b/bin/hardening/2.13_removable_device_nosuid.sh
@@ -0,0 +1,68 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 2.13 Add nosuid Option to Removable Media Partitions (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
+
+# Quick factoring as many script use the same logic
+PARTITION="/media\S*"
+OPTION="nosuid"
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Verifying if there is $PARTITION like partition"
+ FNRET=0
+ is_a_partition "$PARTITION"
+ if [ $FNRET -gt 0 ]; then
+ ok "There is no partition like $PARTITION"
+ FNRET=0
+ else
+ info "detected $PARTITION like"
+ has_mount_option $PARTITION $OPTION
+ if [ $FNRET -gt 0 ]; then
+ crit "$PARTITION have no option $OPTION in fstab !"
+ FNRET=1
+ else
+ ok "$PARTITION have $OPTION in fstab"
+ fi
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ if [ $FNRET = 0 ]; then
+ ok "$PARTITION is correctly set"
+ elif [ $FNRET = 1 ]; then
+ info "Adding $OPTION to fstab"
+ add_option_to_fstab $PARTITION $OPTION
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ # No param for this script
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/2.14_run_shm_nodev.sh b/bin/hardening/2.14_run_shm_nodev.sh
new file mode 100755
index 0000000..d58d354
--- /dev/null
+++ b/bin/hardening/2.14_run_shm_nodev.sh
@@ -0,0 +1,80 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 2.14 Add nodev Option to /run/shm Partition (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# Quick factoring as many script use the same logic
+PARTITION="/run/shm"
+OPTION="nodev"
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Verifying that $PARTITION is a partition"
+ FNRET=0
+ is_a_partition "$PARTITION"
+ if [ $FNRET -gt 0 ]; then
+ crit "$PARTITION is not a partition"
+ FNRET=2
+ else
+ ok "$PARTITION is a partition"
+ has_mount_option $PARTITION $OPTION
+ if [ $FNRET -gt 0 ]; then
+ crit "$PARTITION have no option $OPTION in fstab !"
+ FNRET=1
+ else
+ ok "$PARTITION have $OPTION in fstab"
+ has_mounted_option $PARTITION $OPTION
+ if [ $FNRET -gt 0 ]; then
+ warn "$PARTITION is not mounted with $OPTION at runtime"
+ FNRET=3
+ else
+ ok "$PARTITION mounted with $OPTION"
+ fi
+ fi
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ if [ $FNRET = 0 ]; then
+ ok "$PARTITION is correctly set"
+ elif [ $FNRET = 2 ]; then
+ crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
+ elif [ $FNRET = 1 ]; then
+ info "Adding $OPTION to fstab"
+ add_option_to_fstab $PARTITION $OPTION
+ info "Remounting $PARTITION from fstab"
+ remount_partition $PARTITION
+ elif [ $FNRET = 3 ]; then
+ info "Remounting $PARTITION from fstab"
+ remount_partition $PARTITION
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ # No param for this script
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . 
/etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/2.15_run_shm_nosuid.sh b/bin/hardening/2.15_run_shm_nosuid.sh
new file mode 100755
index 0000000..451944a
--- /dev/null
+++ b/bin/hardening/2.15_run_shm_nosuid.sh
@@ -0,0 +1,80 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 2.15 Add nosuid Option to /run/shm Partition (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# Quick factoring as many script use the same logic
+PARTITION="/run/shm"
+OPTION="nosuid"
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Verifying that $PARTITION is a partition"
+ FNRET=0
+ is_a_partition "$PARTITION"
+ if [ $FNRET -gt 0 ]; then
+ crit "$PARTITION is not a partition"
+ FNRET=2
+ else
+ ok "$PARTITION is a partition"
+ has_mount_option $PARTITION $OPTION
+ if [ $FNRET -gt 0 ]; then
+ crit "$PARTITION have no option $OPTION in fstab !"
+ FNRET=1
+ else
+ ok "$PARTITION have $OPTION in fstab"
+ has_mounted_option $PARTITION $OPTION
+ if [ $FNRET -gt 0 ]; then
+ warn "$PARTITION is not mounted with $OPTION at runtime"
+ FNRET=3
+ else
+ ok "$PARTITION mounted with $OPTION"
+ fi
+ fi
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ if [ $FNRET = 0 ]; then
+ ok "$PARTITION is correctly set"
+ elif [ $FNRET = 2 ]; then
+ crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
+ elif [ $FNRET = 1 ]; then
+ info "Adding $OPTION to fstab"
+ add_option_to_fstab $PARTITION $OPTION
+ info "Remounting $PARTITION from fstab"
+ remount_partition $PARTITION
+ elif [ $FNRET = 3 ]; then
+ info "Remounting $PARTITION from fstab"
+ remount_partition $PARTITION
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ # No param for this script
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . 
/etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/2.16_run_shm_noexec.sh b/bin/hardening/2.16_run_shm_noexec.sh
new file mode 100755
index 0000000..9f111b5
--- /dev/null
+++ b/bin/hardening/2.16_run_shm_noexec.sh
@@ -0,0 +1,80 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 2.16 Add noexec Option to /run/shm Partition (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Quick factoring as many script use the same logic +PARTITION="/run/shm" +OPTION="noexec" + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Verifying that $PARTITION is a partition" + FNRET=0 + is_a_partition "$PARTITION" + if [ $FNRET -gt 0 ]; then + crit "$PARTITION is not a partition" + FNRET=2 + else + ok "$PARTITION is a partition" + has_mount_option $PARTITION $OPTION + if [ $FNRET -gt 0 ]; then + crit "$PARTITION have no option $OPTION in fstab !" + FNRET=1 + else + ok "$PARTITION have $OPTION in fstab" + has_mounted_option $PARTITION $OPTION + if [ $FNRET -gt 0 ]; then + warn "$PARTITION is not mounted with $OPTION at runtime" + FNRET=3 + else + ok "$PARTITION mounted with $OPTION" + fi + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $FNRET = 0 ]; then + ok "$PARTITION is correctly set" + elif [ $FNRET = 2 ]; then + crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" + elif [ $FNRET = 1 ]; then + info "Adding $OPTION to fstab" + add_option_to_fstab $PARTITION $OPTION + info "Remounting $PARTITION from fstab" + remount_partition $PARTITION + elif [ $FNRET = 3 ]; then + info "Remounting $PARTITION from fstab" + remount_partition $PARTITION + fi +} + +# This function will check config parameters required +check_config() { + # No param for this script + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . 
/etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/2.17_sticky_bit_world_writable_folder.sh b/bin/hardening/2.17_sticky_bit_world_writable_folder.sh new file mode 100755 index 0000000..0183a36 --- /dev/null +++ b/bin/hardening/2.17_sticky_bit_world_writable_folder.sh 
@@ -0,0 +1,55 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 2.17 Set Sticky Bit on All World-Writable Directories (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    info "Checking if setuid is set on world writable Directories"
+    RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+    if [ ! -z "$RESULT" ]; then
+        crit "Some world writable directories are not on sticky bit mode !"
+        FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
+        crit "$FORMATTED_RESULT"
+    else
+        ok "All world writable directories have a sticky bit"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+    if [ ! -z "$RESULT" ]; then
+        df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
+    else
+        ok "All world writable directories have a sticky bit, nothing to apply"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    # No param for this function
+    :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+    echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+    exit 128
+else
+    . /etc/default/cis-hardenning
+    if [ -z $CIS_ROOT_DIR ]; then
+        echo "No CIS_ROOT_DIR variable, aborting"
+    fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
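Review bot: The remediation in `apply` pipes newline-separated `find -print` output into `xargs chmod a+t`, so a world-writable directory whose name contains whitespace is split into several arguments and the wrong path can end up chmod'ed; let find do the work with `-exec chmod a+t -- {} +` and keep the same `\( -perm -0002 -a ! -perm -1000 \)` filter the audit uses, so only directories that actually lack the bit are touched. `apply` also logs nothing about what it changed, whereas an `info "Setting sticky bit on: $FORMATTED_RESULT"` line built the way `audit` builds it would leave an operator a record of the modification. The `info` message in `audit` says "setuid" but the test is `! -perm -1000`, i.e. the sticky bit; suggest `info "Checking if the sticky bit is set on world writable directories"`.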
diff --git a/bin/hardening/2.18_disable_cramfs.sh b/bin/hardening/2.18_disable_cramfs.sh
new file mode 100755
index 0000000..9ddf758
--- /dev/null
+++ b/bin/hardening/2.18_disable_cramfs.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 2.18 Disable Mounting of cramfs Filesystems (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
+KERNEL_OPTION="cramfs"
+
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    is_kernel_option_enabled $KERNEL_OPTION
+    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+        crit "$KERNEL_OPTION is enabled !"
+    else
+        ok "$KERNEL_OPTION is disabled"
+    fi
+    :
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    is_kernel_option_enabled $KERNEL_OPTION
+    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+        warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please"
+    else
+        ok "$KERNEL_OPTION is disabled, nothing to do"
+    fi
+    :
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+    echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+    exit 128
+else
+    . /etc/default/cis-hardenning
+    if [ -z $CIS_ROOT_DIR ]; then
+        echo "No CIS_ROOT_DIR variable, aborting"
+    fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/2.19_disable_freevxfs.sh b/bin/hardening/2.19_disable_freevxfs.sh
new file mode 100755
index 0000000..65ce4cf
--- /dev/null
+++ b/bin/hardening/2.19_disable_freevxfs.sh
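Review bot: `audit` depends on `is_kernel_option_enabled`, which per the `/proc/config.gz` comment inspects the kernel build configuration only (the helper is not in this hunk, so this is inferred); a filesystem built as a module (`=m`), the usual case on a Debian stock kernel — which also exposes its config as `/boot/config-$(uname -r)` rather than `/proc/config.gz` — is then reported as enabled and `apply` gives up with "recompile your kernel". The CIS remediation for this item is to prevent the module from loading, e.g. an `install cramfs /bin/true` line in a file under `/etc/modprobe.d/` plus unloading it if currently loaded, which `apply` could implement instead of only warning; a runtime check of `lsmod` / `/proc/filesystems` in `audit` would also catch a loaded module that the config test misses. The same audit/apply bodies appear in 2.19 through 2.24 in this chunk, so fixing the helper or the template once covers all of them.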
@@ -0,0 +1,57 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 2.19 Disable Mounting of freevxfs Filesystems (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz +KERNEL_OPTION="freevxfs" + + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_kernel_option_enabled $KERNEL_OPTION + if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + crit "$KERNEL_OPTION is enabled !" + else + ok "$KERNEL_OPTION is disabled" + fi + : +} + +# This function will be called if the script status is on enabled mode +apply () { + is_kernel_option_enabled $KERNEL_OPTION + if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" + else + ok "$KERNEL_OPTION is disabled, nothing to do" + fi + : +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/2.1_tmp_partition.sh b/bin/hardening/2.1_tmp_partition.sh new file mode 100755 index 0000000..f2b5469 --- /dev/null +++ b/bin/hardening/2.1_tmp_partition.sh 
@@ -0,0 +1,69 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 2.1 Create Separate Partition for /tmp (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Quick factoring as many script use the same logic +PARTITION="/tmp" + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Verifying that $PARTITION is a partition" + FNRET=0 + is_a_partition "$PARTITION" + if [ $FNRET -gt 0 ]; then + crit "$PARTITION is not a partition" + FNRET=2 + else + ok "$PARTITION is a partition" + is_mounted "$PARTITION" + if [ $FNRET -gt 0 ]; then + warn "$PARTITION is not mounted" + FNRET=1 + else + ok "$PARTITION is mounted" + fi + fi + + : +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $FNRET = 0 ]; then + ok "$PARTITION is correctly set" + elif [ $FNRET = 2 ]; then + crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" + else + info "mounting $PARTITION" + mount $PARTITION + fi +} + +# This function will check config parameters required +check_config() { + # No parameter for this script + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/2.20_disable_jffs2.sh b/bin/hardening/2.20_disable_jffs2.sh new file mode 100755 index 0000000..c2fe78d --- /dev/null +++ b/bin/hardening/2.20_disable_jffs2.sh 
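Review bot: The `else` branch of `apply` runs `mount $PARTITION` for any FNRET other than 0 or 2, and under `set -e` a failed mount terminates the script with only mount's own stderr and no `crit` line in the hardening log; suggest `mount "$PARTITION" || crit "Could not mount $PARTITION"`, or an explicit `elif [ $FNRET = 1 ]` so that an unexpected code is reported rather than acted on. `apply` also does not re-run `is_mounted` afterwards, so the log records the intent but not the outcome; whether lib/main.sh re-audits is outside this hunk. The same `apply` appears in 2.5 and 2.6.1 in this chunk.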
@@ -0,0 +1,57 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 2.20 Disable Mounting of jffs2 Filesystems (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz +KERNEL_OPTION="jffs2" + + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_kernel_option_enabled $KERNEL_OPTION + if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + crit "$KERNEL_OPTION is enabled !" + else + ok "$KERNEL_OPTION is disabled" + fi + : +} + +# This function will be called if the script status is on enabled mode +apply () { + is_kernel_option_enabled $KERNEL_OPTION + if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" + else + ok "$KERNEL_OPTION is disabled, nothing to do" + fi + : +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/2.21_disable_hfs.sh b/bin/hardening/2.21_disable_hfs.sh new file mode 100755 index 0000000..de679b2 --- /dev/null +++ b/bin/hardening/2.21_disable_hfs.sh 
@@ -0,0 +1,57 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 2.21 Disable Mounting of hfs Filesystems (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz +KERNEL_OPTION="hfs" + + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_kernel_option_enabled $KERNEL_OPTION + if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + crit "$KERNEL_OPTION is enabled !" + else + ok "$KERNEL_OPTION is disabled" + fi + : +} + +# This function will be called if the script status is on enabled mode +apply () { + is_kernel_option_enabled $KERNEL_OPTION + if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" + else + ok "$KERNEL_OPTION is disabled, nothing to do" + fi + : +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/2.22_disable_hfsplus.sh b/bin/hardening/2.22_disable_hfsplus.sh new file mode 100755 index 0000000..3fede5a --- /dev/null +++ b/bin/hardening/2.22_disable_hfsplus.sh 
@@ -0,0 +1,57 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 2.22 Disable Mounting of hfsplus Filesystems (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz +KERNEL_OPTION="hfsplus" + + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_kernel_option_enabled $KERNEL_OPTION + if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + crit "$KERNEL_OPTION is enabled !" + else + ok "$KERNEL_OPTION is disabled" + fi + : +} + +# This function will be called if the script status is on enabled mode +apply () { + is_kernel_option_enabled $KERNEL_OPTION + if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" + else + ok "$KERNEL_OPTION is disabled, nothing to do" + fi + : +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/2.23_disable_squashfs.sh b/bin/hardening/2.23_disable_squashfs.sh new file mode 100755 index 0000000..37f8da3 --- /dev/null +++ b/bin/hardening/2.23_disable_squashfs.sh 
@@ -0,0 +1,57 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 2.23 Disable Mounting of squashfs Filesystems (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz +KERNEL_OPTION="squashfs" + + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_kernel_option_enabled $KERNEL_OPTION + if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + crit "$KERNEL_OPTION is enabled !" + else + ok "$KERNEL_OPTION is disabled" + fi + : +} + +# This function will be called if the script status is on enabled mode +apply () { + is_kernel_option_enabled $KERNEL_OPTION + if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" + else + ok "$KERNEL_OPTION is disabled, nothing to do" + fi + : +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/2.24_disable_udf.sh b/bin/hardening/2.24_disable_udf.sh new file mode 100755 index 0000000..f429c38 --- /dev/null +++ b/bin/hardening/2.24_disable_udf.sh 
@@ -0,0 +1,57 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 2.24 Disable Mounting of udf Filesystems (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz +KERNEL_OPTION="udf" + + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_kernel_option_enabled $KERNEL_OPTION + if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + crit "$KERNEL_OPTION is enabled !" + else + ok "$KERNEL_OPTION is disabled" + fi + : +} + +# This function will be called if the script status is on enabled mode +apply () { + is_kernel_option_enabled $KERNEL_OPTION + if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" + else + ok "$KERNEL_OPTION is disabled, nothing to do" + fi + : +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/2.25_disable_automounting.sh b/bin/hardening/2.25_disable_automounting.sh new file mode 100755 index 0000000..1323bad --- /dev/null +++ b/bin/hardening/2.25_disable_automounting.sh 
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 2.25 Disable Automounting (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+SERVICE_NAME="autofs"
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    info "Checking if $SERVICE_NAME is enabled"
+    is_service_enabled $SERVICE_NAME
+    if [ $FNRET = 0 ]; then
+        crit "$SERVICE_NAME is enabled"
+    else
+        ok "$SERVICE_NAME is disabled"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    info "Checking if $SERVICE_NAME is enabled"
+    is_service_enabled $SERVICE_NAME
+    if [ $FNRET = 0 ]; then
+        info "Disabling $SERVICE_NAME"
+        update-rc.d $SERVICE_NAME remove > /dev/null 2>&1
+    else
+        ok "$SERVICE_NAME is disabled"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+    echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+    exit 128
+else
+    . /etc/default/cis-hardenning
+    if [ -z $CIS_ROOT_DIR ]; then
+        echo "No CIS_ROOT_DIR variable, aborting"
+    fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/2.2_tmp_nodev.sh b/bin/hardening/2.2_tmp_nodev.sh
new file mode 100755
index 0000000..6b34d0f
--- /dev/null
+++ b/bin/hardening/2.2_tmp_nodev.sh
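Review bot: `update-rc.d $SERVICE_NAME remove > /dev/null 2>&1` discards the diagnostic and, under `set -e`, aborts the script silently when it fails — and on Debian it does fail while `/etc/init.d/autofs` still exists unless `-f` is given; it also leaves an already-running autofs untouched. For 2.25 the disable-and-stop form is the safer remediation and keeps the init script in place: `update-rc.d "$SERVICE_NAME" disable` followed by `service "$SERVICE_NAME" stop`, with stderr kept (or passed through `warn`) so an operator can see why a remediation did not take effect. `apply` also never re-checks `is_service_enabled` afterwards, so the log shows the intent but not the result; a closing `ok`/`crit` based on a second check would make the audit trail complete.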
@@ -0,0 +1,80 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 2.2 Set nodev option for /tmp Partition (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Quick factoring as many script use the same logic +PARTITION="/tmp" +OPTION="nodev" + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Verifying that $PARTITION is a partition" + FNRET=0 + is_a_partition "$PARTITION" + if [ $FNRET -gt 0 ]; then + crit "$PARTITION is not a partition" + FNRET=2 + else + ok "$PARTITION is a partition" + has_mount_option $PARTITION $OPTION + if [ $FNRET -gt 0 ]; then + crit "$PARTITION have no option $OPTION in fstab !" + FNRET=1 + else + ok "$PARTITION have $OPTION in fstab" + has_mounted_option $PARTITION $OPTION + if [ $FNRET -gt 0 ]; then + warn "$PARTITION is not mounted with $OPTION at runtime" + FNRET=3 + else + ok "$PARTITION mounted with $OPTION" + fi + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $FNRET = 0 ]; then + ok "$PARTITION is correctly set" + elif [ $FNRET = 2 ]; then + crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" + elif [ $FNRET = 1 ]; then + info "Adding $OPTION to fstab" + add_option_to_fstab $PARTITION $OPTION + info "Remounting $PARTITION from fstab" + remount_partition $PARTITION + elif [ $FNRET = 3 ]; then + info "Remounting $PARTITION from fstab" + remount_partition $PARTITION + fi +} + +# This function will check config parameters required +check_config() { + # No param for this script + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . 
/etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/2.3_tmp_nosuid.sh b/bin/hardening/2.3_tmp_nosuid.sh new file mode 100755 index 0000000..a361ca7 --- /dev/null +++ b/bin/hardening/2.3_tmp_nosuid.sh 
@@ -0,0 +1,80 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 2.3 Set nosuid option for /tmp Partition (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Quick factoring as many script use the same logic +PARTITION="/tmp" +OPTION="nosuid" + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Verifying that $PARTITION is a partition" + FNRET=0 + is_a_partition "$PARTITION" + if [ $FNRET -gt 0 ]; then + crit "$PARTITION is not a partition" + FNRET=2 + else + ok "$PARTITION is a partition" + has_mount_option $PARTITION $OPTION + if [ $FNRET -gt 0 ]; then + crit "$PARTITION have no option $OPTION in fstab !" + FNRET=1 + else + ok "$PARTITION have $OPTION in fstab" + has_mounted_option $PARTITION $OPTION + if [ $FNRET -gt 0 ]; then + warn "$PARTITION is not mounted with $OPTION at runtime" + FNRET=3 + else + ok "$PARTITION mounted with $OPTION" + fi + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $FNRET = 0 ]; then + ok "$PARTITION is correctly set" + elif [ $FNRET = 2 ]; then + crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" + elif [ $FNRET = 1 ]; then + info "Adding $OPTION to fstab" + add_option_to_fstab $PARTITION $OPTION + info "Remounting $PARTITION from fstab" + remount_partition $PARTITION + elif [ $FNRET = 3 ]; then + info "Remounting $PARTITION from fstab" + remount_partition $PARTITION + fi +} + +# This function will check config parameters required +check_config() { + # No param for this script + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . 
/etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/2.4_tmp_noexec.sh b/bin/hardening/2.4_tmp_noexec.sh new file mode 100755 index 0000000..9d61da1 --- /dev/null +++ b/bin/hardening/2.4_tmp_noexec.sh 
@@ -0,0 +1,80 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 2.4 Set noexec option for /tmp Partition (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Quick factoring as many script use the same logic +PARTITION="/tmp" +OPTION="noexec" + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Verifying that $PARTITION is a partition" + FNRET=0 + is_a_partition "$PARTITION" + if [ $FNRET -gt 0 ]; then + crit "$PARTITION is not a partition" + FNRET=2 + else + ok "$PARTITION is a partition" + has_mount_option $PARTITION $OPTION + if [ $FNRET -gt 0 ]; then + crit "$PARTITION have no option $OPTION in fstab !" + FNRET=1 + else + ok "$PARTITION have $OPTION in fstab" + has_mounted_option $PARTITION $OPTION + if [ $FNRET -gt 0 ]; then + warn "$PARTITION is not mounted with $OPTION at runtime" + FNRET=3 + else + ok "$PARTITION mounted with $OPTION" + fi + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $FNRET = 0 ]; then + ok "$PARTITION is correctly set" + elif [ $FNRET = 2 ]; then + crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" + elif [ $FNRET = 1 ]; then + info "Adding $OPTION to fstab" + add_option_to_fstab $PARTITION $OPTION + info "Remounting $PARTITION from fstab" + remount_partition $PARTITION + elif [ $FNRET = 3 ]; then + info "Remounting $PARTITION from fstab" + remount_partition $PARTITION + fi +} + +# This function will check config parameters required +check_config() { + # No param for this script + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . 
/etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/2.5_var_partition.sh b/bin/hardening/2.5_var_partition.sh new file mode 100755 index 0000000..3a0fed6 --- /dev/null +++ b/bin/hardening/2.5_var_partition.sh 
@@ -0,0 +1,69 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 2.5 Create Separate Partition for /var (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Quick factoring as many script use the same logic +PARTITION="/var" + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Verifying that $PARTITION is a partition" + FNRET=0 + is_a_partition "$PARTITION" + if [ $FNRET -gt 0 ]; then + crit "$PARTITION is not a partition" + FNRET=2 + else + ok "$PARTITION is a partition" + is_mounted "$PARTITION" + if [ $FNRET -gt 0 ]; then + warn "$PARTITION is not mounted" + FNRET=1 + else + ok "$PARTITION is mounted" + fi + fi + + : +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $FNRET = 0 ]; then + ok "$PARTITION is correctly set" + elif [ $FNRET = 2 ]; then + crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" + else + info "mounting $PARTITION" + mount $PARTITION + fi +} + +# This function will check config parameters required +check_config() { + # No parameter for this script + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/2.6.1_var_tmp_partition.sh b/bin/hardening/2.6.1_var_tmp_partition.sh new file mode 100755 index 0000000..1a1348b --- /dev/null +++ b/bin/hardening/2.6.1_var_tmp_partition.sh 
@@ -0,0 +1,69 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 2.6.1 Create Separate Partition for /var/tmp (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Quick factoring as many script use the same logic +PARTITION="/var/tmp" + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Verifying that $PARTITION is a partition" + FNRET=0 + is_a_partition "$PARTITION" + if [ $FNRET -gt 0 ]; then + crit "$PARTITION is not a partition" + FNRET=2 + else + ok "$PARTITION is a partition" + is_mounted "$PARTITION" + if [ $FNRET -gt 0 ]; then + warn "$PARTITION is not mounted" + FNRET=1 + else + ok "$PARTITION is mounted" + fi + fi + + : +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $FNRET = 0 ]; then + ok "$PARTITION is correctly set" + elif [ $FNRET = 2 ]; then + crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" + else + info "mounting $PARTITION" + mount $PARTITION + fi +} + +# This function will check config parameters required +check_config() { + # No parameter for this script + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/2.6.2_var_tmp_nodev.sh b/bin/hardening/2.6.2_var_tmp_nodev.sh new file mode 100755 index 0000000..2be7322 --- /dev/null +++ b/bin/hardening/2.6.2_var_tmp_nodev.sh 
@@ -0,0 +1,80 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 2.6.2 Set nodev option for /var/tmp Partition (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Quick factoring as many script use the same logic +PARTITION="/var/tmp" +OPTION="nodev" + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Verifying that $PARTITION is a partition" + FNRET=0 + is_a_partition "$PARTITION" + if [ $FNRET -gt 0 ]; then + crit "$PARTITION is not a partition" + FNRET=2 + else + ok "$PARTITION is a partition" + has_mount_option $PARTITION $OPTION + if [ $FNRET -gt 0 ]; then + crit "$PARTITION have no option $OPTION in fstab !" + FNRET=1 + else + ok "$PARTITION have $OPTION in fstab" + has_mounted_option $PARTITION $OPTION + if [ $FNRET -gt 0 ]; then + warn "$PARTITION is not mounted with $OPTION at runtime" + FNRET=3 + else + ok "$PARTITION mounted with $OPTION" + fi + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $FNRET = 0 ]; then + ok "$PARTITION is correctly set" + elif [ $FNRET = 2 ]; then + crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" + elif [ $FNRET = 1 ]; then + info "Adding $OPTION to fstab" + add_option_to_fstab $PARTITION $OPTION + info "Remounting $PARTITION from fstab" + remount_partition $PARTITION + elif [ $FNRET = 3 ]; then + info "Remounting $PARTITION from fstab" + remount_partition $PARTITION + fi +} + +# This function will check config parameters required +check_config() { + # No param for this script + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . 
/etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/2.6.3_var_tmp_nosuid.sh b/bin/hardening/2.6.3_var_tmp_nosuid.sh new file mode 100755 index 0000000..992d8e6 --- /dev/null +++ b/bin/hardening/2.6.3_var_tmp_nosuid.sh 
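Review bot: The `FNRET = 1` branch of `apply()` in 2.6.2_var_tmp_nodev.sh rewrites /etc/fstab via `add_option_to_fstab` and immediately remounts, with no backup taken in this script, whereas 5.1.2 calls `backup_file $FILE` before editing /etc/inetd.conf. A malformed fstab line is far more costly than a bad inetd.conf (the host may not come back after a reboot), so unless `add_option_to_fstab` is known to back up internally, add `backup_file /etc/fstab` before the `add_option_to_fstab $PARTITION $OPTION` call. A remount of a busy /var/tmp can also fail, and under `set -e` that failure ends the script with no message of its own, so a `warn` before `remount_partition` would help operators read the log.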
@@ -0,0 +1,80 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 2.6.3 Set nosuid option for /var/tmp Partition (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Quick factoring as many script use the same logic +PARTITION="/var/tmp" +OPTION="nosuid" + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Verifying that $PARTITION is a partition" + FNRET=0 + is_a_partition "$PARTITION" + if [ $FNRET -gt 0 ]; then + crit "$PARTITION is not a partition" + FNRET=2 + else + ok "$PARTITION is a partition" + has_mount_option $PARTITION $OPTION + if [ $FNRET -gt 0 ]; then + crit "$PARTITION have no option $OPTION in fstab !" + FNRET=1 + else + ok "$PARTITION have $OPTION in fstab" + has_mounted_option $PARTITION $OPTION + if [ $FNRET -gt 0 ]; then + warn "$PARTITION is not mounted with $OPTION at runtime" + FNRET=3 + else + ok "$PARTITION mounted with $OPTION" + fi + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $FNRET = 0 ]; then + ok "$PARTITION is correctly set" + elif [ $FNRET = 2 ]; then + crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" + elif [ $FNRET = 1 ]; then + info "Adding $OPTION to fstab" + add_option_to_fstab $PARTITION $OPTION + info "Remounting $PARTITION from fstab" + remount_partition $PARTITION + elif [ $FNRET = 3 ]; then + info "Remounting $PARTITION from fstab" + remount_partition $PARTITION + fi +} + +# This function will check config parameters required +check_config() { + # No param for this script + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . 
/etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/2.6.4_var_tmp_noexec.sh b/bin/hardening/2.6.4_var_tmp_noexec.sh new file mode 100755 index 0000000..223477f --- /dev/null +++ b/bin/hardening/2.6.4_var_tmp_noexec.sh 
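Review bot: 2.6.3_var_tmp_nosuid.sh is identical to the nodev and noexec scripts except for `OPTION="nosuid"`, so any fix to the audit/apply logic (for instance backing up fstab, or the remount handling) now has to be made three times and can drift. The comment "Quick factoring as many script use the same logic" states the intent; consider moving `audit()`, `apply()` and `check_config()` into a shared `lib/mount_option.sh` that each script sources after setting `PARTITION` and `OPTION`, leaving these files as a few lines of configuration. This is a maintainability point only; the per-option behaviour would be unchanged.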
@@ -0,0 +1,80 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 2.6.4 Set noexec option for /var/tmp Partition (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Quick factoring as many script use the same logic +PARTITION="/var/tmp" +OPTION="noexec" + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Verifying that $PARTITION is a partition" + FNRET=0 + is_a_partition "$PARTITION" + if [ $FNRET -gt 0 ]; then + crit "$PARTITION is not a partition" + FNRET=2 + else + ok "$PARTITION is a partition" + has_mount_option $PARTITION $OPTION + if [ $FNRET -gt 0 ]; then + crit "$PARTITION have no option $OPTION in fstab !" + FNRET=1 + else + ok "$PARTITION have $OPTION in fstab" + has_mounted_option $PARTITION $OPTION + if [ $FNRET -gt 0 ]; then + warn "$PARTITION is not mounted with $OPTION at runtime" + FNRET=3 + else + ok "$PARTITION mounted with $OPTION" + fi + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $FNRET = 0 ]; then + ok "$PARTITION is correctly set" + elif [ $FNRET = 2 ]; then + crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" + elif [ $FNRET = 1 ]; then + info "Adding $OPTION to fstab" + add_option_to_fstab $PARTITION $OPTION + info "Remounting $PARTITION from fstab" + remount_partition $PARTITION + elif [ $FNRET = 3 ]; then + info "Remounting $PARTITION from fstab" + remount_partition $PARTITION + fi +} + +# This function will check config parameters required +check_config() { + # No param for this script + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . 
/etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/2.7_var_log_partition.sh b/bin/hardening/2.7_var_log_partition.sh new file mode 100755 index 0000000..32b2c74 --- /dev/null +++ b/bin/hardening/2.7_var_log_partition.sh 
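Review bot: The `apply()` path of 2.6.4_var_tmp_noexec.sh remounts /var/tmp with `noexec` immediately after editing fstab, and nothing in the script records the operational risk: software that unpacks and runs helpers from /var/tmp (some installers and maintainer scripts do this) will start failing with EACCES the moment the remount succeeds. Since the per-script `.cfg` selects audit versus apply, a header comment such as `# NOTE: applying noexec on /var/tmp breaks anything that executes from there; run in audit mode first and verify the host's workload` would give operators the warning before they flip it. Whether any workload on the target hosts does this is not visible here, so the comment should steer toward audit mode rather than forbid apply.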
@@ -0,0 +1,69 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 2.7 Create Separate Partition for /var/log (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Quick factoring as many script use the same logic +PARTITION="/var/log" + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Verifying that $PARTITION is a partition" + FNRET=0 + is_a_partition "$PARTITION" + if [ $FNRET -gt 0 ]; then + crit "$PARTITION is not a partition" + FNRET=2 + else + ok "$PARTITION is a partition" + is_mounted "$PARTITION" + if [ $FNRET -gt 0 ]; then + warn "$PARTITION is not mounted" + FNRET=1 + else + ok "$PARTITION is mounted" + fi + fi + + : +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $FNRET = 0 ]; then + ok "$PARTITION is correctly set" + elif [ $FNRET = 2 ]; then + crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" + else + info "mounting $PARTITION" + mount $PARTITION + fi +} + +# This function will check config parameters required +check_config() { + # No parameter for this script + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/2.8_var_log_audit_partition.sh b/bin/hardening/2.8_var_log_audit_partition.sh new file mode 100755 index 0000000..9c7bf92 --- /dev/null +++ b/bin/hardening/2.8_var_log_audit_partition.sh 
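Review bot: The `FNRET = 1` branch of `apply()` in 2.7_var_log_partition.sh runs `mount $PARTITION` over a /var/log that is currently a plain directory on the root filesystem, which hides the logs already written there and leaves rsyslog and other daemons writing to the now-invisible files until they are restarted. A script that can do this to the logging directory should at least say so: `warn "mounting over live $PARTITION hides existing logs; restart logging daemons afterwards"` before the `mount`, or leave the mount to the operator as the `FNRET = 2` branch already does for the missing-partition case. Whether `is_mounted` or `mount` here already accounts for a populated mountpoint is not visible from the hunk.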
@@ -0,0 +1,69 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 2.8 Create Separate Partition for /var/log/audit (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Quick factoring as many script use the same logic +PARTITION="/var/log/audit" + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Verifying that $PARTITION is a partition" + FNRET=0 + is_a_partition "$PARTITION" + if [ $FNRET -gt 0 ]; then + crit "$PARTITION is not a partition" + FNRET=2 + else + ok "$PARTITION is a partition" + is_mounted "$PARTITION" + if [ $FNRET -gt 0 ]; then + warn "$PARTITION is not mounted" + FNRET=1 + else + ok "$PARTITION is mounted" + fi + fi + + : +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $FNRET = 0 ]; then + ok "$PARTITION is correctly set" + elif [ $FNRET = 2 ]; then + crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" + else + info "mounting $PARTITION" + mount $PARTITION + fi +} + +# This function will check config parameters required +check_config() { + # No parameter for this script + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/2.9_home_partition.sh b/bin/hardening/2.9_home_partition.sh new file mode 100755 index 0000000..04270db --- /dev/null +++ b/bin/hardening/2.9_home_partition.sh 
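Review bot: 2.8_var_log_audit_partition.sh will report `crit "/var/log/audit is not a partition"` on every host without auditd, since that directory typically only exists once auditd is installed, yet `check_config()` is an empty `:` here whereas 3.1 gates on `is_pkg_installed "grub-pc"` and exits 128 when the prerequisite is absent. Adding the same gate, `is_pkg_installed auditd; if [ $FNRET != 0 ]; then warn "auditd is not installed, not handling configuration"; exit 128; fi`, keeps the audit output actionable. How exit 128 is tallied by bin/hardening.sh is outside this hunk, so confirm it is counted as skipped rather than failed.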
@@ -0,0 +1,69 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 2.9 Create Separate Partition for /home (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Quick factoring as many script use the same logic +PARTITION="/home" + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Verifying that $PARTITION is a partition" + FNRET=0 + is_a_partition "$PARTITION" + if [ $FNRET -gt 0 ]; then + crit "$PARTITION is not a partition" + FNRET=2 + else + ok "$PARTITION is a partition" + is_mounted "$PARTITION" + if [ $FNRET -gt 0 ]; then + warn "$PARTITION is not mounted" + FNRET=1 + else + ok "$PARTITION is mounted" + fi + fi + + : +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $FNRET = 0 ]; then + ok "$PARTITION is correctly set" + elif [ $FNRET = 2 ]; then + crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" + else + info "mounting $PARTITION" + mount $PARTITION + fi +} + +# This function will check config parameters required +check_config() { + # No parameter for this script + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/3.1_bootloader_ownership.sh b/bin/hardening/3.1_bootloader_ownership.sh new file mode 100755 index 0000000..044d2b0 --- /dev/null +++ b/bin/hardening/3.1_bootloader_ownership.sh 
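Review bot: In 2.9_home_partition.sh the check `if [ -z $CIS_ROOT_DIR ]` echoes "aborting" and then continues, so an empty CIS_ROOT_DIR reaches `[ -r $CIS_ROOT_DIR/lib/main.sh ]`, which tests `/lib/main.sh` and silently skips the audit/apply dispatch with no error. Add `exit 128` after the echo, matching the branch just above it for the missing /etc/default/cis-hardenning file, and quote the expansion so an empty value is tested rather than an empty argument list: `if [ -z "${CIS_ROOT_DIR:-}" ]; then echo "No CIS_ROOT_DIR variable, aborting"; exit 128; fi`.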
@@ -0,0 +1,78 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 3.1 Set User/Group Owner on bootloader config (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Assertion : Grub Based. + +FILE='/boot/grub/grub.cfg' +USER='root' +GROUP='root' + +# This function will be called if the script status is on enabled / audit mode +audit () { + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + crit "$FILE is not $USER:$GROUP ownership set" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + info "fixing $FILE ownership to $USER:$GROUP" + chown $USER:$GROUP $FILE + fi +} + +# This function will check config parameters required +check_config() { + + is_pkg_installed "grub-pc" + if [ $FNRET != 0 ]; then + warn "Grub is not installed, not handling configuration" + exit 128 + fi + does_user_exist $USER + if [ $FNRET != 0 ]; then + crit "$USER does not exist" + exit 128 + fi + does_group_exist $GROUP + if [ $FNRET != 0 ]; then + crit "$GROUP does not exist" + exit 128 + fi + does_file_exist $FILE + if [ $FNRET != 0 ]; then + crit "$FILE does not exist" + exit 128 + fi +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/3.2_bootloader_permissions.sh b/bin/hardening/3.2_bootloader_permissions.sh new file mode 100755 index 0000000..4bc0dec --- /dev/null 
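Review bot: `check_config()` in 3.1_bootloader_ownership.sh skips the whole item with `exit 128` whenever the `grub-pc` package is absent, but `FILE` is `/boot/grub/grub.cfg`, which grub-efi-amd64 and the other grub flavours write as well; on such hosts a grub.cfg with wrong ownership goes unreported as "Grub is not installed". Since the function already calls `does_file_exist $FILE` a few lines later, consider dropping the package test, or looping over `grub-pc grub-efi-amd64` the way 5.1.2 loops over `PACKAGES` and only skipping when none is present. Which bootloaders the target fleet uses is not visible here.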
+++ b/bin/hardening/3.2_bootloader_permissions.sh @@ -0,0 +1,65 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 3.2 Set Permissions on bootloader config (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Assertion : Grub Based. + +FILE='/boot/grub/grub.cfg' +PERMISSIONS='400' + +# This function will be called if the script status is on enabled / audit mode +audit () { + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + crit "$FILE has not $PERMISSIONS permissions set" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + info "fixing $FILE permissions to $PERMISSIONS" + chmod 0$PERMISSIONS $FILE + fi +} + +# This function will check config parameters required +check_config() { + is_pkg_installed "grub-pc" + if [ $FNRET != 0 ]; then + warn "grub-pc is not installed, not handling configuration" + exit 128 + fi + if [ $FNRET != 0 ]; then + crit "$FILE does not exist" + exit 128 + fi +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/3.3_bootloader_password.sh b/bin/hardening/3.3_bootloader_password.sh new file mode 100755 index 0000000..05a9ab0 --- /dev/null +++ b/bin/hardening/3.3_bootloader_password.sh 
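Review bot: The second `if [ $FNRET != 0 ]` in `check_config()` of 3.2_bootloader_permissions.sh is dead: nothing between the grub-pc test and that line updates `FNRET`, so the "$FILE does not exist" branch can never fire and a missing grub.cfg reaches `has_file_correct_permissions`/`chmod` in `audit()`/`apply()`. 3.1 has the intended call; insert `does_file_exist $FILE` immediately before that second `if`. Separately, grub.cfg is regenerated by update-grub on kernel upgrades, so the `chmod 0400` applied here may not persist; confirm the mode update-grub leaves on this release and, if needed, document that the fix has to be reapplied.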
@@ -0,0 +1,76 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 3.3 Set Boot Loader Password (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE='/boot/grub/grub.cfg' +USER_PATTERN="^set superusers" +PWD_PATTERN="^password_pbkdf2" + +# This function will be called if the script status is on enabled / audit mode +audit () { + does_pattern_exists_in_file $FILE "$USER_PATTERN" + if [ $FNRET != 0 ]; then + crit "$USER_PATTERN not present in $FILE" + else + ok "$USER_PATTERN is present in $FILE" + fi + does_pattern_exists_in_file $FILE "$PWD_PATTERN" + if [ $FNRET != 0 ]; then + crit "$PWD_PATTERN not present in $FILE" + else + ok "$PWD_PATTERN is present in $FILE" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_pattern_exists_in_file $FILE "$USER_PATTERN" + if [ $FNRET != 0 ]; then + warn "$USER_PATTERN not present in $FILE, please configure password for grub" + else + ok "$USER_PATTERN is present in $FILE" + fi + does_pattern_exists_in_file $FILE "$PWD_PATTERN" + if [ $FNRET != 0 ]; then + warn "$PWD_PATTERN not present in $FILE, please configure password for grub" + else + ok "$PWD_PATTERN is present in $FILE" + fi + : +} + +# This function will check config parameters required +check_config() { + is_pkg_installed "grub-pc" + if [ $FNRET != 0 ]; then + warn "grub-pc is not installed, not handling configuration" + exit 128 + fi + if [ $FNRET != 0 ]; then + crit "$FILE does not exist" + exit 128 + fi +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . 
$CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/3.4_root_password.sh b/bin/hardening/3.4_root_password.sh new file mode 100755 index 0000000..f37bfb0 --- /dev/null +++ b/bin/hardening/3.4_root_password.sh @@ -0,0 +1,55 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 3.4 Require Authentication for Single-User Mode (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE="/etc/shadow" +PATTERN="^root:[*\!]:" + +# This function will be called if the script status is on enabled / audit mode +audit () { + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET != 1 ]; then + crit "$PATTERN present in $FILE" + else + ok "$PATTERN not present in $FILE" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET != 1 ]; then + warn "$PATTERN present in $FILE, please put a root password" + else + ok "$PATTERN not present in $FILE" + fi + : +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/4.1_restrict_core_dumps.sh b/bin/hardening/4.1_restrict_core_dumps.sh new file mode 100755 index 0000000..7f6a4b6 --- /dev/null +++ b/bin/hardening/4.1_restrict_core_dumps.sh 
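Review bot: `check_config()` in 3.3_bootloader_password.sh has the same dead check as 3.2: the second `if [ $FNRET != 0 ]` still sees the result of `is_pkg_installed "grub-pc"`, so "$FILE does not exist" is unreachable and a missing /boot/grub/grub.cfg is handed straight to `does_pattern_exists_in_file`. Insert `does_file_exist $FILE` before that `if`, as 3.1 does. It is also worth a comment that `^set superusers` and `^password_pbkdf2` are only grepped in the generated grub.cfg; the lines have to live in /etc/grub.d (for example 40_custom) and `update-grub` be run for the check to stay true across regenerations.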
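Review bot: `does_pattern_exists_in_file $FILE $PATTERN` in 3.4_root_password.sh passes `^root:[*\!]:` unquoted, so the shell treats `[*\!]` as a glob and could substitute a matching filename from the current directory before the helper ever sees the pattern; pass it as `"$PATTERN"` in both `audit()` and `apply()`. The pattern also misses the worst case for single-user mode, an empty password field (`root::`), which needs no authentication at all; `PATTERN='^root:[*!]*:'` covers empty, `*`, `!` and `!!` fields while still not matching a real hash. The `!= 1` comparison assumes the helper returns exactly 1 for "not found"; any other error status would be reported as "pattern present", which is worth confirming against lib/utils.sh.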
@@ -0,0 +1,75 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 4.1 Restrict Core Dumps (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +LIMIT_FILE='/etc/security/limits.conf' +LIMIT_PATTERN='^\*[[:space:]]*hard[[:space:]]*core[[:space:]]*0$' +SYSCTL_PARAM='fs.suid_dumpable' +SYSCTL_EXP_RESULT=0 + +# This function will be called if the script status is on enabled / audit mode +audit () { + does_pattern_exists_in_file $LIMIT_FILE $LIMIT_PATTERN + if [ $FNRET != 0 ]; then + crit "$LIMIT_PATTERN not present in $LIMIT_FILE" + else + ok "$LIMIT_PATTERN present in $LIMIT_FILE" + fi + has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" + if [ $FNRET != 0 ]; then + crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !" + elif [ $FNRET = 255 ]; then + warn "$SYSCTL_PARAM does not exist, typo ?" + else + ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_pattern_exists_in_file $LIMIT_FILE $LIMIT_PATTERN + if [ $FNRET != 0 ]; then + warn "$LIMIT_PATTERN not present in $LIMIT_FILE, addning at the end of $LIMIT_FILE" + add_end_of_file $LIMIT_FILE "* hard core 0" + else + ok "$LIMIT_PATTERN present in $LIMIT_FILE" + fi + has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" + if [ $FNRET != 0 ]; then + warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it" + set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT + elif [ $FNRET = 255 ]; then + warn "$SYSCTL_PARAM does not exist, typo ?" + else + ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" + fi + +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . 
/etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/4.2_enable_nx_support.sh b/bin/hardening/4.2_enable_nx_support.sh new file mode 100755 index 0000000..d5c4962 --- /dev/null +++ b/bin/hardening/4.2_enable_nx_support.sh @@ -0,0 +1,53 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 4.2 Enable XD/NX Support on 32-bit x86 Systems (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PATTERN='NX[[:space:]]\(Execute[[:space:]]Disable\)[[:space:]]protection:[[:space:]]active' + +# This function will be called if the script status is on enabled / audit mode +audit () { + does_pattern_exists_in_dmesg $PATTERN + if [ $FNRET != 0 ]; then + crit "$PATTERN not present in dmesg" + else + ok "$PATTERN present in dmesg" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_pattern_exists_in_dmesg $PATTERN + if [ $FNRET != 0 ]; then + crit "$PATTERN not present in dmesg, please go to the bios to activate this option or change for CPU compatible" + else + ok "$PATTERN present in dmesg" + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh 
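Review bot: The `elif [ $FNRET = 255 ]` branches in both `audit()` and `apply()` of 4.1_restrict_core_dumps.sh are unreachable, because `if [ $FNRET != 0 ]` above them already captures 255 and reports it as "has not 0 value"; in `apply()` that also means a non-existent sysctl is passed to `set_sysctl_param`. Test the sentinel first: `if [ $FNRET = 255 ]; then warn "$SYSCTL_PARAM does not exist, typo ?"; elif [ $FNRET != 0 ]; then crit ...`. `$LIMIT_PATTERN` is likewise passed unquoted although it contains `*` and bracket expressions, and only /etc/security/limits.conf is inspected, so a `* hard core 0` line placed in /etc/security/limits.d/ would be reported as missing and a duplicate appended.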
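Review bot: `does_pattern_exists_in_dmesg $PATTERN` in 4.2_enable_nx_support.sh depends on the boot-time message still being in the kernel ring buffer, which on a host with long uptime or chatty drivers has usually rotated away, so the audit reports "not present in dmesg" on machines where NX is active. The `nx` flag in /proc/cpuinfo does not age out; consider checking it first (`grep -qw nx /proc/cpuinfo`) and falling back to dmesg, or at least wording the crit as "could not confirm" rather than asserting NX is off. The pattern is also passed unquoted although it contains `[[:space:]]` and `\(`, so pass it as `"$PATTERN"`.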
diff --git a/bin/hardening/4.3_enable_randomized_vm_placement.sh b/bin/hardening/4.3_enable_randomized_vm_placement.sh new file mode 100755 index 0000000..ded11c1 --- /dev/null +++ b/bin/hardening/4.3_enable_randomized_vm_placement.sh @@ -0,0 +1,59 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 4.3 Enable Randomized Virtual Memory Region Placement (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +SYSCTL_PARAM='kernel.randomize_va_space' +SYSCTL_EXP_RESULT=2 + +# This function will be called if the script status is on enabled / audit mode +audit () { + has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT + if [ $FNRET != 0 ]; then + crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !" + elif [ $FNRET = 255 ]; then + warn "$SYSCTL_PARAM does not exist, typo ?" + else + ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT + if [ $FNRET != 0 ]; then + warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it" + set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT + elif [ $FNRET = 255 ]; then + warn "$SYSCTL_PARAM does not exist, typo ?" + else + ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh 
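Review bot: The `elif [ $FNRET = 255 ]` branch in `audit()` and `apply()` of 4.3_enable_randomized_vm_placement.sh can never execute, because the preceding `if [ $FNRET != 0 ]` already matches 255; a kernel without `kernel.randomize_va_space` would be reported as "has not 2 value" and `apply()` would still call `set_sysctl_param` on it. Swap the order so the sentinel is checked first: `if [ $FNRET = 255 ]; then warn "$SYSCTL_PARAM does not exist, typo ?"; elif [ $FNRET != 0 ]; then crit ...`. Whether `set_sysctl_param` also persists the value in /etc/sysctl.conf or sysctl.d is not visible here; if it only writes /proc/sys, the fix is lost at reboot and a comment should say so.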
diff --git a/bin/hardening/4.4_disable_prelink.sh b/bin/hardening/4.4_disable_prelink.sh new file mode 100755 index 0000000..3770a6b --- /dev/null +++ b/bin/hardening/4.4_disable_prelink.sh @@ -0,0 +1,58 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 4.4 Disable Prelink (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='prelink' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed !" + else + ok "$PACKAGE is absent" + fi + : +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed, purging it" + /usr/sbin/prelink -ua + apt-get purge $PACKAGE -y + apt-get autoremove + else + ok "$PACKAGE is absent" + fi + : +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/4.5_enable_apparmor.sh b/bin/hardening/4.5_enable_apparmor.sh new file mode 100755 index 0000000..88b7bbc --- /dev/null +++ b/bin/hardening/4.5_enable_apparmor.sh 
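Review bot: `apt-get autoremove` in `apply()` of 4.4_disable_prelink.sh runs without `-y`, so on any host where autoremove has candidates it stops at an interactive prompt; from the non-interactive runner in bin/hardening.sh that is a hang, not a remediation. Either use `apt-get -y autoremove` (and `DEBIAN_FRONTEND=noninteractive` for both apt-get calls) or drop autoremove entirely, since removing unrelated auto-installed packages is beyond what this item asks for. Note too that `/usr/sbin/prelink -ua` runs under `set -e`, so if undoing prelinking fails the package is never purged; that may be the intended safety behaviour but deserves a comment on that line.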
@@ -0,0 +1,55 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 4.5 Activate AppArmor (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='apparmor' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is absent !" + else + ok "$PACKAGE is installed" + fi + : +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed, please install $PACKAGE and configure it" + else + ok "$PACKAGE is installed" + fi + : +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/5.1.1_disable_nis.sh b/bin/hardening/5.1.1_disable_nis.sh new file mode 100755 index 0000000..ddabc5b --- /dev/null +++ b/bin/hardening/5.1.1_disable_nis.sh 
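Review bot: 4.5_enable_apparmor.sh only verifies that the `apparmor` package is installed, but the item is about AppArmor being active: the package can be present while the kernel booted without the AppArmor LSM enabled (on this release that typically needs `apparmor=1 security=apparmor` on the kernel command line) or with no profiles in enforce mode, and this audit would still print "apparmor is installed". A stronger check is `/sys/module/apparmor/parameters/enabled` reading `Y`, plus `apparmor_status` for loaded profiles; the helpers available in lib/utils.sh are outside this hunk, so confirm what can be reused before wiring it in. At minimum the `ok` message should not read as if the control is in effect.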
@@ -0,0 +1,56 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 5.1.1 Ensure NIS is not installed (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='nis' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed !" + else + ok "$PACKAGE is absent" + fi + : +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed, purging it" + apt-get purge $PACKAGE -y + apt-get autoremove + else + ok "$PACKAGE is absent" + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/5.1.2_disable_rsh.sh b/bin/hardening/5.1.2_disable_rsh.sh new file mode 100755 index 0000000..802ab4b --- /dev/null +++ b/bin/hardening/5.1.2_disable_rsh.sh 
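Review bot: `apt-get autoremove` in `apply()` of 5.1.1_disable_nis.sh has no `-y`, so when there are removable dependencies the run blocks on a yes/no prompt instead of finishing, while the preceding `apt-get purge $PACKAGE -y` is already non-interactive. Use `apt-get -y autoremove`, or leave autoremove out since it can remove packages unrelated to NIS. Setting `DEBIAN_FRONTEND=noninteractive` for the apt-get calls would close the remaining prompt paths for unattended runs.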
@@ -0,0 +1,88 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 5.1.2 Ensure rsh server is not enabled (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Based on aptitude search '~Prsh-server' +PACKAGES='rsh-server rsh-redone-server heimdal-servers' +FILE='/etc/inetd.conf' +PATTERN='^(shell|login|exec)' + +# This function will be called if the script status is on enabled / audit mode +audit () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + warn "$PACKAGE is installed, checking configuration" + does_file_exist $FILE + if [ $FNRET != 0 ]; then + ok "$FILE does not exist" + else + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + crit "$PATTERN exists, $PACKAGE services are enabled !" + else + ok "$PATTERN not present in $FILE" + fi + fi + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed, purging it" + apt-get purge $PACKAGE -y + apt-get autoremove + else + ok "$PACKAGE is absent" + fi + does_file_exist $FILE + if [ $FNRET != 0 ]; then + ok "$FILE does not exist" + else + info "$FILE exists, checking patterns" + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + warn "$PATTERN present in $FILE, purging it" + backup_file $FILE + ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) + sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE + else + ok "$PATTERN not present in $FILE" + fi + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . 
/etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/5.1.3_disable_rsh_client.sh b/bin/hardening/5.1.3_disable_rsh_client.sh new file mode 100755 index 0000000..679093a --- /dev/null +++ b/bin/hardening/5.1.3_disable_rsh_client.sh @@ -0,0 +1,60 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 5.1.3 Ensure rsh client is not installed (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Based on aptitude search '~Prsh-client', exluding ssh-client OFC +PACKAGES='rsh-client rsh-redone-client heimdal-clients' + +# This function will be called if the script status is on enabled / audit mode +audit () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed" + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + warn "$PACKAGE is installed, purging" + apt-get purge $PACKAGE -y + apt-get autoremove + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh 
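Review bot: `sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE` in apply() is parsed by GNU sed as `-i` with backup suffix `e`, not as `-i -e`, so every run leaves a stray `/etc/inetd.confe` next to the original; backup_file already takes the copy, so the call should be `sed -i "s/$ESCAPED_PATTERN/#&/g" "$FILE"`. The inetd.conf block (does_file_exist through the sed) sits inside the `for PACKAGE in $PACKAGES` loop even though it does not depend on the package, so it is re-run once per package name; move it after `done`. Commenting the line out has no effect until inetd re-reads its configuration, so apply() should reload or restart the inetd service after the edit, or at minimum warn that a restart is still required. The same three points apply to 5.1.4, 5.1.6 and 5.1.7, and the sed and reload points to the inetd-only scripts 5.2 through 5.6, all in this commit.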
diff --git a/bin/hardening/5.1.4_disable_talk.sh b/bin/hardening/5.1.4_disable_talk.sh new file mode 100755 index 0000000..ffd320b --- /dev/null +++ b/bin/hardening/5.1.4_disable_talk.sh 
@@ -0,0 +1,87 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 5.1.4 Ensure talk server is not enabled (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGES='inetutils-talkd talkd' +FILE='/etc/inetd.conf' +PATTERN='^(talk|ntalk)' + +# This function will be called if the script status is on enabled / audit mode +audit () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + warn "$PACKAGE is installed, checking configuration" + does_file_exist $FILE + if [ $FNRET != 0 ]; then + ok "$FILE does not exist" + else + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + crit "$PATTERN exists, $PACKAGE services are enabled !" + else + ok "$PATTERN not present in $FILE" + fi + fi + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed, purging it" + apt-get purge $PACKAGE -y + apt-get autoremove + else + ok "$PACKAGE is absent" + fi + does_file_exist $FILE + if [ $FNRET != 0 ]; then + ok "$FILE does not exist" + else + info "$FILE exists, checking patterns" + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + warn "$PATTERN present in $FILE, purging it" + backup_file $FILE + ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) + sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE + else + ok "$PATTERN not present in $FILE" + fi + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . 
/etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/5.1.5_disable_talk_client.sh b/bin/hardening/5.1.5_disable_talk_client.sh new file mode 100755 index 0000000..3e5c927 --- /dev/null +++ b/bin/hardening/5.1.5_disable_talk_client.sh @@ -0,0 +1,59 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 5.1.5 Ensure talk client is not installed (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGES='talk inetutils-talk' + +# This function will be called if the script status is on enabled / audit mode +audit () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed" + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + warn "$PACKAGE is installed, purging" + apt-get purge $PACKAGE -y + apt-get autoremove + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/5.1.6_disable_telnet_server.sh b/bin/hardening/5.1.6_disable_telnet_server.sh new file mode 100755 index 0000000..9d7b3f6 
--- /dev/null +++ b/bin/hardening/5.1.6_disable_telnet_server.sh 
@@ -0,0 +1,88 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 5.1.6 Ensure telnet server is not enabled (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Based on aptitude search '~Ptelnet-server' +PACKAGES='telnetd inetutils-telnetd telnetd-ssl krb5-telnetd heimdal-servers' +FILE='/etc/inetd.conf' +PATTERN='^telnet' + +# This function will be called if the script status is on enabled / audit mode +audit () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + warn "$PACKAGE is installed, checking configuration" + does_file_exist $FILE + if [ $FNRET != 0 ]; then + ok "$FILE does not exist" + else + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + crit "$PATTERN exists, $PACKAGE services are enabled !" + else + ok "$PATTERN not present in $FILE" + fi + fi + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed, purging it" + apt-get purge $PACKAGE -y + apt-get autoremove + else + ok "$PACKAGE is absent" + fi + does_file_exist $FILE + if [ $FNRET != 0 ]; then + ok "$FILE does not exist" + else + info "$FILE exists, checking patterns" + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + warn "$PATTERN present in $FILE, purging it" + backup_file $FILE + ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) + sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE + else + ok "$PATTERN not present in $FILE" + fi + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . 
/etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/5.1.7_disable_tftp_server.sh b/bin/hardening/5.1.7_disable_tftp_server.sh new file mode 100755 index 0000000..0c39f26 --- /dev/null +++ b/bin/hardening/5.1.7_disable_tftp_server.sh 
@@ -0,0 +1,88 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 5.1.7 Ensure tftp-server is not enabled (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGES='tftpd tftpd-hpa atftpd' +FILE='/etc/inetd.conf' +PATTERN='^tftp' + +# This function will be called if the script status is on enabled / audit mode +audit () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + warn "$PACKAGE is installed, checking configuration" + does_file_exist $FILE + if [ $FNRET != 0 ]; then + ok "$FILE does not exist" + else + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + crit "$PATTERN exists, $PACKAGE services are enabled !" + else + ok "$PATTERN not present in $FILE" + fi + fi + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed, purging it" + apt-get purge $PACKAGE -y + apt-get autoremove + else + ok "$PACKAGE is absent" + fi + does_file_exist $FILE + if [ $FNRET != 0 ]; then + ok "$FILE does not exist" + else + info "$FILE exists, checking patterns" + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + warn "$PATTERN present in $FILE, purging it" + backup_file $FILE + ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) + sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE + echo "coucou" + else + ok "$PATTERN not present in $FILE" + fi + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . 
/etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/5.1.8_disable_inetd.sh b/bin/hardening/5.1.8_disable_inetd.sh new file mode 100755 index 0000000..bad5b8c --- /dev/null +++ b/bin/hardening/5.1.8_disable_inetd.sh @@ -0,0 +1,59 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 5.1.8 Ensure xinetd is not enabled (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGES='openbsd-inetd xinetd rlinetd' + +# This function will be called if the script status is on enabled / audit mode +audit () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed" + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + warn "$PACKAGE is installed, purging" + apt-get purge $PACKAGE -y + apt-get autoremove + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/5.2_disable_chargen.sh b/bin/hardening/5.2_disable_chargen.sh new file mode 100755 index 0000000..2ce2870 --- /dev/null 
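Review bot: `echo "coucou"` right after the sed call in apply() is a leftover debug print and should be removed. It writes straight to stdout instead of going through the info/warn/debug helpers used everywhere else in the script, so it would be mixed into whatever the caller collects from these scripts. If a trace is wanted at that point, `debug "$PATTERN commented out in $FILE"` keeps it consistent with the rest of the file.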
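Review bot: The header comment says "5.1.8 Ensure xinetd is not enabled" but PACKAGES also purges `openbsd-inetd` and `rlinetd`, so the script removes every inetd implementation, not only xinetd; either narrow the list to the control or document the wider scope, e.g. `# 5.1.8 Ensure xinetd is not enabled (Scored) -- also purges openbsd-inetd and rlinetd`. If the scripts run in numeric order as their names suggest, this purge happens before 5.2 through 5.6 edit /etc/inetd.conf, so those later edits would target a file whose daemon is already gone; the intended ordering is worth stating in the comment. The package list is also unquoted on every use (`$PACKAGES`, `$PACKAGE`); that is fine for these fixed names but worth quoting `"$PACKAGE"` in the apt-get calls for consistency with the rest of the project's style.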
+++ b/bin/hardening/5.2_disable_chargen.sh @@ -0,0 +1,68 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 5.2 Ensure chargen is not enabled (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE='/etc/inetd.conf' +PATTERN='^chargen' + +# This function will be called if the script status is on enabled / audit mode +audit () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + ok "$FILE does not exist" + else + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + crit "$PATTERN exists, chargen services are enabled !" + else + ok "$PATTERN not present in $FILE" + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + ok "$FILE does not exist" + else + info "$FILE exists, checking patterns" + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + warn "$PATTERN present in $FILE, purging it" + backup_file $FILE + ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) + sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE + else + ok "$PATTERN not present in $FILE" + fi + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/5.3_disable_daytime.sh b/bin/hardening/5.3_disable_daytime.sh new file mode 100755 index 0000000..cb12750 --- /dev/null +++ b/bin/hardening/5.3_disable_daytime.sh 
@@ -0,0 +1,68 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 5.3 Ensure daytime is not enabled (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE='/etc/inetd.conf' +PATTERN='^daytime' + +# This function will be called if the script status is on enabled / audit mode +audit () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + ok "$FILE does not exist" + else + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + crit "$PATTERN exists, chargen services are enabled !" + else + ok "$PATTERN not present in $FILE" + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + ok "$FILE does not exist" + else + info "$FILE exists, checking patterns" + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + warn "$PATTERN present in $FILE, purging it" + backup_file $FILE + ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) + sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE + else + ok "$PATTERN not present in $FILE" + fi + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/5.4_disable_echo.sh b/bin/hardening/5.4_disable_echo.sh new file mode 100755 index 0000000..d899e8f --- /dev/null +++ b/bin/hardening/5.4_disable_echo.sh 
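Review bot: The crit message in audit() reads "$PATTERN exists, chargen services are enabled !" although this script checks daytime; it was copied from 5.2 and should be `crit "$PATTERN exists, daytime service is enabled !"`. The same copy-pasted chargen wording appears in audit() of 5.4 (echo), 5.5 (discard) and 5.6 (time) in this commit. Anyone reading the audit log would otherwise see four chargen findings for four different services, which makes the report hard to act on.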
@@ -0,0 +1,68 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 5.4 Ensure echo is not enabled (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE='/etc/inetd.conf' +PATTERN='^echo' + +# This function will be called if the script status is on enabled / audit mode +audit () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + ok "$FILE does not exist" + else + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + crit "$PATTERN exists, chargen services are enabled !" + else + ok "$PATTERN not present in $FILE" + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + ok "$FILE does not exist" + else + info "$FILE exists, checking patterns" + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + warn "$PATTERN present in $FILE, purging it" + backup_file $FILE + ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) + sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE + else + ok "$PATTERN not present in $FILE" + fi + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/5.5_disable_discard.sh b/bin/hardening/5.5_disable_discard.sh new file mode 100755 index 0000000..0fce91d --- /dev/null +++ b/bin/hardening/5.5_disable_discard.sh 
@@ -0,0 +1,68 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 5.5 Ensure discard is not enabled (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE='/etc/inetd.conf' +PATTERN='^discard' + +# This function will be called if the script status is on enabled / audit mode +audit () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + ok "$FILE does not exist" + else + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + crit "$PATTERN exists, chargen services are enabled !" + else + ok "$PATTERN not present in $FILE" + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + ok "$FILE does not exist" + else + info "$FILE exists, checking patterns" + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + warn "$PATTERN present in $FILE, purging it" + backup_file $FILE + ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) + sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE + else + ok "$PATTERN not present in $FILE" + fi + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/5.6_disable_time.sh b/bin/hardening/5.6_disable_time.sh new file mode 100755 index 0000000..0267904 --- /dev/null +++ b/bin/hardening/5.6_disable_time.sh 
@@ -0,0 +1,68 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 5.6 Ensure time is not enabled (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE='/etc/inetd.conf' +PATTERN='^time' + +# This function will be called if the script status is on enabled / audit mode +audit () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + ok "$FILE does not exist" + else + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + crit "$PATTERN exists, chargen services are enabled !" + else + ok "$PATTERN not present in $FILE" + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + ok "$FILE does not exist" + else + info "$FILE exists, checking patterns" + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + warn "$PATTERN present in $FILE, purging it" + backup_file $FILE + ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) + sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE + else + ok "$PATTERN not present in $FILE" + fi + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/6.10_disable_http_server.sh b/bin/hardening/6.10_disable_http_server.sh new file mode 100755 index 0000000..72d3076 --- /dev/null +++ b/bin/hardening/6.10_disable_http_server.sh 
@@ -0,0 +1,60 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 6.10 Ensure HTTP Server is not enabled (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Based on aptitude search '~Phttpd' +PACKAGES='nginx apache2 lighttpd micro-httpd mini-httpd yaws boa bozohttpd' + +# This function will be called if the script status is on enabled / audit mode +audit () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed !" + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed, purging it" + apt-get purge $PACKAGE -y + apt-get autoremove + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/6.11_disable_imap_pop.sh b/bin/hardening/6.11_disable_imap_pop.sh new file mode 100755 index 0000000..9d4b82d --- /dev/null +++ b/bin/hardening/6.11_disable_imap_pop.sh 
@@ -0,0 +1,60 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 6.11 Ensure IMAP and POP server is not enabled (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Based on aptitude search '~Pimap-server' and aptitude search '~Ppop3-server' +PACKAGES='citadel-server courier-imap cyrus-imapd-2.4 dovecot-imapd mailutils-imap4d courier-pop cyrus-pop3d-2.4 dovecot-pop3d heimdal-servers mailutils-pop3d popa3d solid-pop3d xmail' + +# This function will be called if the script status is on enabled / audit mode +audit () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed !" + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed, purging it" + apt-get purge $PACKAGE -y + apt-get autoremove + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/6.12_disable_samba.sh b/bin/hardening/6.12_disable_samba.sh new file mode 100755 index 0000000..d635a34 --- /dev/null +++ b/bin/hardening/6.12_disable_samba.sh 
@@ -0,0 +1,59 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 6.12 Ensure Samba is not enabled (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGES='samba' + +# This function will be called if the script status is on enabled / audit mode +audit () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed !" + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed, purging it" + apt-get purge $PACKAGE -y + apt-get autoremove + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/6.13_diable_http_proxy.sh b/bin/hardening/6.13_diable_http_proxy.sh new file mode 100755 index 0000000..b1a4b29 --- /dev/null +++ b/bin/hardening/6.13_diable_http_proxy.sh 
@@ -0,0 +1,59 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 6.13 Ensure HTTP Proxy Server is not enabled (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGES='squid3 squid' + +# This function will be called if the script status is on enabled / audit mode +audit () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed !" + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed, purging it" + apt-get purge $PACKAGE -y + apt-get autoremove + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/6.14_disable_snmp_server.sh b/bin/hardening/6.14_disable_snmp_server.sh new file mode 100755 index 0000000..6eceacb --- /dev/null +++ b/bin/hardening/6.14_disable_snmp_server.sh 
@@ -0,0 +1,59 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 6.14 Ensure SNMP Server is not enabled (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGES='snmpd' + +# This function will be called if the script status is on enabled / audit mode +audit () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed !" + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed, purging it" + apt-get purge $PACKAGE -y + apt-get autoremove + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/6.15_mta_localhost.sh b/bin/hardening/6.15_mta_localhost.sh new file mode 100755 index 0000000..e08325c --- /dev/null +++ b/bin/hardening/6.15_mta_localhost.sh 
@@ -0,0 +1,66 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 6.15 Configure Mail Transfer Agent for Local-Only Mode (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Checking netport ports opened"
+ eval 'RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]")'
+ debug "Result is $RESULT"
+ if [ -z "$RESULT" ]; then
+ ok "Nothing listens on 25 port, probably unix socket configured"
+ else
+ info "Checking $RESULT"
+ if $(grep -q "127.0.0.1" <<< $RESULT); then
+ ok "MTA is configured to localhost only"
+ else
+ crit "MTA listens worldwide"
+ fi
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ info "Checking netport ports opened"
+ eval 'RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]")'
+ debug "Result is $RESULT"
+ if [ -z "$RESULT" ]; then
+ ok "Nothing listens on 25 port, probably unix socket configured"
+ else
+ info "Checking $RESULT"
+ if $(grep -q "127.0.0.1" <<< $RESULT); then
+ ok "MTA is configured to localhost only"
+ else
+ warn "MTA listens worldwide, correct this considering your MTA"
+ fi
+ fi
+ :
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/6.16_disable_rsync.sh b/bin/hardening/6.16_disable_rsync.sh
new file mode 100755
index 0000000..5b9800d
--- /dev/null
+++ b/bin/hardening/6.16_disable_rsync.sh
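Review bot: The "Nothing listens on 25 port" branch in audit() is unreachable under `set -e`: when no line matches, the last grep exits 1, the assignment inside the eval inherits that status, and the script dies before the `if [ -z "$RESULT" ]` test, so a host with no SMTP listener is reported as a script failure rather than ok. The loopback test is also a false negative: `grep -q "127.0.0.1"` succeeds as soon as any matching line mentions 127.0.0.1, so an MTA bound to both 127.0.0.1:25 and 0.0.0.0:25 passes as "localhost only", and an IPv6 `::1` listener is never recognised as local. The `eval` and the `if $(grep -q ...)` form add nothing and hide the exit status; the rewrite below drops them, appends `|| true` so an empty result is a valid outcome, and flags any :25 listener that is not on a loopback address. apply() repeats the same code and needs the same change.
```shell
audit () {
    info "Checking netport ports opened"
    # grep exits 1 when no line matches; without '|| true' set -e would end the script here
    RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]" || true)
    debug "Result is $RESULT"
    if [ -z "$RESULT" ]; then
        ok "Nothing listens on 25 port, probably unix socket configured"
    else
        info "Checking $RESULT"
        # every :25 listener must be bound to a loopback address (IPv4 or IPv6)
        if grep -vqE "(127\.0\.0\.1|::1):25[[:space:]]" <<< "$RESULT"; then
            crit "MTA listens worldwide"
        else
            ok "MTA is configured to localhost only"
        fi
    fi
}
# … unchanged: apply (same fix applies), check_config, root dir sourcing …
```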
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 6.16 Ensure rsync service is not enabled (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGE='rsync'
+RSYNC_DEFAULT_PATTERN='RSYNC_ENABLE=false'
+RSYNC_DEFAULT_FILE='/etc/default/rsync'
+RSYNC_DEFAULT_PATTERN_TO_SEARCH='RSYNC_ENABLE=true'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET != 0 ]; then
+ ok "$PACKAGE is not installed"
+ else
+ ok "$PACKAGE is installed, checking configuration"
+ does_pattern_exists_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"
+ if [ $FNRET != 0 ]; then
+ crit "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE"
+ else
+ ok "$RSYNC_DEFAULT_PATTERN found in $RSYNC_DEFAULT_FILE"
+ fi
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET != 0 ]; then
+ ok "$PACKAGE is not installed"
+ else
+ ok "$PACKAGE is installed, checking configuration"
+ does_pattern_exists_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"
+ if [ $FNRET != 0 ]; then
+ warn "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE, adding it"
+ backup_file $RSYNC_DEFAULT_FILE
+ replace_in_file $RSYNC_DEFAULT_FILE $RSYNC_DEFAULT_PATTERN_TO_SEARCH $RSYNC_DEFAULT_PATTERN
+ else
+ ok "$RSYNC_DEFAULT_PATTERN found in $RSYNC_DEFAULT_FILE"
+ fi
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/6.1_disable_xwindow_system.sh b/bin/hardening/6.1_disable_xwindow_system.sh
new file mode 100755
index 0000000..bd30e09
--- /dev/null
+++ b/bin/hardening/6.1_disable_xwindow_system.sh
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 6.1 Ensure the X Window system is not installed (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# Based on aptitude search '~Pxserver'
+PACKAGES='xserver-xorg-core xserver-xorg-core-dbg xserver-common xserver-xephyr xserver-xfbdev tightvncserver vnc4server fglrx-driver xvfb xserver-xorg-video-nvidia-legacy-173xx xserver-xorg-video-nvidia-legacy-96xx xnest'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for PACKAGE in $PACKAGES; do
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ crit "$PACKAGE is installed !"
+ else
+ ok "$PACKAGE is absent"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ for PACKAGE in $PACKAGES; do
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ crit "$PACKAGE is installed, purging it"
+ apt-get purge $PACKAGE -y
+ apt-get autoremove
+ else
+ ok "$PACKAGE is absent"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/6.2_disable_avahi_server.sh b/bin/hardening/6.2_disable_avahi_server.sh
new file mode 100755
index 0000000..7a4a13a
--- /dev/null
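Review bot: `replace_in_file $RSYNC_DEFAULT_FILE $RSYNC_DEFAULT_PATTERN_TO_SEARCH $RSYNC_DEFAULT_PATTERN` in `apply` only rewrites the literal `RSYNC_ENABLE=true`; if the line carries any other value (Debian's default file also documents `inetd`), is commented out, or is absent, nothing changes, apply still exits 0 and the next audit fails again. After the replace, re-run `does_pattern_exists_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"` and, if `FNRET` is still non-zero, fall back to `add_end_of_file $RSYNC_DEFAULT_FILE $RSYNC_DEFAULT_PATTERN` as 6.5 does. The hunk also never stops an already-running rsync daemon; the edited default file only takes effect on the next service start, so confirm whether that is intended for this control.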
+++ b/bin/hardening/6.2_disable_avahi_server.sh
@@ -0,0 +1,59 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 6.2 Ensure Avahi Server is not enabled (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGES='avahi-daemon libavahi-common-data libavahi-common3 libavahi-core7'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for PACKAGE in $PACKAGES; do
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ crit "$PACKAGE is installed !"
+ else
+ ok "$PACKAGE is absent"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ for PACKAGE in $PACKAGES; do
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ crit "$PACKAGE is installed, purging it"
+ apt-get purge $PACKAGE -y
+ apt-get autoremove
+ else
+ ok "$PACKAGE is absent"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/6.3_disable_print_server.sh b/bin/hardening/6.3_disable_print_server.sh
new file mode 100755
index 0000000..2a606f9
--- /dev/null
+++ b/bin/hardening/6.3_disable_print_server.sh
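Review bot: `PACKAGES` here lists the shared libraries `libavahi-common-data`, `libavahi-common3` and `libavahi-core7` next to `avahi-daemon`, and `apply` purges each with `apt-get purge $PACKAGE -y`, which also removes every package depending on them with no confirmation; the control is about the daemon, and these libraries are typically pulled in by unrelated desktop and printing packages. 6.3 has the same pattern with `libcups2` and the other `libcups*` entries in its list, which is an even wider dependency root. Consider keeping the library names in the audit for reporting but purging only the service packages, or at least logging the output of `apt-get -s purge $PACKAGE` before the real purge so the operator can see what a run would take down.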
@@ -0,0 +1,59 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 6.3 Ensure print server is not enabled (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGES='libcups2 libcupscgi1 libcupsimage2 libcupsmime1 libcupsppdc1 cups-common cups-client cups-ppdc libcupsfilters1 cups-filters cups'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for PACKAGE in $PACKAGES; do
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ crit "$PACKAGE is installed !"
+ else
+ ok "$PACKAGE is absent"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ for PACKAGE in $PACKAGES; do
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ crit "$PACKAGE is installed, purging it"
+ apt-get purge $PACKAGE -y
+ apt-get autoremove
+ else
+ ok "$PACKAGE is absent"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/6.4_disable_dhcp.sh b/bin/hardening/6.4_disable_dhcp.sh
new file mode 100755
index 0000000..dcf76d9
--- /dev/null
+++ b/bin/hardening/6.4_disable_dhcp.sh
@@ -0,0 +1,59 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 6.4 Ensure DHCP Server is not enabled (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGES='udhcpd isc-dhcp-server'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for PACKAGE in $PACKAGES; do
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ crit "$PACKAGE is installed !"
+ else
+ ok "$PACKAGE is absent"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ for PACKAGE in $PACKAGES; do
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ crit "$PACKAGE is installed, purging it"
+ apt-get purge $PACKAGE -y
+ apt-get autoremove
+ else
+ ok "$PACKAGE is absent"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/6.5_configure_ntp.sh b/bin/hardening/6.5_configure_ntp.sh
new file mode 100755
index 0000000..df3c861
--- /dev/null
+++ b/bin/hardening/6.5_configure_ntp.sh
@@ -0,0 +1,87 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 6.5 Configure Network Time Protocol (NTP) (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGE='ntp'
+NTP_CONF_DEFAULT_PATTERN='^restrict -4 default (kod nomodify notrap nopeer noquery|ignore)'
+NTP_CONF_FILE='/etc/ntp.conf'
+NTP_INIT_PATTERN='RUNASUSER=ntp'
+NTP_INIT_FILE='/etc/init.d/ntp'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET != 0 ]; then
+ crit "$PACKAGE is not installed !"
+ else
+ ok "$PACKAGE is installed, checking configuration"
+ does_pattern_exists_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN
+ if [ $FNRET != 0 ]; then
+ crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE"
+ else
+ ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
+ fi
+ does_pattern_exists_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN"
+ if [ $FNRET != 0 ]; then
+ crit "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE"
+ else
+ ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
+ fi
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ ok "$PACKAGE is installed"
+ else
+ crit "$PACKAGE is absent, installing it"
+ apt_install $PACKAGE
+ info "Checking $PACKAGE configuration"
+ fi
+ does_pattern_exists_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN
+ if [ $FNRET != 0 ]; then
+ warn "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE, adding it"
+ backup_file $NTP_CONF_FILE
+ add_end_of_file $NTP_CONF_FILE "restrict -4 default kod notrap nomodify nopeer noquery"
+ else
+ ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
+ fi
+ does_pattern_exists_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN"
+ if [ $FNRET != 0 ]; then
+ warn "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE, adding it"
+ backup_file $NTP_INIT_FILE
+ add_line_file_before_pattern $NTP_INIT_FILE $NTP_INIT_PATTERN "^UGID"
+ else
+ ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/6.6_diable_ldap.sh b/bin/hardening/6.6_diable_ldap.sh
new file mode 100755
index 0000000..9fb4f35
--- /dev/null
+++ b/bin/hardening/6.6_diable_ldap.sh
@@ -0,0 +1,59 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 6.6 Ensure LDAP is not enabled (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGES='slapd'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for PACKAGE in $PACKAGES; do
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ crit "$PACKAGE is installed !"
+ else
+ ok "$PACKAGE is absent"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ for PACKAGE in $PACKAGES; do
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ crit "$PACKAGE is installed, purging it"
+ apt-get purge $PACKAGE -y
+ apt-get autoremove
+ else
+ ok "$PACKAGE is absent"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/6.7_disable_nfs_rpc.sh b/bin/hardening/6.7_disable_nfs_rpc.sh
new file mode 100755
index 0000000..d1f0d00
--- /dev/null
+++ b/bin/hardening/6.7_disable_nfs_rpc.sh
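Review bot: The new file is named `6.6_diable_ldap.sh` while every sibling in this diff spells out `disable`. Renaming later will churn whatever is keyed on the script name (the per-script configuration, operator runbooks), so `6.6_disable_ldap.sh` is cheaper to fix in this commit than afterwards.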
@@ -0,0 +1,59 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 6.7 Ensure NFS and RPC are not enabled (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGES='rpcbind nfs-kernel-server'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for PACKAGE in $PACKAGES; do
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ crit "$PACKAGE is installed !"
+ else
+ ok "$PACKAGE is absent"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ for PACKAGE in $PACKAGES; do
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ crit "$PACKAGE is installed, purging it"
+ apt-get purge $PACKAGE -y
+ apt-get autoremove
+ else
+ ok "$PACKAGE is absent"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/6.8_disable_dns_server.sh b/bin/hardening/6.8_disable_dns_server.sh
new file mode 100755
index 0000000..492a9bb
--- /dev/null
+++ b/bin/hardening/6.8_disable_dns_server.sh
@@ -0,0 +1,59 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 6.8 Ensure DNS Server is not enabled (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGES='bind9 unbound'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for PACKAGE in $PACKAGES; do
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ crit "$PACKAGE is installed !"
+ else
+ ok "$PACKAGE is absent"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ for PACKAGE in $PACKAGES; do
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ crit "$PACKAGE is installed, purging it"
+ apt-get purge $PACKAGE -y
+ apt-get autoremove
+ else
+ ok "$PACKAGE is absent"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/6.9_disable_ftp.sh b/bin/hardening/6.9_disable_ftp.sh
new file mode 100755
index 0000000..579f933
--- /dev/null
+++ b/bin/hardening/6.9_disable_ftp.sh
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 6.9 Ensure FTP Server is not enabled (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# Based on aptitude search '~Pftp-server'
+PACKAGES='ftpd ftpd-ssl heimdal-servers inetutils-ftpd krb5-ftpd muddleftpd proftpd-basic pure-ftpd pure-ftpd-ldap pure-ftpd-mysql pure-ftpd-postgresql twoftpd-run vsftpd wzdftpd'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for PACKAGE in $PACKAGES; do
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ crit "$PACKAGE is installed !"
+ else
+ ok "$PACKAGE is absent"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ for PACKAGE in $PACKAGES; do
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ crit "$PACKAGE is installed, purging it"
+ apt-get purge $PACKAGE -y
+ apt-get autoremove
+ else
+ ok "$PACKAGE is absent"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/7.1.1_disable_ip_forwarding.sh b/bin/hardening/7.1.1_disable_ip_forwarding.sh
new file mode 100755
index 0000000..24ef503
--- /dev/null
+++ b/bin/hardening/7.1.1_disable_ip_forwarding.sh
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 7.1.1 Disable IP Forwarding (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+SYSCTL_PARAM='net.ipv4.ip_forward'
+SYSCTL_EXP_RESULT=0
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !"
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it"
+ set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ sysctl -w net.ipv4.route.flush=1 > /dev/null
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/7.1.2_disable_send_packet_redirects.sh b/bin/hardening/7.1.2_disable_send_packet_redirects.sh
new file mode 100755
index 0000000..f608988
--- /dev/null
+++ b/bin/hardening/7.1.2_disable_send_packet_redirects.sh
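Review bot: The `elif [ $FNRET = 255 ]` branch in both `audit` and `apply` is unreachable: 255 is also `!= 0`, so the first test already takes it, an unknown sysctl key is reported as `crit "... has not 0 value !"` instead of the "does not exist, typo ?" warning, and in `apply` the script goes on to call `set_sysctl_param` on a key that does not exist. Test the sentinel first: `if [ $FNRET = 255 ]; then warn "$SYSCTL_PARAM does not exist, typo ?"; elif [ $FNRET != 0 ]; then ...`. 7.1.2 and 7.2.1 through 7.2.5 copy the same if/elif order inside their loops. Whether `set_sysctl_param` persists the value (sysctl.conf or a sysctl.d drop-in) or only changes the running kernel is not visible from this hunk; if it is runtime-only the setting is lost at reboot and the audit would flip back, so worth confirming.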
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 7.1.2 Disable Send Packet Redirects (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+#net.ipv4.conf.all.send_redirects = 0
+#net.ipv4.conf.default.send_redirects = 0
+SYSCTL_PARAMS='net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !"
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it"
+ set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ sysctl -w net.ipv4.route.flush=1 > /dev/null
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/7.2.1_disable_source_routed_packets.sh b/bin/hardening/7.2.1_disable_source_routed_packets.sh
new file mode 100755
index 0000000..660d374
--- /dev/null
+++ b/bin/hardening/7.2.1_disable_source_routed_packets.sh
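Review bot: The `SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)` / `SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)` pairs in `audit` and `apply` fork two processes per field for what parameter expansion does in place: `SYSCTL_PARAM=${SYSCTL_VALUES%%=*}` and `SYSCTL_EXP_RESULT=${SYSCTL_VALUES#*=}`. The two commented-out `#net.ipv4.conf.all.send_redirects = 0` lines above `SYSCTL_PARAMS` restate what the variable already says and read as leftovers; either drop them or replace them with a one-line comment such as `# key=value pairs, one per sysctl to enforce`. 7.2.1 through 7.2.5 use the same echo|cut parsing.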
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 7.2.1 Disable Source Routed Packet Acceptance (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+SYSCTL_PARAMS='net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.default.accept_source_route=0'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !"
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it"
+ set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ sysctl -w net.ipv4.route.flush=1 > /dev/null
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/7.2.2_disable_icmp_redirect.sh b/bin/hardening/7.2.2_disable_icmp_redirect.sh
new file mode 100755
index 0000000..7ac408c
--- /dev/null
+++ b/bin/hardening/7.2.2_disable_icmp_redirect.sh
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 7.2.2 Disable ICMP Redirect Acceptance (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+SYSCTL_PARAMS='net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !"
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it"
+ set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ sysctl -w net.ipv4.route.flush=1 > /dev/null
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/7.2.3_disable_secure_icmp_redirect.sh b/bin/hardening/7.2.3_disable_secure_icmp_redirect.sh
new file mode 100755
index 0000000..1f0b405
--- /dev/null
+++ b/bin/hardening/7.2.3_disable_secure_icmp_redirect.sh
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 7.2.3 Disable Secure ICMP Redirect Acceptance (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+SYSCTL_PARAMS='net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure_redirects=0'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !"
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it"
+ set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ sysctl -w net.ipv4.route.flush=1 > /dev/null
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/7.2.4_log_martian_packets.sh b/bin/hardening/7.2.4_log_martian_packets.sh
new file mode 100755
index 0000000..b8a48bb
--- /dev/null
+++ b/bin/hardening/7.2.4_log_martian_packets.sh
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 7.2.4 Log Suspicious Packets (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+SYSCTL_PARAMS='net.ipv4.conf.all.log_martians=1 net.ipv4.conf.default.log_martians=1'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !"
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it"
+ set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ sysctl -w net.ipv4.route.flush=1 > /dev/null
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/7.2.5_ignore_broadcast_requests.sh b/bin/hardening/7.2.5_ignore_broadcast_requests.sh
new file mode 100755
index 0000000..dab592b
--- /dev/null
+++ b/bin/hardening/7.2.5_ignore_broadcast_requests.sh
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 7.2.5 Enable Ignore Broadcast Requests (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+SYSCTL_PARAMS='net.ipv4.icmp_echo_ignore_broadcasts=1'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !"
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it"
+ set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ sysctl -w net.ipv4.route.flush=1 > /dev/null
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/7.2.6_enable_bad_error_message_protection.sh b/bin/hardening/7.2.6_enable_bad_error_message_protection.sh
new file mode 100755
index 0000000..43a7747
--- /dev/null
+++ b/bin/hardening/7.2.6_enable_bad_error_message_protection.sh
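Review bot: The "aborting" message for an empty `CIS_ROOT_DIR` is not followed by an exit, so the script falls through to `[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh`, which with an empty variable tests `/lib/main.sh` and otherwise quietly does nothing — the check never runs and nothing says so. Add `exit 128` right after `echo "No CIS_ROOT_DIR variable, aborting"`, mirroring the missing-file branch. `set -u` only protects against an unset variable; an empty one passes the unquoted `[ -z $CIS_ROOT_DIR ]` test by accident (it degenerates to `[ -z ]`), so quote it as `[ -z "$CIS_ROOT_DIR" ]`. The same prologue is pasted into every script in this commit.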
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 7.2.6 Enable Bad Error Message Protection (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+SYSCTL_PARAMS='net.ipv4.icmp_ignore_bogus_error_responses=1'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !"
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it"
+ set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ sysctl -w net.ipv4.route.flush=1 > /dev/null
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/7.2.7_enable_source_route_validation.sh b/bin/hardening/7.2.7_enable_source_route_validation.sh
new file mode 100755
index 0000000..1391ce7
--- /dev/null
+++ b/bin/hardening/7.2.7_enable_source_route_validation.sh
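Review bot: Splitting each `key=value` with `echo ... | cut` forks two processes per parameter per function and leaves `$SYSCTL_VALUES` unquoted; bash parameter expansion does the same job inline: `SYSCTL_PARAM=${SYSCTL_VALUES%%=*}` and `SYSCTL_EXP_RESULT=${SYSCTL_VALUES#*=}`. The result is identical for the single `net.ipv4.icmp_ignore_bogus_error_responses=1` entry here and for the multi-entry lists in the sibling scripts, since no key contains `=`. This is a style point; behaviour is unchanged.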
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 7.2.7 Enable RFC-recommended Source Route Validation (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+SYSCTL_PARAMS='net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !"
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it"
+ set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ sysctl -w net.ipv4.route.flush=1 > /dev/null
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/7.2.8_enable_tcp_syn_cookies.sh b/bin/hardening/7.2.8_enable_tcp_syn_cookies.sh
new file mode 100755
index 0000000..8d2da10
--- /dev/null
+++ b/bin/hardening/7.2.8_enable_tcp_syn_cookies.sh
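Review bot: `rp_filter=1` is strict reverse-path filtering and the script applies it unconditionally in apply mode; on multi-homed hosts or behind asymmetric routing it silently drops legitimate replies, which is the kind of change an operator needs to see coming before a fleet-wide run. Add a caveat above `SYSCTL_PARAMS`: `# rp_filter=1 (strict) drops packets whose reply would leave via another interface: on multi-homed / asymmetric-routing hosts set this script to audit or use 2 (loose), which no longer meets the Scored value.` If I recall the kernel semantics correctly the effective mode is the higher of `conf.all` and the per-interface value, so setting `all` here overrides any looser per-interface setting — worth confirming and noting in the same comment.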
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 7.2.8 Enable TCP SYN Cookies (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+SYSCTL_PARAMS='net.ipv4.tcp_syncookies=1'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !"
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it"
+ set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ sysctl -w net.ipv4.route.flush=1 > /dev/null
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/7.3.1_disable_ipv6_router_advertisement.sh b/bin/hardening/7.3.1_disable_ipv6_router_advertisement.sh
new file mode 100755
index 0000000..173a289
--- /dev/null
+++ b/bin/hardening/7.3.1_disable_ipv6_router_advertisement.sh
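Review bot: audit() and apply() are the same twelve-line loop differing only in what happens on a mismatch (`crit` versus `set_sysctl_param` plus a route flush), and that loop is then duplicated across seven scripts in this commit, so a fix to the branch order or the parsing has to be repeated fourteen times. A style suggestion: keep one loop per script that takes the mode as an argument, e.g. `audit () { check_sysctl_params audit; }` and `apply () { check_sysctl_params apply; }`, with the mismatch branch switching on the argument. The per-parameter `sysctl -w net.ipv4.route.flush=1` could then also run once after the loop instead of after every corrected key.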
@@ -0,0 +1,79 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 7.3.1 Disable IPv6 Router Advertisements (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+SYSCTL_PARAMS='net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ does_sysctl_param_exists "net.ipv6"
+ if [ $FNRET != 0 ]; then
+ ok "ipv6 is disabled"
+ else
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !"
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ does_sysctl_param_exists "net.ipv6"
+ if [ $FNRET != 0 ]; then
+ ok "ipv6 is disabled"
+ else
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it"
+ set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ sysctl -w net.ipv4.route.flush=1 > /dev/null
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/7.3.2_disable_ipv6_redirect.sh b/bin/hardening/7.3.2_disable_ipv6_redirect.sh
new file mode 100755
index 0000000..7f858be
--- /dev/null
+++ b/bin/hardening/7.3.2_disable_ipv6_redirect.sh
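Review bot: After correcting an IPv6 parameter, apply() flushes the IPv4 routing cache (`sysctl -w net.ipv4.route.flush=1`), which was copied from the 7.2.x scripts and does nothing for `accept_ra`; the IPv6 equivalent is `sysctl -w net.ipv6.route.flush=1 > /dev/null`. Note that under `set -e` an unwritable flush key would abort the loop mid-way, so keep the redirect and consider `|| true` if some kernels lack the key. The same IPv4 flush is also in 7.3.2.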
@@ -0,0 +1,79 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 7.3.2 Disable IPv6 Redirect Acceptance (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+SYSCTL_PARAMS='net.ipv6.conf.all.accept_redirects=0 net.ipv6.conf.default.accept_redirects=0'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ does_sysctl_param_exists "net.ipv6"
+ if [ $FNRET != 0 ]; then
+ ok "ipv6 is disabled"
+ else
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !"
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ does_sysctl_param_exists "net.ipv6"
+ if [ $FNRET != 0 ]; then
+ ok "ipv6 is disabled"
+ else
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it"
+ set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ sysctl -w net.ipv4.route.flush=1 > /dev/null
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/7.3.3_disable_ipv6.sh b/bin/hardening/7.3.3_disable_ipv6.sh
new file mode 100755
index 0000000..22a087d
--- /dev/null
+++ b/bin/hardening/7.3.3_disable_ipv6.sh
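Review bot: The early `ok "ipv6 is disabled"` path treats the absence of the `net.ipv6` sysctl tree as compliance, but that tree is missing whenever the ipv6 module is simply not loaded yet; if it loads later (a `modprobe`, or an application opening an AF_INET6 socket — assuming the usual autoload behaviour) interfaces come up with `accept_redirects` at the kernel default and nothing was persisted by apply(). Downgrade that branch to `warn "ipv6 sysctl tree absent (module not loaded?), nothing persisted"` in apply(), or still write the values to the persistent config so they take effect once the module appears. The IPv4 `net.ipv4.route.flush=1` after a correction should also be `net.ipv6.route.flush=1` here, as in 7.3.1.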
@@ -0,0 +1,79 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 7.3.3 Disable IPv6 (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ does_sysctl_param_exists "net.ipv6"
+ if [ $FNRET != 0 ]; then
+ ok "ipv6 is disabled"
+ else
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !"
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ does_sysctl_param_exists "net.ipv6"
+ if [ $FNRET != 0 ]; then
+ ok "ipv6 is disabled"
+ else
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it"
+ set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ warn "you may want to reboot or sysctl -p a file including $SYSCTL_PARAMS"
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/7.4.1_install_tcp_wrapper.sh b/bin/hardening/7.4.1_install_tcp_wrapper.sh
new file mode 100755
index 0000000..ad564d2
--- /dev/null
+++ b/bin/hardening/7.4.1_install_tcp_wrapper.sh
@@ -0,0 +1,54 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 7.4.1 Install TCP Wrappers (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGE='tcpd'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET != 0 ]; then
+ crit "$PACKAGE is not installed !"
+ else
+ ok "$PACKAGE is installed"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ ok "$PACKAGE is installed"
+ else
+ crit "$PACKAGE is absent, installing it"
+ apt_install $PACKAGE
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
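Review bot: `net.ipv6.conf.lo.disable_ipv6=1` is applied with no warning that it removes `::1`, so any daemon configured to bind `::1` or `::` (common for local resolvers, mail and database listeners) may fail to start after this script runs in apply mode — and because the item is Not Scored the operator has no benchmark reason to expect that. Add a caveat above `SYSCTL_PARAMS`: `# disabling IPv6 on lo removes ::1; services that bind ::1 or :: will fail to start. Keep this script in audit mode unless the host is known to be IPv4-only.` The `warn "you may want to reboot ..."` line is printed once per corrected key, three times here; it belongs after the loop.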
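Review bot: Installing `tcpd` is necessary but enforces nothing by itself: `/etc/hosts.allow` and `/etc/hosts.deny` are only consulted by daemons linked against libwrap or run through `tcpd`/inetd, so a host can pass 7.4.1–7.4.5 while every listening service ignores the wrapper files. A comment above `PACKAGE='tcpd'` should say so, e.g. `# Only libwrap-linked daemons (check with ldd) or services wrapped by tcpd honour hosts.allow/hosts.deny; this item does not protect anything else.` Separately, `crit "$PACKAGE is absent, installing it"` logs a critical finding for a condition apply() is about to fix; `warn` matches the other apply() paths in this commit.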
diff --git a/bin/hardening/7.4.2_hosts_allow.sh b/bin/hardening/7.4.2_hosts_allow.sh
new file mode 100755
index 0000000..4d0c808
--- /dev/null
+++ b/bin/hardening/7.4.2_hosts_allow.sh
@@ -0,0 +1,55 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 7.4.2 Create /etc/hosts.allow (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/hosts.allow'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ crit "$FILE does not exist"
+ else
+ ok "$FILE exist"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ warn "$FILE does not exist, creating it"
+ touch $FILE
+ warn "You may want to fill it with allowed networks"
+ else
+ ok "$FILE exist"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/7.4.3_hosts_allow_permissions.sh b/bin/hardening/7.4.3_hosts_allow_permissions.sh
new file mode 100755
index 0000000..6f0fea4
--- /dev/null
+++ b/bin/hardening/7.4.3_hosts_allow_permissions.sh
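Review bot: apply() creates an empty `/etc/hosts.allow` with `touch`, and in the same commit 7.4.4 appends `ALL: ALL` to `/etc/hosts.deny`; an empty allow file plus a deny-all means every libwrap-protected service, sshd included where it is linked against libwrap, rejects every client as soon as both scripts have run. "You may want to fill it" undersells that: `warn "$FILE is empty: once hosts.deny contains ALL: ALL every tcpd-wrapped service will refuse all clients until allowed networks are listed here"`. The file also gets umask-dependent permissions until 7.4.3 runs, assuming the harness executes scripts in name order. Both existence messages say "exist" where "exists" is meant.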
@@ -0,0 +1,55 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 7.4.3 Verify Permissions on /etc/hosts.allow (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/hosts.allow'
+PERMISSIONS='644'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ crit "$FILE has not $PERMISSIONS permissions set"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ info "fixing $FILE permissions to $PERMISSIONS"
+ chmod 0$PERMISSIONS $FILE
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/7.4.4_hosts_deny.sh b/bin/hardening/7.4.4_hosts_deny.sh
new file mode 100755
index 0000000..1649115
--- /dev/null
+++ b/bin/hardening/7.4.4_hosts_deny.sh
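Review bot: apply() runs `chmod 0$PERMISSIONS $FILE` without checking that `/etc/hosts.allow` exists, so if 7.4.2 is disabled in the configuration (or the file was removed) the chmod fails and `set -e` kills the script with a bare chmod error instead of a finding. Guard it the way 7.4.4 does: `does_file_exist $FILE` / `if [ $FNRET != 0 ]; then crit "$FILE does not exist"; return; fi` before the permission check in both audit() and apply(). Whether `has_file_correct_permissions` already handles a missing path cannot be seen from this hunk, so the guard is cheap insurance either way.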
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 7.4.4 Create /etc/hosts.deny (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/hosts.deny'
+PATTERN='ALL: ALL'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ crit "$FILE does not exist"
+ else
+ ok "$FILE exist, checking configuration"
+ does_pattern_exists_in_file $FILE "$PATTERN"
+ if [ $FNRET != 0 ]; then
+ crit "$PATTERN not present in $FILE, we have to deny everything"
+ else
+ ok "$PATTERN present in $FILE"
+ fi
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ warn "$FILE does not exist, creating it"
+ touch $FILE
+ else
+ ok "$FILE exist"
+ fi
+ does_pattern_exists_in_file $FILE "$PATTERN"
+ if [ $FNRET != 0 ]; then
+ crit "$PATTERN not present in $FILE, we have to deny everything"
+ add_end_of_file $FILE "$PATTERN"
+ warn "YOU MAY HAVE CUT YOUR ACCESS, CHECK BEFORE DISCONNECTING"
+ else
+ ok "$PATTERN present in $FILE"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/7.4.5_hosts_deny_permissions.sh b/bin/hardening/7.4.5_hosts_deny_permissions.sh
new file mode 100755
index 0000000..933a7c6
--- /dev/null
+++ b/bin/hardening/7.4.5_hosts_deny_permissions.sh
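Review bot: The audit matches `ALL: ALL` anywhere in `/etc/hosts.deny`, so a commented-out `# ALL: ALL` — exactly what an operator leaves behind after disabling the rule in an emergency — passes as compliant, and apply() then never re-adds the line. Assuming `does_pattern_exists_in_file` takes a grep-style regex, separate the check from the text that gets appended: `PATTERN='^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL'` for the test and `add_end_of_file $FILE "ALL: ALL"` for the remediation. The `warn "YOU MAY HAVE CUT YOUR ACCESS ..."` is the right instinct; it would be more useful printed before the append so that it is seen even if the session drops.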
@@ -0,0 +1,55 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 7.4.5 Verify Permissions on /etc/hosts.deny (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/hosts.deny'
+PERMISSIONS='644'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ crit "$FILE has not $PERMISSIONS permissions set"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ info "fixing $FILE permissions to $PERMISSIONS"
+ chmod 0$PERMISSIONS $FILE
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/7.5.1_disable_dccp.sh b/bin/hardening/7.5.1_disable_dccp.sh
new file mode 100755
index 0000000..bad110c
--- /dev/null
+++ b/bin/hardening/7.5.1_disable_dccp.sh
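Review bot: As in 7.4.3, `chmod 0$PERMISSIONS $FILE` runs with no existence check, so a missing `/etc/hosts.deny` (7.4.4 disabled, or the file removed) aborts the script under `set -e` rather than producing a finding; add `does_file_exist $FILE` and a `crit`/`return` before the permission check. A second thing worth a comment: the check is an equality test, so a stricter mode such as 640 is reported as non-compliant and relaxed to 644 by apply() — that is what the Scored value asks for, but `# exact-mode check: stricter modes are loosened to 644` above `PERMISSIONS='644'` would stop the next reader from calling it a bug.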
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 7.5.1 Disable DCCP (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Not implemented yet"
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ info "Not implemented yet"
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
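Review bot: audit() and apply() only call `info "Not implemented yet"` and return success, so if the harness judges a script by its exit status — which this hunk does not show — an unimplemented DCCP check is reported as passing and a compliance summary will overstate coverage. Emit it at a level that cannot be mistaken for a pass, `warn "Not implemented yet"`, or return a distinct non-zero status the harness can count separately, and keep the script disabled in its `.cfg` until it does something. The same stub body appears in 7.5.2, 7.5.3, 7.5.4 and 7.6 in this commit.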
@@ -0,0 +1,41 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 7.5.2 Disable SCTP (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Not implemented yet" +} + +# This function will be called if the script status is on enabled mode +apply () { + info "Not implemented yet" +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/1.1_Install_Updates.sh b/bin/hardening/7.5.3_disable_rds.sh similarity index 79% rename from bin/hardening/1.1_Install_Updates.sh rename to bin/hardening/7.5.3_disable_rds.sh index 40d0d5a..78ee539 100755 --- a/bin/hardening/1.1_Install_Updates.sh +++ b/bin/hardening/7.5.3_disable_rds.sh @@ -5,7 +5,7 @@ # # -# 1.1 Install Updates, Patches and Additional Security Software (Not Scored) +# 7.5.3 Disable RDS (Not Scored) # set -e # One error, it's over @@ -13,12 +13,12 @@ set -u # One variable unset, it's over # This function will be called if the script status is on enabled / audit mode audit () { - : + info "Not implemented yet" } # This function will be called if the script status is on enabled mode apply () { - : + info "Not implemented yet" } # This function will check config parameters required 
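Review bot: This hunk replaces the `:` bodies of a file git detects as a rename of `bin/hardening/1.1_Install_Updates.sh`, so after the commit item 1.1 (Install Updates, Patches and Additional Security Software) has no script at all — the check was recycled into `7.5.3_disable_rds.sh` rather than copied. If dropping 1.1 is deliberate it should be stated in the commit message; otherwise re-add `1.1_Install_Updates.sh` as a stub alongside the 7.5.x ones so the benchmark numbering stays complete. The new `info "Not implemented yet"` bodies share the silent-pass concern noted on 7.5.1.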
@@ -37,4 +37,5 @@ else fi fi +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) [ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/7.5.4_disable_tipc.sh b/bin/hardening/7.5.4_disable_tipc.sh new file mode 100755 index 0000000..f0e8a26 --- /dev/null +++ b/bin/hardening/7.5.4_disable_tipc.sh @@ -0,0 +1,41 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 7.5.4 Disable TIPC (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Not implemented yet" +} + +# This function will be called if the script status is on enabled mode +apply () { + info "Not implemented yet" +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/7.6_disable_wireless.sh b/bin/hardening/7.6_disable_wireless.sh new file mode 100755 index 0000000..f782b01 --- /dev/null +++ b/bin/hardening/7.6_disable_wireless.sh 
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 7.6 Deactivate Wireless Interfaces (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Not implemented yet"
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ info "Not implemented yet"
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/7.7_enable_firewall.sh b/bin/hardening/7.7_enable_firewall.sh
new file mode 100755
index 0000000..82af538
--- /dev/null
+++ b/bin/hardening/7.7_enable_firewall.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 7.7 Ensure Firewall is active (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# Quick note here : CIS recommends your iptables rules to be persistent.
+# Do as you want, but this script does not handle this
+
+PACKAGE='iptables'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET != 0 ]; then
+ crit "$PACKAGE is not installed !"
+ else
+ ok "$PACKAGE is installed"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ ok "$PACKAGE is installed"
+ else
+ crit "$PACKAGE is absent, installing it"
+ apt_install $PACKAGE
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/8.0_enable_auditd_kernel.sh b/bin/hardening/8.0_enable_auditd_kernel.sh
new file mode 100755
index 0000000..02da848
--- /dev/null
+++ b/bin/hardening/8.0_enable_auditd_kernel.sh
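Review bot: The item is "Ensure Firewall is active (Scored)" but audit() only checks that the `iptables` package is installed, which is true on almost every Debian host with an empty ACCEPT-everything ruleset; a Scored pass here says nothing about whether any filtering is in place. At minimum the audit should look at the running ruleset, e.g. `iptables -S | grep -qv '^-P' || crit "no iptables rules loaded, firewall is not active"` after the package check — that heuristic only proves some rule exists beyond the three default policy lines, so say so in a comment rather than presenting it as full verification. The existing "Quick note" about persistence should extend to this: an active ruleset that is not persisted is gone at reboot, and apply() cannot tell the difference.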
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 8.0 Ensure CONFIG_AUDIT is enabled in your running kernel
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# Note : Not part of the CIS guide, but what's the point configuring a software not compatible with your kernel ? :)
+
+KERNEL_OPTION="CONFIG_AUDIT"
+
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ is_kernel_option_enabled "^$KERNEL_OPTION="
+ if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+ ok "$KERNEL_OPTION is enabled"
+ else
+ crit "$KERNEL_OPTION is disabled, auditd will not work"
+ fi
+ :
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ is_kernel_option_enabled "^$KERNEL_OPTION="
+ if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
+ ok "$KERNEL_OPTION is enabled"
+ else
+ warn "I cannot fix $KERNEL_OPTION disabled, to make auditd work, recompile your kernel please"
+ fi
+ :
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/8.1.1.1_audit_log_storage.sh b/bin/hardening/8.1.1.1_audit_log_storage.sh
new file mode 100755
index 0000000..b9817f8
--- /dev/null
+++ b/bin/hardening/8.1.1.1_audit_log_storage.sh
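Review bot: Checking `CONFIG_AUDIT` alone does not cover what the later scripts need: the `-a always,exit -S ...` syscall rules written by 8.1.4 and following require `CONFIG_AUDITSYSCALL`, and a kernel with only CONFIG_AUDIT=y passes this check while rejecting every one of those rules. Loop over both options with the same pattern, `for KERNEL_OPTION in CONFIG_AUDIT CONFIG_AUDITSYSCALL; do is_kernel_option_enabled "^$KERNEL_OPTION="; ...; done`, and name the dependency in the `crit` text. The trailing `:` at the end of `audit` and `apply` is dead and can be dropped.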
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 8.1.1.1 Configure Audit Log Storage Size (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/audit/auditd.conf'
+PATTERN='max_log_file'
+VALUE=5
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ crit "$FILE does not exist"
+ else
+ ok "$FILE exist, checking configuration"
+ does_pattern_exists_in_file $FILE "^$PATTERN[[:space:]]"
+ if [ $FNRET != 0 ]; then
+ crit "$PATTERN not present in $FILE"
+ else
+ ok "$PATTERN present in $FILE"
+ fi
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ warn "$FILE does not exist, creating it"
+ touch $FILE
+ else
+ ok "$FILE exist"
+ fi
+ does_pattern_exists_in_file $FILE "^$PATTERN[[:space:]]"
+ if [ $FNRET != 0 ]; then
+ warn "$PATTERN not present in $FILE, adding it"
+ add_end_of_file $FILE "$PATTERN = $VALUE"
+ else
+ ok "$PATTERN present in $FILE"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/8.1.1.2_halt_when_audit_log_full.sh b/bin/hardening/8.1.1.2_halt_when_audit_log_full.sh
new file mode 100755
index 0000000..2c5fd88
--- /dev/null
+++ b/bin/hardening/8.1.1.2_halt_when_audit_log_full.sh
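Review bot: The audit pattern `^max_log_file[[:space:]]` only proves the key is present: it never compares the value with `$VALUE`, and it does not match a line written as `max_log_file=5` without a space, in which case `apply` appends a second `max_log_file = 5` line instead of correcting the first. The sibling auditd.conf scripts in this commit already use the shape `PATTERN="^$PATTERN[[:space:]]*=[[:space:]]*$VALUE"` with a `replace_in_file` fallback when the key exists with another value; this one should follow it. `VALUE=5` is a site choice (megabytes) rather than a benchmark figure, which a one-line comment should say so it is not "corrected" later.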
@@ -0,0 +1,87 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 8.1.1.2 Disable System on Audit Log Full (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/audit/auditd.conf'
+OPTIONS='space_left_action=email action_mail_acct=root admin_space_left_action=halt'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ crit "$FILE does not exist"
+ else
+ ok "$FILE exist, checking configuration"
+ for AUDIT_OPTION in $OPTIONS; do
+ AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
+ AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
+ PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
+ debug "$AUDIT_PARAM must have value $AUDIT_VALUE"
+ does_pattern_exists_in_file $FILE "$PATTERN"
+ if [ $FNRET != 0 ]; then
+ crit "$PATTERN not present in $FILE"
+ else
+ ok "$PATTERN present in $FILE"
+ fi
+ done
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ warn "$FILE does not exist, creating it"
+ touch $FILE
+ else
+ ok "$FILE exist"
+ fi
+ for AUDIT_OPTION in $OPTIONS; do
+ AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
+ AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
+ debug "$AUDIT_PARAM must have value $AUDIT_VALUE"
+ PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
+ does_pattern_exists_in_file $FILE "$PATTERN"
+ if [ $FNRET != 0 ]; then
+ warn "$PATTERN not present in $FILE, adding it"
+ does_pattern_exists_in_file $FILE "^$AUDIT_PARAM"
+ if [ $FNRET != 0 ]; then
+ info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end"
+ add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE"
+ else
+ info "Parameter $AUDIT_PARAM is present but with the wrong value, correcting"
+ replace_in_file $FILE "^$AUDIT_PARAM[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE"
+ fi
+ else
+ ok "$PATTERN present in $FILE"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/8.1.1.3_keep_all_audit_logs.sh b/bin/hardening/8.1.1.3_keep_all_audit_logs.sh
new file mode 100755
index 0000000..cca57ab
--- /dev/null
+++ b/bin/hardening/8.1.1.3_keep_all_audit_logs.sh
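Review bot: After `add_end_of_file`/`replace_in_file` rewrite auditd.conf in `apply`, nothing signals the running daemon, so the audit passes on disk while auditd keeps its previous `space_left_action`/`admin_space_left_action` until it is restarted; auditd re-reads auditd.conf on SIGHUP (auditd(8)), so one `service auditd reload` or `pkill -HUP auditd` after the loop closes that gap. `space_left_action=email` also presupposes a working local MTA for root, and if mail goes nowhere the next thing that fires is `admin_space_left_action=halt`; that dependency belongs in the header comment. The `touch $FILE` branch leaves an otherwise empty auditd.conf behind on a host without auditd, which is probably not intended.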
@@ -0,0 +1,87 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 8.1.1.3 Keep All Auditing Information (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/audit/auditd.conf'
+OPTIONS='max_log_file_action=keep_logs'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ crit "$FILE does not exist"
+ else
+ ok "$FILE exist, checking configuration"
+ for AUDIT_OPTION in $OPTIONS; do
+ AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
+ AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
+ PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
+ debug "$AUDIT_PARAM must have value $AUDIT_VALUE"
+ does_pattern_exists_in_file $FILE "$PATTERN"
+ if [ $FNRET != 0 ]; then
+ crit "$PATTERN not present in $FILE"
+ else
+ ok "$PATTERN present in $FILE"
+ fi
+ done
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ warn "$FILE does not exist, creating it"
+ touch $FILE
+ else
+ ok "$FILE exist"
+ fi
+ for AUDIT_OPTION in $OPTIONS; do
+ AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
+ AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
+ debug "$AUDIT_PARAM must have value $AUDIT_VALUE"
+ PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
+ does_pattern_exists_in_file $FILE "$PATTERN"
+ if [ $FNRET != 0 ]; then
+ warn "$PATTERN not present in $FILE, adding it"
+ does_pattern_exists_in_file $FILE "^$AUDIT_PARAM"
+ if [ $FNRET != 0 ]; then
+ info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end"
+ add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE"
+ else
+ info "Parameter $AUDIT_PARAM is present but with the wrong value, correcting"
+ replace_in_file $FILE "^$AUDIT_PARAM[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE"
+ fi
+ else
+ ok "$PATTERN present in $FILE"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/8.1.10_record_dac_edit.sh b/bin/hardening/8.1.10_record_dac_edit.sh
new file mode 100755
index 0000000..69ef81c
--- /dev/null
+++ b/bin/hardening/8.1.10_record_dac_edit.sh
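Review bot: The `if [ -z $CIS_ROOT_DIR ]` branch prints "aborting" but does not abort: with an empty CIS_ROOT_DIR the script falls through to `[ -r /lib/main.sh ] && . /lib/main.sh`, so `audit`/`apply` never run and the only signal is the exit status of that test (an unset variable is caught earlier by `set -u`, an empty one is not). Add `exit 128` after the echo and quote the test, `[ -z "$CIS_ROOT_DIR" ]`; the same boilerplate is repeated in every script of this commit. Since `max_log_file_action=keep_logs` means nothing on the host ever prunes the audit directory, and 8.1.1.2 halts the system when it fills, the header should state that off-box shipping or rotation of /var/log/audit is now a prerequisite.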
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 8.1.10 Collect Discretionary Access Control Permission Modification Events (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+AUDIT_PARAMS='-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
+FILE='/etc/audit/audit.rules'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ IFS=$'\n'
+ for AUDIT_VALUE in $AUDIT_PARAMS; do
+ debug "$AUDIT_VALUE must be in file $FILE"
+ does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ if [ $FNRET != 0 ]; then
+ crit "$AUDIT_VALUE is not in file $FILE"
+ else
+ ok "$AUDIT_VALUE present in $FILE"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ IFS=$'\n'
+ for AUDIT_VALUE in $AUDIT_PARAMS; do
+ debug "$AUDIT_VALUE must be in file $FILE"
+ does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ if [ $FNRET != 0 ]; then
+ warn "$AUDIT_VALUE is not in file $FILE, adding it"
+ add_end_of_file $FILE $AUDIT_VALUE
+ eval $(pkill -HUP -P 1 auditd)
+ else
+ ok "$AUDIT_VALUE present in $FILE"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/8.1.11_record_failed_access_file.sh b/bin/hardening/8.1.11_record_failed_access_file.sh
new file mode 100755
index 0000000..c7e1c3a
--- /dev/null
+++ b/bin/hardening/8.1.11_record_failed_access_file.sh
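Review bot: `eval $(pkill -HUP -P 1 auditd)` in `apply` does not load the rule that was just appended: pkill prints nothing, so `eval` executes an empty string and returns 0 whatever pkill did (a missing auditd is invisible even under `set -e`), and SIGHUP makes auditd re-read auditd.conf, not /etc/audit/audit.rules — on Debian 7 the rules file is, as far as I recall, only fed to `auditctl -R` by the init script. Replace it with a single load after the loop that also reports failure, e.g. `auditctl -R "$FILE" > /dev/null || warn "auditctl could not load $FILE"` (or `service auditd restart`), instead of a signal per rule. Both `audit` and `apply` also assign `IFS=$'\n'` without `local`, which leaks to the caller.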
@@ -0,0 +1,67 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 8.1.11 Collect Unsuccessful Unauthorized Access Attempts to Files (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+AUDIT_PARAMS='-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
+-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
+-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
+-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
+FILE='/etc/audit/audit.rules'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ IFS=$'\n'
+ for AUDIT_VALUE in $AUDIT_PARAMS; do
+ debug "$AUDIT_VALUE must be in file $FILE"
+ does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ if [ $FNRET != 0 ]; then
+ crit "$AUDIT_VALUE is not in file $FILE"
+ else
+ ok "$AUDIT_VALUE present in $FILE"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ IFS=$'\n'
+ for AUDIT_VALUE in $AUDIT_PARAMS; do
+ debug "$AUDIT_VALUE must be in file $FILE"
+ does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ if [ $FNRET != 0 ]; then
+ warn "$AUDIT_VALUE is not in file $FILE, adding it"
+ add_end_of_file $FILE $AUDIT_VALUE
+ eval $(pkill -HUP -P 1 auditd)
+ else
+ ok "$AUDIT_VALUE present in $FILE"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/8.1.12_record_privileged_commands.sh b/bin/hardening/8.1.12_record_privileged_commands.sh
new file mode 100755
index 0000000..d067596
--- /dev/null
+++ b/bin/hardening/8.1.12_record_privileged_commands.sh
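Review bot: `IFS=$'\n'` at the top of `audit` and `apply` is a global assignment that is never restored, so everything that runs after these functions return — the rest of main.sh and any helper that relies on default whitespace splitting of `$VAR` — sees newline-only splitting, and nothing fails loudly to point at this script. Make it `local IFS=$'\n'` in both functions. The four rules (EACCES and EPERM, b32 and b64) match the benchmark text; a comment noting that the pair of `exit=` filters is deliberate would stop someone collapsing them.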
@@ -0,0 +1,67 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 8.1.12 Collect Use of Privileged Commands (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# Find all files with setuid or setgid set
+AUDIT_PARAMS=$(find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print \
+"-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 \
+-k privileged" }')
+FILE='/etc/audit/audit.rules'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ IFS=$'\n'
+ for AUDIT_VALUE in $AUDIT_PARAMS; do
+ debug "$AUDIT_VALUE must be in file $FILE"
+ does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ if [ $FNRET != 0 ]; then
+ crit "$AUDIT_VALUE is not in file $FILE"
+ else
+ ok "$AUDIT_VALUE present in $FILE"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ IFS=$'\n'
+ for AUDIT_VALUE in $AUDIT_PARAMS; do
+ debug "$AUDIT_VALUE must be in file $FILE"
+ does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ if [ $FNRET != 0 ]; then
+ warn "$AUDIT_VALUE is not in file $FILE, adding it"
+ add_end_of_file $FILE $AUDIT_VALUE
+ eval $(pkill -HUP -P 1 auditd)
+ else
+ ok "$AUDIT_VALUE present in $FILE"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/8.1.13_record_successful_mount.sh b/bin/hardening/8.1.13_record_successful_mount.sh
new file mode 100755
index 0000000..8e64cdc
--- /dev/null
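Review bot: The `find / -xdev ...` that builds `AUDIT_PARAMS` runs at source time — on every invocation, whatever the configured status, and before main.sh and the logging helpers exist — and because `-xdev` from `/` stops at mount points, setuid/setgid binaries on a separate /usr, /opt or /home are never audited, although the benchmark asks for every local partition. Compute the list inside `audit`/`apply` and walk each local mount, e.g. `for PART in $(df --local -P | awk 'NR>1 {print $6}'); do find "$PART" -xdev \( -perm -4000 -o -perm -2000 \) -type f; done`. Paths containing whitespace also break both the awk formatting and the newline-split loop; skipping them with a `warn` is safer than writing a malformed rule.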
+++ b/bin/hardening/8.1.13_record_successful_mount.sh
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 8.1.13 Collect Successful File System Mounts (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+AUDIT_PARAMS='-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
+-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts'
+FILE='/etc/audit/audit.rules'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ IFS=$'\n'
+ for AUDIT_VALUE in $AUDIT_PARAMS; do
+ debug "$AUDIT_VALUE must be in file $FILE"
+ does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ if [ $FNRET != 0 ]; then
+ crit "$AUDIT_VALUE is not in file $FILE"
+ else
+ ok "$AUDIT_VALUE present in $FILE"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ IFS=$'\n'
+ for AUDIT_VALUE in $AUDIT_PARAMS; do
+ debug "$AUDIT_VALUE must be in file $FILE"
+ does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ if [ $FNRET != 0 ]; then
+ warn "$AUDIT_VALUE is not in file $FILE, adding it"
+ add_end_of_file $FILE $AUDIT_VALUE
+ eval $(pkill -HUP -P 1 auditd)
+ else
+ ok "$AUDIT_VALUE present in $FILE"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/8.1.14_record_file_deletions.sh b/bin/hardening/8.1.14_record_file_deletions.sh
new file mode 100755
index 0000000..2b3cf19
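Review bot: `add_end_of_file` always appends, so on any run after 8.1.18 has written `-e 2` a mount rule found missing (or removed by hand) lands after the immutable flag; `auditctl -R` processes the file top to bottom and rejects rule changes once `-e 2` has taken effect, so the newly appended line is silently never loaded. Insert new rules before any `-e` line — e.g. drop it with `sed -i '/^-e[[:space:]]*2/d' $FILE` before the loop and re-append it afterwards — or leave the immutable flag to a step that always runs last. This ordering issue is shared by every 8.1.x script that appends to audit.rules.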
--- /dev/null
+++ b/bin/hardening/8.1.14_record_file_deletions.sh
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 8.1.14 Collect File Deletion Events by User (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+AUDIT_PARAMS='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
+-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'
+FILE='/etc/audit/audit.rules'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ IFS=$'\n'
+ for AUDIT_VALUE in $AUDIT_PARAMS; do
+ debug "$AUDIT_VALUE must be in file $FILE"
+ does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ if [ $FNRET != 0 ]; then
+ crit "$AUDIT_VALUE is not in file $FILE"
+ else
+ ok "$AUDIT_VALUE present in $FILE"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ IFS=$'\n'
+ for AUDIT_VALUE in $AUDIT_PARAMS; do
+ debug "$AUDIT_VALUE must be in file $FILE"
+ does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ if [ $FNRET != 0 ]; then
+ warn "$AUDIT_VALUE is not in file $FILE, adding it"
+ add_end_of_file $FILE $AUDIT_VALUE
+ eval $(pkill -HUP -P 1 auditd)
+ else
+ ok "$AUDIT_VALUE present in $FILE"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
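Review bot: Both modes only test whether the rule text is present in /etc/audit/audit.rules, never whether the kernel has it, so a rule auditctl rejected (a `arch=b64` line on a 32-bit kernel, or anything listed after an `-e 2`) passes the scored audit indefinitely. In `audit`, also consult the loaded ruleset — auditctl(8) `-l` prints it in a normalized form that differs from the file text, so match on the key rather than the whole line, e.g. `auditctl -l | grep -q 'delete' || crit "no loaded rule carries key delete"`. Unlike the auditd.conf scripts there is also no `does_file_exist $FILE` guard before the first helper call; whether a missing rules file aborts under `set -e` or gets created by `add_end_of_file` depends on the helpers, which is worth pinning down explicitly.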
diff --git a/bin/hardening/8.1.15_record_sudoers_edit.sh b/bin/hardening/8.1.15_record_sudoers_edit.sh
new file mode 100755
index 0000000..9fc5215
--- /dev/null
+++ b/bin/hardening/8.1.15_record_sudoers_edit.sh
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 8.1.15 Collect Changes to System Administration Scope (sudoers) (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+AUDIT_PARAMS='-w /etc/sudoers -p wa -k sudoers
+-w /etc/sudoers.d/ -p wa -k sudoers'
+FILE='/etc/audit/audit.rules'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ IFS=$'\n'
+ for AUDIT_VALUE in $AUDIT_PARAMS; do
+ debug "$AUDIT_VALUE must be in file $FILE"
+ does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ if [ $FNRET != 0 ]; then
+ crit "$AUDIT_VALUE is not in file $FILE"
+ else
+ ok "$AUDIT_VALUE present in $FILE"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ IFS=$'\n'
+ for AUDIT_VALUE in $AUDIT_PARAMS; do
+ debug "$AUDIT_VALUE must be in file $FILE"
+ does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ if [ $FNRET != 0 ]; then
+ warn "$AUDIT_VALUE is not in file $FILE, adding it"
+ add_end_of_file $FILE $AUDIT_VALUE
+ eval $(pkill -HUP -P 1 auditd)
+ else
+ ok "$AUDIT_VALUE present in $FILE"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
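Review bot: `does_pattern_exists_in_file $FILE $AUDIT_VALUE` hands the rule over unquoted and as a search pattern: with `IFS=$'\n'` it survives as one word, but it begins with `-w`, so unless the helper runs `grep -F --` the leading dash can be parsed as an option, and a rule that auditctl treats as identical but is spelled differently (`-k` before `-p`, extra spaces) is reported missing and appended again on every apply. Quote it, `does_pattern_exists_in_file $FILE "$AUDIT_VALUE"`, and match fixed strings in the helper. If the `/etc/sudoers.d/` watch goes beyond the benchmark text for this release, a one-line comment saying it is intentional will stop it being trimmed.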
diff --git a/bin/hardening/8.1.16_record_sudo_usage.sh b/bin/hardening/8.1.16_record_sudo_usage.sh
new file mode 100755
index 0000000..c3c87e5
--- /dev/null
+++ b/bin/hardening/8.1.16_record_sudo_usage.sh
@@ -0,0 +1,64 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 8.1.16 Collect System Administrator Actions (sudolog) (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+AUDIT_PARAMS='-w /var/log/auth.log -p wa -k sudoaction'
+FILE='/etc/audit/audit.rules'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ IFS=$'\n'
+ for AUDIT_VALUE in $AUDIT_PARAMS; do
+ debug "$AUDIT_VALUE must be in file $FILE"
+ does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ if [ $FNRET != 0 ]; then
+ crit "$AUDIT_VALUE is not in file $FILE"
+ else
+ ok "$AUDIT_VALUE present in $FILE"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ IFS=$'\n'
+ for AUDIT_VALUE in $AUDIT_PARAMS; do
+ debug "$AUDIT_VALUE must be in file $FILE"
+ does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ if [ $FNRET != 0 ]; then
+ warn "$AUDIT_VALUE is not in file $FILE, adding it"
+ add_end_of_file $FILE $AUDIT_VALUE
+ eval $(pkill -HUP -P 1 auditd)
+ else
+ ok "$AUDIT_VALUE present in $FILE"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
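Review bot: The single rule watches `/var/log/auth.log` with `-p wa`, and on Debian that file is written by rsyslog for every auth-facility message (sshd, PAM, cron sessions), not only sudo — each such write becomes an audit record keyed `sudoaction`, which is noisy and does not single out administrator actions. The benchmark's intent is the dedicated sudo log (`Defaults logfile=/var/log/sudo.log` in sudoers, then `-w /var/log/sudo.log -p wa -k actions`). If auth.log is used on purpose because sudo logs through syslog on this platform, say so in the header, and consider having `check_config` verify the sudoers `logfile` setting so the watched path and the actual log agree.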
diff --git a/bin/hardening/8.1.17_record_kernel_modules.sh b/bin/hardening/8.1.17_record_kernel_modules.sh
new file mode 100755
index 0000000..eac57af
--- /dev/null
+++ b/bin/hardening/8.1.17_record_kernel_modules.sh
@@ -0,0 +1,67 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 8.1.17 Collect Kernel Module Loading and Unloading (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+AUDIT_PARAMS='-w /sbin/insmod -p x -k modules
+-w /sbin/rmmod -p x -k modules
+-w /sbin/modprobe -p x -k modules
+-a always,exit -F arch=b64 -S init_module -S delete_module -k modules'
+FILE='/etc/audit/audit.rules'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ IFS=$'\n'
+ for AUDIT_VALUE in $AUDIT_PARAMS; do
+ debug "$AUDIT_VALUE must be in file $FILE"
+ does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ if [ $FNRET != 0 ]; then
+ crit "$AUDIT_VALUE is not in file $FILE"
+ else
+ ok "$AUDIT_VALUE present in $FILE"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ IFS=$'\n'
+ for AUDIT_VALUE in $AUDIT_PARAMS; do
+ debug "$AUDIT_VALUE must be in file $FILE"
+ does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ if [ $FNRET != 0 ]; then
+ warn "$AUDIT_VALUE is not in file $FILE, adding it"
+ add_end_of_file $FILE $AUDIT_VALUE
+ eval $(pkill -HUP -P 1 auditd)
+ else
+ ok "$AUDIT_VALUE present in $FILE"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/8.1.18_freeze_auditd_conf.sh b/bin/hardening/8.1.18_freeze_auditd_conf.sh
new file mode 100755
index 0000000..335b044
--- /dev/null
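Review bot: Only an `arch=b64` syscall rule is written for `init_module`/`delete_module`, while every other syscall rule in this commit carries a `-F arch=b32` twin; on a 32-bit kernel auditctl rejects the b64 line and module loads through the syscall (as opposed to the three watched /sbin helpers) go unrecorded, and on a 64-bit kernel a 32-bit loader is missed. The benchmark gives the b32 form for 32-bit systems, so for consistency with the sibling scripts add `-a always,exit -F arch=b32 -S init_module -S delete_module -k modules` to `AUDIT_PARAMS`. The `-w /sbin/... -p x` watches are fine but only catch the canonical paths; a comment that a copied `insmod` is caught by the syscall rule, not the watches, explains why both are kept.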
+++ b/bin/hardening/8.1.18_freeze_auditd_conf.sh
@@ -0,0 +1,64 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 8.1.18 Make the Audit Configuration Immutable (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+AUDIT_PARAMS='-e 2'
+FILE='/etc/audit/audit.rules'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ IFS=$'\n'
+ for AUDIT_VALUE in $AUDIT_PARAMS; do
+ debug "$AUDIT_VALUE must be in file $FILE"
+ does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ if [ $FNRET != 0 ]; then
+ crit "$AUDIT_VALUE is not in file $FILE"
+ else
+ ok "$AUDIT_VALUE present in $FILE"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ IFS=$'\n'
+ for AUDIT_VALUE in $AUDIT_PARAMS; do
+ debug "$AUDIT_VALUE must be in file $FILE"
+ does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ if [ $FNRET != 0 ]; then
+ warn "$AUDIT_VALUE is not in file $FILE, adding it"
+ add_end_of_file $FILE $AUDIT_VALUE
+ eval $(pkill -HUP -P 1 auditd)
+ else
+ ok "$AUDIT_VALUE present in $FILE"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/8.1.2_enable_auditd.sh b/bin/hardening/8.1.2_enable_auditd.sh
new file mode 100755
index 0000000..a2c3472
--- /dev/null
+++ b/bin/hardening/8.1.2_enable_auditd.sh
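Review bot: `-e 2` is matched as an unanchored pattern, so if the helper is a plain grep a commented-out `#-e 2` or a `-e 2` fragment anywhere on a line satisfies the scored audit while the configuration stays mutable; anchor it, e.g. `^-e[[:space:]]*2[[:space:]]*$`. In `apply`, appending with `add_end_of_file` is only correct if this script is the last writer of audit.rules: hardening.sh runs scripts in `sort -V` order so 8.1.2–8.1.17 precede it on a first run, but any later run that appends a rule (a new setuid binary found by 8.1.12, for instance) lands after the flag, where auditctl refuses it. Once the flag is loaded rule changes need a reboot, so a `warn "audit configuration is now immutable, further rule changes require a reboot"` when the line is newly added would save confusion.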
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 8.1.2 Install and Enable auditd Service (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGE='auditd'
+SERVICE_NAME='auditd'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET != 0 ]; then
+ crit "$PACKAGE is not installed !"
+ else
+ ok "$PACKAGE is installed"
+ is_service_enabled $SERVICE_NAME
+ if [ $FNRET = 0 ]; then
+ ok "$SERVICE_NAME is enabled"
+ else
+ crit "$SERVICE_NAME is not enabled"
+ fi
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ ok "$PACKAGE is installed"
+ else
+ warn "$PACKAGE is absent, installing it"
+ apt_install $PACKAGE
+ fi
+ is_service_enabled $SERVICE_NAME
+ if [ $FNRET = 0 ]; then
+ ok "$SERVICE_NAME is enabled"
+ else
+ warn "$SERVICE_NAME is not enabled, enabling it"
+ update-rc.d $SERVICE_NAME remove > /dev/null 2>&1
+ update-rc.d $SERVICE_NAME defaults > /dev/null 2>&1
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/8.1.3_audit_bootloader.sh b/bin/hardening/8.1.3_audit_bootloader.sh
new file mode 100755
index 0000000..9914a58
--- /dev/null
+++ b/bin/hardening/8.1.3_audit_bootloader.sh
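Review bot: `apply` installs the package and re-registers the init links with `update-rc.d`, but never starts the daemon, so until the next boot auditd is enabled yet not running, no events are collected and the rule scripts' `pkill -HUP` finds nothing to signal; add `service auditd start` (or `invoke-rc.d auditd start`) after `update-rc.d $SERVICE_NAME defaults > /dev/null 2>&1`. The `audit` side likewise stops at `is_service_enabled`; a running-state check such as `pidof auditd > /dev/null || crit "$SERVICE_NAME is not running"` is what makes this scored control say something about the host right now. The `remove` before `defaults` resets any custom runlevel ordering, which is acceptable here but deserves a comment.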
@@ -0,0 +1,87 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 8.1.3 Enable Auditing for Processes That Start Prior to auditd (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/default/grub'
+OPTIONS='GRUB_CMDLINE_LINUX="audit=1"'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ crit "$FILE does not exist"
+ else
+ ok "$FILE exist, checking configuration"
+ for GRUB_OPTION in $OPTIONS; do
+ GRUB_PARAM=$(echo $GRUB_OPTION | cut -d= -f 1)
+ GRUB_VALUE=$(echo $GRUB_OPTION | cut -d= -f 2,3)
+ PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
+ debug "$GRUB_PARAM must have value $GRUB_VALUE"
+ does_pattern_exists_in_file $FILE "$PATTERN"
+ if [ $FNRET != 0 ]; then
+ crit "$PATTERN not present in $FILE"
+ else
+ ok "$PATTERN present in $FILE"
+ fi
+ done
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ warn "$FILE does not exist, creating it"
+ touch $FILE
+ else
+ ok "$FILE exist"
+ fi
+ for GRUB_OPTION in $OPTIONS; do
+ GRUB_PARAM=$(echo $GRUB_OPTION | cut -d= -f 1)
+ GRUB_VALUE=$(echo $GRUB_OPTION | cut -d= -f 2,3)
+ debug "$GRUB_PARAM must have value $GRUB_VALUE"
+ PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
+ does_pattern_exists_in_file $FILE "$PATTERN"
+ if [ $FNRET != 0 ]; then
+ warn "$PATTERN not present in $FILE, adding it"
+ does_pattern_exists_in_file $FILE "^$GRUB_PARAM"
+ if [ $FNRET != 0 ]; then
+ info "Parameter $GRUB_PARAM seems absent from $FILE, adding at the end"
+ add_end_of_file $FILE "$GRUB_PARAM = $GRUB_VALUE"
+ else
+ info "Parameter $GRUB_PARAM is present but with the wrong value, correcting"
+ replace_in_file $FILE "^$GRUB_PARAM=.*" "$GRUB_PARAM=$GRUB_VALUE"
+ fi
+ else
+ ok "$PATTERN present in $FILE"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/8.1.4_record_date_time_edit.sh b/bin/hardening/8.1.4_record_date_time_edit.sh
new file mode 100755
index 0000000..f2f5f29
--- /dev/null
+++ b/bin/hardening/8.1.4_record_date_time_edit.sh
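Review bot: The "absent" branch of `apply` writes `GRUB_CMDLINE_LINUX = "audit=1"` with spaces around `=`, which is not a valid shell assignment and makes grub-mkconfig fail when it sources /etc/default/grub, while the "present" branch replaces the whole `^GRUB_CMDLINE_LINUX=.*` line and so drops every existing kernel parameter (console=, crashkernel=, ...). Use `add_end_of_file $FILE "$GRUB_PARAM=$GRUB_VALUE"` for the first, and for the second append `audit=1` inside the existing quotes (a sed back-reference on `^GRUB_CMDLINE_LINUX="\(.*\)"$`) instead of overwriting. Neither branch runs `update-grub`, so /boot/grub/grub.cfg — what the bootloader actually reads — is unchanged and the audit passes on a file that has no effect; the audit pattern `^GRUB_CMDLINE_LINUX="audit=1"` also reports `crit` for a correct line that carries any other parameter, so it should look for `audit=1` inside the value rather than for an exact string.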
@@ -0,0 +1,68 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 8.1.4 Record Events That Modify Date and Time Information (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +AUDIT_PARAMS='-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change' +FILE='/etc/audit/audit.rules' + +# This function will be called if the script status is on enabled / audit mode +audit () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + eval $(pkill -HUP -P 1 auditd) + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh 
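Review bot: `eval $(pkill -HUP -P 1 auditd)` in apply() evaluates pkill's (empty) stdout rather than acting on its result, so a failed signal is never noticed, and as far as I know SIGHUP only makes auditd re-read auditd.conf — the rules appended to /etc/audit/audit.rules are not loaded until auditctl or a service restart replays the file; `auditctl -R "$FILE"` (or `service auditd restart`) once after the loop, with its status checked, would make the control take effect. `IFS=$'\n'` is assigned in audit() and apply() but never restored, so it leaks into whatever lib/main.sh runs next; `local IFS=$'\n'` scopes it to the function. The rule text is also passed to does_pattern_exists_in_file unquoted and as a regex: it starts with `-a`/`-w`, so if the helper hands it to grep without `--` or `-e` it is parsed as an option, and `.` in the paths matches any character — the helper is not visible here, so this needs confirming. The same body appears in 8.1.5, 8.1.6, 8.1.7, 8.1.8 and 8.1.9.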
diff --git a/bin/hardening/8.1.5_record_user_group_edit.sh b/bin/hardening/8.1.5_record_user_group_edit.sh new file mode 100755 index 0000000..706f4bb --- /dev/null +++ b/bin/hardening/8.1.5_record_user_group_edit.sh 
@@ -0,0 +1,68 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 8.1.5 Record Events That Modify User/Group Information (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +AUDIT_PARAMS='-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity' +FILE='/etc/audit/audit.rules' + +# This function will be called if the script status is on enabled / audit mode +audit () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + eval $(pkill -HUP -P 1 auditd) + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/8.1.6_record_network_edit.sh b/bin/hardening/8.1.6_record_network_edit.sh new file mode 100755 index 0000000..4e0c718 --- /dev/null 
+++ b/bin/hardening/8.1.6_record_network_edit.sh 
@@ -0,0 +1,69 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 8.1.6 Record Events That Modify the System's Network Environment (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +AUDIT_PARAMS='-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale' +FILE='/etc/audit/audit.rules' + +# This function will be called if the script status is on enabled / audit mode +audit () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + eval $(pkill -HUP -P 1 auditd) + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh 
diff --git a/bin/hardening/8.1.7_record_mac_edit.sh b/bin/hardening/8.1.7_record_mac_edit.sh new file mode 100755 index 0000000..78f0bff --- /dev/null +++ b/bin/hardening/8.1.7_record_mac_edit.sh @@ -0,0 +1,64 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 8.1.7 Record Events That Modify the System's Mandatory Access Controls (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +AUDIT_PARAMS='-w /etc/selinux/ -p wa -k MAC-policy' +FILE='/etc/audit/audit.rules' + +# This function will be called if the script status is on enabled / audit mode +audit () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + eval $(pkill -HUP -P 1 auditd) + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh 
diff --git a/bin/hardening/8.1.8_record_login_logout.sh b/bin/hardening/8.1.8_record_login_logout.sh new file mode 100755 index 0000000..7d35a38 --- /dev/null +++ b/bin/hardening/8.1.8_record_login_logout.sh @@ -0,0 +1,66 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 8.1.8 Collect Login and Logout Events (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +AUDIT_PARAMS='-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/log/tallylog -p wa -k logins' +FILE='/etc/audit/audit.rules' + +# This function will be called if the script status is on enabled / audit mode +audit () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + eval $(pkill -HUP -P 1 auditd) + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh 
diff --git a/bin/hardening/8.1.9_record_session_init.sh b/bin/hardening/8.1.9_record_session_init.sh new file mode 100755 index 0000000..b939105 --- /dev/null +++ b/bin/hardening/8.1.9_record_session_init.sh @@ -0,0 +1,66 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 8.1.9 Collect Session Initiation Information (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +AUDIT_PARAMS='-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k session +-w /var/log/btmp -p wa -k session' +FILE='/etc/audit/audit.rules' + +# This function will be called if the script status is on enabled / audit mode +audit () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + eval $(pkill -HUP -P 1 auditd) + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh 
diff --git a/bin/hardening/8.2.1_install_syslog-ng.sh b/bin/hardening/8.2.1_install_syslog-ng.sh new file mode 100755 index 0000000..aa56a5f --- /dev/null +++ b/bin/hardening/8.2.1_install_syslog-ng.sh @@ -0,0 +1,55 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 8.2.1 Install the syslog-ng package (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# NB : in CIS, rsyslog has been chosen, however we chose syslog-ng +PACKAGE='syslog-ng' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/8.2.2_enable_syslog-ng.sh b/bin/hardening/8.2.2_enable_syslog-ng.sh new file mode 100755 index 0000000..9b08561 --- /dev/null +++ b/bin/hardening/8.2.2_enable_syslog-ng.sh 
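Review bot: apply() logs `crit "$PACKAGE is absent, installing it"` for a condition it is about to fix, which leaves a critical entry in the report on a run that succeeded; the other scripts in this commit use `warn` for "missing, correcting it" (8.1.3 for instance), so `warn "$PACKAGE is absent, installing it"` keeps the levels consistent — 8.3.1 and 9.1.1 carry the same line. Whether apt_install's failure is reported depends on the helper, which is not visible here; under `set -e` a non-zero return aborts apply() with no message of its own, so a `crit` after a failed install may be worth adding.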
@@ -0,0 +1,57 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 8.2.2 Ensure the syslog-ng Service is activated (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +SERVICE_NAME="syslog-ng" + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Checking if $SERVICE_NAME is enabled" + is_service_enabled $SERVICE_NAME + if [ $FNRET = 0 ]; then + ok "$SERVICE_NAME is enabled" + else + crit "$SERVICE_NAME is disabled" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + info "Checking if $SERVICE_NAME is enabled" + is_service_enabled $SERVICE_NAME + if [ $FNRET != 0 ]; then + info "Enabling $SERVICE_NAME" + update-rc.d $SERVICE_NAME remove > /dev/null 2>&1 + update-rc.d $SERVICE_NAME defaults > /dev/null 2>&1 + else + ok "$SERVICE_NAME is enabled" + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/8.2.3_configure_syslog-ng.sh b/bin/hardening/8.2.3_configure_syslog-ng.sh new file mode 100755 index 0000000..ae0351f --- /dev/null +++ b/bin/hardening/8.2.3_configure_syslog-ng.sh 
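Review bot: `update-rc.d $SERVICE_NAME remove > /dev/null 2>&1` in apply() fails when /etc/init.d/syslog-ng still exists (to my knowledge update-rc.d refuses to purge links for a present init script unless forced), and because stderr is discarded and `set -e` is on, apply() dies there without a message and the following `defaults` line never runs; use `update-rc.d -f $SERVICE_NAME remove > /dev/null 2>&1` or drop the remove step. The `defaults` call is silenced the same way, so a failure to create the links is invisible; keep stderr or check the status. 9.1.1 contains the same two lines.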
@@ -0,0 +1,45 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 8.2.3 Configure /etc/syslog-ng/syslog-ng.conf (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +SERVICE_NAME="syslog-ng" + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Ensure default and local facilities are preserved on the system" + info "No measure here, please review the file by yourself" +} + +# This function will be called if the script status is on enabled mode +apply () { + info "Ensure default and local facilities are preserved on the system" + info "No measure here, please review the file by yourself" +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/8.2.4_set_logfile_perm.sh b/bin/hardening/8.2.4_set_logfile_perm.sh new file mode 100755 index 0000000..cd48564 --- /dev/null +++ b/bin/hardening/8.2.4_set_logfile_perm.sh 
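Review bot: `SERVICE_NAME="syslog-ng"` is assigned but never read in this script (8.4 has the same unused assignment); drop it or use it in the messages. The messages say "review the file by yourself" without naming the file — the header gives it, so `info "No measure here, please review /etc/syslog-ng/syslog-ng.conf by yourself"` tells the operator what to open.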
@@ -0,0 +1,88 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 8.2.4 Create and Set Permissions on rsyslog Log Files (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PERMISSIONS='640' +USER='root' +GROUP='adm' + +# This function will be called if the script status is on enabled / audit mode +audit () { + FILES=$(grep "file(" $SYSLOG_BASEDIR/syslog-ng.conf | grep '"' | cut -d'"' -f 2) + for FILE in $FILES; do + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + crit "$FILE is not $USER:$GROUP ownership set" + fi + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + crit "$FILE has not $PERMISSIONS permissions set" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + for FILE in $FILES; do + does_file_exist $FILE + if [ $FNRET != 0 ]; then + info "$FILE does not exist" + touch $FILE + fi + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + warn "$FILE is not $USER:$GROUP ownership set" + chown $USER:$GROUP $FILE + fi + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + info "fixing $FILE permissions to $PERMISSIONS" + chmod 0$PERMISSIONS $FILE + fi + done +} + +# This function will check config parameters required +check_config() { + does_user_exist $USER + if [ $FNRET != 0 ]; then + crit "$USER does not exist" + exit 128 + fi + does_group_exist $GROUP + if [ $FNRET != 0 ]; then + crit "$GROUP does not exist" + exit 128 + fi +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . 
/etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/8.2.5_syslog-ng_remote_host.sh b/bin/hardening/8.2.5_syslog-ng_remote_host.sh new file mode 100755 index 0000000..5f5e942 --- /dev/null +++ b/bin/hardening/8.2.5_syslog-ng_remote_host.sh 
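Review bot: `FILES` is computed only inside audit(), so apply() reading `$FILES` under `set -u` aborts with an unbound-variable error unless lib/main.sh always runs audit() before apply() (main.sh is not visible here); compute it at file scope next to PERMISSIONS, or repeat the assignment at the top of apply(). The grep also collects every `file("...")` destination, which in a default Debian syslog-ng.conf may include device targets such as /dev/tty10 — if such a destination is present apply() would chown it root:adm and chmod it 640; skipping paths under /dev avoids breaking console logging. `$SYSLOG_BASEDIR` is read but never validated, and check_config() is the place for it: `: "${SYSLOG_BASEDIR:?SYSLOG_BASEDIR is not set}"`.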
@@ -0,0 +1,55 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 8.2.5 Configure rsyslog to Send Logs to a Remote Log Host (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PATTERN='^destination.*(tcp|udp)[[:space:]]*\([[:space:]]*\".*\"[[:space:]]*\)' + +# This function will be called if the script status is on enabled / audit mode +audit () { + FILES="$SYSLOG_BASEDIR/syslog-ng.conf $SYSLOG_BASEDIR/conf.d/*" + does_pattern_exists_in_file "$FILES" "$PATTERN" + if [ $FNRET != 0 ]; then + crit "$PATTERN not present in $FILES" + else + ok "$PATTERN present in $FILES" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + FILES="$SYSLOG_BASEDIR/syslog-ng.conf $SYSLOG_BASEDIR/conf.d/*" + does_pattern_exists_in_file "$FILES" "$PATTERN" + if [ $FNRET != 0 ]; then + crit "$PATTERN not present in $FILES, please set a remote host to send your logs" + else + ok "$PATTERN present in $FILES" + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/8.2.6_remote_syslog-ng_acl.sh b/bin/hardening/8.2.6_remote_syslog-ng_acl.sh new file mode 100755 index 0000000..0c80c3f --- /dev/null +++ b/bin/hardening/8.2.6_remote_syslog-ng_acl.sh 
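Review bot: `does_pattern_exists_in_file "$FILES" "$PATTERN"` passes the two paths and the `conf.d/*` glob as one quoted argument, so the check only works if the helper word-splits and globs its first argument itself, and the pattern relies on `(tcp|udp)` alternation, which needs `grep -E`; the helper is not visible here, so both need confirming (8.3.2 uses the same glob-in-a-string form). The pattern also accepts any tcp/udp destination, including one pointing at the local host, so a match does not show that logs actually leave the machine; an `info` asking the operator to verify the destination address would make the `ok` less misleading.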
@@ -0,0 +1,41 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 8.2.6 Accept Remote rsyslog Messages Only on Designated Log Hosts (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Not implemented yet" +} + +# This function will be called if the script status is on enabled mode +apply () { + info "Not implemented yet" +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/8.3.1_install_tripwire.sh b/bin/hardening/8.3.1_install_tripwire.sh new file mode 100755 index 0000000..6bc85c9 --- /dev/null +++ b/bin/hardening/8.3.1_install_tripwire.sh 
@@ -0,0 +1,56 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 8.3.1 Install tripwire package (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# NB : in CIS, AIDE has been chosen, however we chose tripwire +PACKAGE='tripwire' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + info "Tripwire is now installed but not fully functionnal, please see readme to go further" + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/8.3.2_tripwire_cron.sh b/bin/hardening/8.3.2_tripwire_cron.sh new file mode 100755 index 0000000..c119a08 --- /dev/null +++ b/bin/hardening/8.3.2_tripwire_cron.sh 
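Review bot: The post-install message `info "Tripwire is now installed but not fully functionnal, please see readme to go further"` has a typo ("functional") and does not say what remains to be done; naming the steps it presumably refers to (key generation and database initialisation) and the README section would save the operator a search. Because audit() only checks that the package is installed, a tripwire with no database still reads as compliant, so this message is the only place the operator learns more.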
@@ -0,0 +1,55 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 8.3.2 Implement Periodic Execution of File Integrity (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILES='/etc/crontab /etc/cron.d/*' +PATTERN='tripwire --check' + +# This function will be called if the script status is on enabled / audit mode +audit () { + does_pattern_exists_in_file "$FILES" "$PATTERN" + if [ $FNRET != 0 ]; then + crit "$PATTERN not present in $FILES" + else + ok "$PATTERN present in $FILES" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_pattern_exists_in_file "$FILES" "$PATTERN" + if [ $FNRET != 0 ]; then + warn "$PATTERN not present in $FILES, setting tripwire cron" + echo "0 10 * * * root /usr/sbin/tripwire --check > /dev/shm/tripwire_check 2>&1 " > /etc/cron.d/CIS_8.3.2_tripwire + else + ok "$PATTERN present in $FILES" + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/8.4_configure_logrotate.sh b/bin/hardening/8.4_configure_logrotate.sh new file mode 100755 index 0000000..8f93e73 --- /dev/null +++ b/bin/hardening/8.4_configure_logrotate.sh 
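Review bot: The cron entry written in apply() sends the integrity report to `/dev/shm/tripwire_check`, a world-writable tmpfs: the report is lost at every reboot, and the fixed name can be pre-created by any local user, so root's redirect may not land where intended; write it under a root-owned directory instead, e.g. `echo "0 10 * * * root /usr/sbin/tripwire --check > /var/log/tripwire_check.log 2>&1" > /etc/cron.d/CIS_8.3.2_tripwire`. The cron file is created with whatever the caller's umask allows and never chmodded; to my knowledge Debian's cron ignores /etc/cron.d entries that are group- or world-writable, so follow with `chmod 0644 /etc/cron.d/CIS_8.3.2_tripwire`. Redirecting both streams also means nobody is told when the check finds changes; consider leaving stdout to cron's mail or a reporting hook.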
@@ -0,0 +1,45 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 8.4 Configure logrotate (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +SERVICE_NAME="syslog-ng" + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Ensure logs are properly rotated (especially syslog-ng)" + info "No measure here, please review the files by yourself" +} + +# This function will be called if the script status is on enabled mode +apply () { + info "Ensure logs are properly rotated (especially syslog-ng)" + info "No measure here, please review the file by yourself" +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.1.1_enable_cron.sh b/bin/hardening/9.1.1_enable_cron.sh new file mode 100755 index 0000000..6dc1ce5 --- /dev/null +++ b/bin/hardening/9.1.1_enable_cron.sh 
@@ -0,0 +1,69 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 9.1.1 Enable cron Daemon (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE="cron" +SERVICE_NAME="cron" + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + is_service_enabled $SERVICE_NAME + if [ $FNRET = 0 ]; then + ok "$SERVICE_NAME is enabled" + else + crit "$SERVICE_NAME is disabled" + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + is_service_enabled $SERVICE_NAME + if [ $FNRET != 0 ]; then + info "Enabling $SERVICE_NAME" + update-rc.d $SERVICE_NAME remove > /dev/null 2>&1 + update-rc.d $SERVICE_NAME defaults > /dev/null 2>&1 + else + ok "$SERVICE_NAME is enabled" + fi + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.1.2_crontab_perm_ownership.sh b/bin/hardening/9.1.2_crontab_perm_ownership.sh new file mode 100755 index 0000000..b3ecd62 --- /dev/null +++ b/bin/hardening/9.1.2_crontab_perm_ownership.sh 
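Review bot: In apply(), the `is_service_enabled` block sits inside the `else` of the package check, so it only runs right after installing cron; a host where cron is installed but disabled — exactly what audit() flags with `crit "$SERVICE_NAME is disabled"` — is reported `ok` and left disabled. Close the package `if` after `apt_install $PACKAGE` and run the is_service_enabled / update-rc.d block unconditionally, so apply() fixes everything audit() can report.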
@@ -0,0 +1,84 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 9.1.2 Set User/Group Owner and Permission on /etc/crontab (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE='/etc/crontab' +PERMISSIONS='600' +USER='root' +GROUP='root' + +# This function will be called if the script status is on enabled / audit mode +audit () { + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + crit "$FILE is not $USER:$GROUP ownership set" + fi + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + crit "$FILE has not $PERMISSIONS permissions set" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + info "$FILE does not exist" + touch $FILE + fi + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + warn "$FILE is not $USER:$GROUP ownership set" + chown $USER:$GROUP $FILE + fi + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + info "fixing $FILE permissions to $PERMISSIONS" + chmod 0$PERMISSIONS $FILE + fi +} + +# This function will check config parameters required +check_config() { + does_user_exist $USER + if [ $FNRET != 0 ]; then + crit "$USER does not exist" + exit 128 + fi + does_group_exist $GROUP + if [ $FNRET != 0 ]; then + crit "$GROUP does not exist" + exit 128 + fi +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . 
/etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.1.3_cron_hourly_perm_ownership.sh b/bin/hardening/9.1.3_cron_hourly_perm_ownership.sh new file mode 100755 index 0000000..25595a9 --- /dev/null +++ b/bin/hardening/9.1.3_cron_hourly_perm_ownership.sh 
@@ -0,0 +1,84 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 9.1.3 Set User/Group Owner and Permission on /etc/cron.hourly (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/cron.hourly'
+PERMISSIONS='700'
+USER='root'
+GROUP='root'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ crit "$FILE is not $USER:$GROUP ownership set"
+ fi
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ crit "$FILE has not $PERMISSIONS permissions set"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ info "$FILE does not exist"
+ touch $FILE
+ fi
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ warn "$FILE is not $USER:$GROUP ownership set"
+ chown $USER:$GROUP $FILE
+ fi
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ info "fixing $FILE permissions to $PERMISSIONS"
+ chmod 0$PERMISSIONS $FILE
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ does_user_exist $USER
+ if [ $FNRET != 0 ]; then
+ crit "$USER does not exist"
+ exit 128
+ fi
+ does_group_exist $GROUP
+ if [ $FNRET != 0 ]; then
+ crit "$GROUP does not exist"
+ exit 128
+ fi
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/9.1.4_cron_daily_perm_ownership.sh b/bin/hardening/9.1.4_cron_daily_perm_ownership.sh
new file mode 100755
index 0000000..122ec4a
--- /dev/null
+++ b/bin/hardening/9.1.4_cron_daily_perm_ownership.sh
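Review bot: `apply` repairs a missing `$FILE` with `touch $FILE`, but here `FILE='/etc/cron.hourly'` is a directory, so a missing one is recreated as an empty regular file that cron cannot use as a job directory, and the following `chmod 0700` then locks that file down as if the control were satisfied. Use `mkdir -p -m 0$PERMISSIONS $FILE` (or `install -d -m 0$PERMISSIONS -o $USER -g $GROUP $FILE`) in that branch. The same `touch` is copied into 9.1.4, 9.1.5, 9.1.6 and 9.1.7, whose targets are also directories; it is only right for 9.1.2, where the target is the /etc/crontab file.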
@@ -0,0 +1,84 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 9.1.4 Set User/Group Owner and Permission on /etc/cron.daily (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/cron.daily'
+PERMISSIONS='700'
+USER='root'
+GROUP='root'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ crit "$FILE is not $USER:$GROUP ownership set"
+ fi
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ crit "$FILE has not $PERMISSIONS permissions set"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ info "$FILE does not exist"
+ touch $FILE
+ fi
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ warn "$FILE is not $USER:$GROUP ownership set"
+ chown $USER:$GROUP $FILE
+ fi
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ info "fixing $FILE permissions to $PERMISSIONS"
+ chmod 0$PERMISSIONS $FILE
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ does_user_exist $USER
+ if [ $FNRET != 0 ]; then
+ crit "$USER does not exist"
+ exit 128
+ fi
+ does_group_exist $GROUP
+ if [ $FNRET != 0 ]; then
+ crit "$GROUP does not exist"
+ exit 128
+ fi
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/9.1.5_cron_weekly_perm_ownership.sh b/bin/hardening/9.1.5_cron_weekly_perm_ownership.sh
new file mode 100755
index 0000000..21bca7c
--- /dev/null
+++ b/bin/hardening/9.1.5_cron_weekly_perm_ownership.sh
@@ -0,0 +1,84 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 9.1.5 Set User/Group Owner and Permission on /etc/cron.weekly (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/cron.weekly'
+PERMISSIONS='700'
+USER='root'
+GROUP='root'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ crit "$FILE is not $USER:$GROUP ownership set"
+ fi
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ crit "$FILE has not $PERMISSIONS permissions set"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ info "$FILE does not exist"
+ touch $FILE
+ fi
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ warn "$FILE is not $USER:$GROUP ownership set"
+ chown $USER:$GROUP $FILE
+ fi
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ info "fixing $FILE permissions to $PERMISSIONS"
+ chmod 0$PERMISSIONS $FILE
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ does_user_exist $USER
+ if [ $FNRET != 0 ]; then
+ crit "$USER does not exist"
+ exit 128
+ fi
+ does_group_exist $GROUP
+ if [ $FNRET != 0 ]; then
+ crit "$GROUP does not exist"
+ exit 128
+ fi
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/9.1.6_cron_monthly_perm_ownership.sh b/bin/hardening/9.1.6_cron_monthly_perm_ownership.sh
new file mode 100755
index 0000000..38a8bd1
--- /dev/null
+++ b/bin/hardening/9.1.6_cron_monthly_perm_ownership.sh
@@ -0,0 +1,84 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 9.1.6 Set User/Group Owner and Permission on /etc/cron.monthly (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/cron.monthly'
+PERMISSIONS='700'
+USER='root'
+GROUP='root'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ crit "$FILE is not $USER:$GROUP ownership set"
+ fi
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ crit "$FILE has not $PERMISSIONS permissions set"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ info "$FILE does not exist"
+ touch $FILE
+ fi
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ warn "$FILE is not $USER:$GROUP ownership set"
+ chown $USER:$GROUP $FILE
+ fi
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ info "fixing $FILE permissions to $PERMISSIONS"
+ chmod 0$PERMISSIONS $FILE
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ does_user_exist $USER
+ if [ $FNRET != 0 ]; then
+ crit "$USER does not exist"
+ exit 128
+ fi
+ does_group_exist $GROUP
+ if [ $FNRET != 0 ]; then
+ crit "$GROUP does not exist"
+ exit 128
+ fi
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/9.1.7_cron_d_perm_ownership.sh b/bin/hardening/9.1.7_cron_d_perm_ownership.sh
new file mode 100755
index 0000000..bca5fb9
--- /dev/null
+++ b/bin/hardening/9.1.7_cron_d_perm_ownership.sh
@@ -0,0 +1,84 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 9.1.7 Set User/Group Owner and Permission on /etc/cron.d (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/cron.d'
+PERMISSIONS='700'
+USER='root'
+GROUP='root'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ crit "$FILE is not $USER:$GROUP ownership set"
+ fi
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ crit "$FILE has not $PERMISSIONS permissions set"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ info "$FILE does not exist"
+ touch $FILE
+ fi
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ warn "$FILE is not $USER:$GROUP ownership set"
+ chown $USER:$GROUP $FILE
+ fi
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ info "fixing $FILE permissions to $PERMISSIONS"
+ chmod 0$PERMISSIONS $FILE
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ does_user_exist $USER
+ if [ $FNRET != 0 ]; then
+ crit "$USER does not exist"
+ exit 128
+ fi
+ does_group_exist $GROUP
+ if [ $FNRET != 0 ]; then
+ crit "$GROUP does not exist"
+ exit 128
+ fi
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/9.1.8_cron_users.sh b/bin/hardening/9.1.8_cron_users.sh
new file mode 100755
index 0000000..2706b5e
--- /dev/null
+++ b/bin/hardening/9.1.8_cron_users.sh
@@ -0,0 +1,111 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 9.1.8 Restrict at/cron to Authorized Users (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILES_ABSENT='/etc/cron.deny /etc/at.deny'
+FILES_PRESENT='/etc/cron.allow /etc/at.allow'
+PERMISSIONS='600'
+USER='root'
+GROUP='root'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for FILE in $FILES_ABSENT; do
+ does_file_exist $FILE
+ if [ $FNRET = 0 ]; then
+ crit "$FILE exists"
+ else
+ ok "$FILE is absent"
+ fi
+ done
+ for FILE in $FILES_PRESENT; do
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ crit "$FILE is absent"
+ else
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ crit "$FILE is not $USER:$GROUP ownership set"
+ fi
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ crit "$FILE has not $PERMISSIONS permissions set"
+ fi
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ for FILE in $FILES_ABSENT; do
+ does_file_exist $FILE
+ if [ $FNRET = 0 ]; then
+ warn "$FILE exists"
+ rm $FILE
+ else
+ ok "$FILE is absent"
+ fi
+ done
+ for FILE in $FILES_PRESENT; do
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ warn "$FILE is absent"
+ touch $FILE
+ fi
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ warn "$FILE is not $USER:$GROUP ownership set"
+ chown $USER:$GROUP $FILE
+ fi
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ warn "$FILE has not $PERMISSIONS permissions set"
+ chmod 0$PERMISSIONS $FILE
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ does_user_exist $USER
+ if [ $FNRET != 0 ]; then
+ crit "$USER does not exist"
+ exit 128
+ fi
+ does_group_exist $GROUP
+ if [ $FNRET != 0 ]; then
+ crit "$GROUP does not exist"
+ exit 128
+ fi
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/9.2.1_enable_cracklib.sh b/bin/hardening/9.2.1_enable_cracklib.sh
new file mode 100755
index 0000000..0f0eb5e
--- /dev/null
+++ b/bin/hardening/9.2.1_enable_cracklib.sh
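Review bot: In `apply`, `touch $FILE` creates cron.allow/at.allow with whatever mode the process umask gives and only then chowns and chmods it, so the file exists world-readable for a moment if the umask is permissive; creating it with its final mode and owner, `install -m 0$PERMISSIONS -o $USER -g $GROUP /dev/null $FILE`, removes that window and the two follow-up fixes for the just-created case (9.1.2's `touch` has the same shape). The removal path should be `rm -f -- $FILE`: under `set -e` a failed `rm` on cron.deny aborts the script before at.deny and the allow files are handled, leaving the control half-applied with no clear report. A header comment should also say that an empty allow file is deliberate — once cron.allow exists only the users listed in it (plus root) may use crontab — so an operator does not later "fix" the empty file by deleting it.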
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 9.2.1 Set Password Creation Requirement Parameters Using pam_cracklib (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGE='libpam-cracklib'
+PATTERN='^password.*pam_cracklib.so'
+FILE='/etc/pam.d/common-password'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET != 0 ]; then
+ crit "$PACKAGE is not installed !"
+ else
+ ok "$PACKAGE is installed"
+ does_pattern_exists_in_file $FILE $PATTERN
+ if [ $FNRET = 0 ]; then
+ ok "$PATTERN is present in $FILE"
+ else
+ crit "$PATTERN is not present in $FILE"
+ fi
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ ok "$PACKAGE is installed"
+ else
+ crit "$PACKAGE is absent, installing it"
+ apt_install $PACKAGE
+ fi
+ does_pattern_exists_in_file $FILE $PATTERN
+ if [ $FNRET = 0 ]; then
+ ok "$PATTERN is present in $FILE"
+ else
+ crit "$PATTERN is not present in $FILE"
+ add_line_file_before_pattern $FILE "password requisite pam_cracklib.so retry=3 minlen=8 difok=3" "# pam-auth-update(8) for details."
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/9.2.2_enable_lockout_failed_password.sh b/bin/hardening/9.2.2_enable_lockout_failed_password.sh
new file mode 100755
index 0000000..4144119
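Review bot: The audit pattern `^password.*pam_cracklib.so` only checks that the module is referenced, so a pam_cracklib line with weaker (or no) strength parameters passes, and the `retry=3 minlen=8 difok=3` values that `apply` writes are never verified afterwards; build the pattern from the parameters the control expects, for example `PATTERN='^password.*pam_cracklib.so.*minlen='` plus a per-parameter check along the lines of the 9.3.x loops. Pass the pattern quoted, `does_pattern_exists_in_file $FILE "$PATTERN"`, as the ssh scripts already do, because the unquoted `.*` is a glob candidate in the current directory. As I recall the CIS Debian 7 text for 9.2.1 asks for a larger minlen with per-class credit settings than `minlen=8 difok=3`; confirm the intended values against the benchmark before scoring this as compliant. Inserting into common-password also competes with pam-auth-update(8), which regenerates that file, so a comment next to `add_line_file_before_pattern` explaining why the line goes above the marker would help the next maintainer.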
--- /dev/null
+++ b/bin/hardening/9.2.2_enable_lockout_failed_password.sh
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 9.2.2 Set Lockout for Failed Password Attempts (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGE='libpam-modules-bin'
+PATTERN='^auth[[:space:]]*required[[:space:]]*pam_tally[2]?.so'
+FILE='/etc/pam.d/login'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET != 0 ]; then
+ crit "$PACKAGE is not installed !"
+ else
+ ok "$PACKAGE is installed"
+ does_pattern_exists_in_file $FILE $PATTERN
+ if [ $FNRET = 0 ]; then
+ ok "$PATTERN is present in $FILE"
+ else
+ crit "$PATTERN is not present in $FILE"
+ fi
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ ok "$PACKAGE is installed"
+ else
+ crit "$PACKAGE is absent, installing it"
+ apt_install $PACKAGE
+ fi
+ does_pattern_exists_in_file $FILE $PATTERN
+ if [ $FNRET = 0 ]; then
+ ok "$PATTERN is present in $FILE"
+ else
+ crit "$PATTERN is not present in $FILE"
+ add_line_file_before_pattern $FILE "auth required pam_tally.so onerr=fail deny=6 unlock_time=1800" "# Uncomment and edit \/etc\/security\/time.conf if you need to set"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
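Review bot: The line `apply` inserts, `auth required pam_tally.so onerr=fail deny=6 unlock_time=1800`, goes into `/etc/pam.d/login`, which only governs console/getty logins; on Debian, sshd and the other services authenticate through common-auth, so remote password guessing is not covered by this control unless that file is changed as well — if the narrower scope is deliberate, say so in the header comment. The audit pattern accepts `pam_tally` or `pam_tally2` but the inserted line uses `pam_tally.so`; pick one (pam_tally2 where available) so audit and apply agree on what compliant looks like, and pass `$PATTERN` quoted as the 9.3.x scripts do, since it contains `*` and `?`. `onerr=fail` means an unreadable tally file denies every login, which is the safe default but is a lockout risk worth a one-line comment next to the inserted line.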
diff --git a/bin/hardening/9.2.3_limit_password_reuse.sh b/bin/hardening/9.2.3_limit_password_reuse.sh
new file mode 100755
index 0000000..2b81158
--- /dev/null
+++ b/bin/hardening/9.2.3_limit_password_reuse.sh
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 9.2.3 Limit Password Reuse (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGE='libpam-modules'
+PATTERN='^password.*remember'
+FILE='/etc/pam.d/common-password'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET != 0 ]; then
+ crit "$PACKAGE is not installed !"
+ else
+ ok "$PACKAGE is installed"
+ does_pattern_exists_in_file $FILE $PATTERN
+ if [ $FNRET = 0 ]; then
+ ok "$PATTERN is present in $FILE"
+ else
+ crit "$PATTERN is not present in $FILE"
+ fi
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ ok "$PACKAGE is installed"
+ else
+ crit "$PACKAGE is absent, installing it"
+ apt_install $PACKAGE
+ fi
+ does_pattern_exists_in_file $FILE $PATTERN
+ if [ $FNRET = 0 ]; then
+ ok "$PATTERN is present in $FILE"
+ else
+ warn "$PATTERN is not present in $FILE"
+ add_line_file_before_pattern $FILE "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" "# pam-auth-update(8) for details."
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/9.3.10_disable_sshd_setenv.sh b/bin/hardening/9.3.10_disable_sshd_setenv.sh
new file mode 100755
index 0000000..e0f9d5f
--- /dev/null
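Review bot: When `^password.*remember` is missing, `apply` adds a second `password [success=1 default=ignore] pam_unix.so ...` line instead of amending the pam_unix.so entry that Debian's common-password already carries, so the stack ends up with two pam_unix password lines; depending on where the `# pam-auth-update(8) for details.` marker sits relative to the existing line, the new line's `success=1` jump may skip the original pam_unix and land on the module after it, which changes stack semantics rather than just adding `remember=`. Prefer `replace_in_file $FILE "^password.*pam_unix.so.*" "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5"` when a pam_unix line exists and only append when none does, mirroring the present/wrong-value split the 9.3.x scripts use. `remember=` stores old hashes in `/etc/security/opasswd`; if that file is absent on the target the module fails, so creating it (root-owned, mode 600) in `apply` or checking for it in `check_config` would make the control self-contained.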
+++ b/bin/hardening/9.3.10_disable_sshd_setenv.sh 
@@ -0,0 +1,86 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 9.3.10 Do Not Allow Users to Set Environment Options (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGE='openssh-server'
+OPTIONS='PermitUserEnvironment=no'
+FILE='/etc/ssh/sshd_config'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET != 0 ]; then
+ crit "$PACKAGE is not installed !"
+ else
+ ok "$PACKAGE is installed"
+ for SSH_OPTION in $OPTIONS; do
+ SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+ SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+ PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ does_pattern_exists_in_file $FILE "$PATTERN"
+ if [ $FNRET = 0 ]; then
+ ok "$PATTERN is present in $FILE"
+ else
+ crit "$PATTERN is not present in $FILE"
+ fi
+ done
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ ok "$PACKAGE is installed"
+ else
+ crit "$PACKAGE is absent, installing it"
+ apt_install $PACKAGE
+ fi
+ for SSH_OPTION in $OPTIONS; do
+ SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+ SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+ PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ does_pattern_exists_in_file $FILE "$PATTERN"
+ if [ $FNRET = 0 ]; then
+ ok "$PATTERN is present in $FILE"
+ else
+ warn "$PATTERN not present in $FILE, adding it"
+ does_pattern_exists_in_file $FILE "^$SSH_PARAM"
+ if [ $FNRET != 0 ]; then
+ add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+ else
+ info "Parameter $SSH_PARAM is present but with the wrong value, correcting"
+ replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+ fi
+ /etc/init.d/ssh reload
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/9.3.11_sshd_ciphers.sh b/bin/hardening/9.3.11_sshd_ciphers.sh
new file mode 100755
index 0000000..4836119
--- /dev/null
+++ b/bin/hardening/9.3.11_sshd_ciphers.sh
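Review bot: `/etc/init.d/ssh reload` runs inside the per-option loop straight after editing sshd_config with no syntax check, so a bad edit is pushed to the running daemon and can cost remote access to the host; validate first and reload once after the loop, `sshd -t && /etc/init.d/ssh reload`, and treat a failed test as an apply error rather than a log line. `add_end_of_file` appends the directive at the very end of sshd_config, which on a file that already has `Match` blocks places it inside the last block and makes it conditional instead of global; inserting before the first `^Match` line, or checking that none exists, keeps it global. sshd keywords are case-insensitive and accept `=` as separator while these patterns are case-sensitive and `[[:space:]]*` also matches zero spaces, so a valid `permituserenvironment no` fails the audit and `PermitUserEnvironmentno` would pass it. The same loop is copied into 9.3.11, 9.3.12, 9.3.13 and 9.3.14, so the three points apply there as well.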
@@ -0,0 +1,86 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 9.3.11 Use Only Approved Cipher in Counter Mode (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGE='openssh-server'
+OPTIONS='Ciphers=aes128-ctr,aes192-ctr,aes256-ctr'
+FILE='/etc/ssh/sshd_config'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET != 0 ]; then
+ crit "$PACKAGE is not installed !"
+ else
+ ok "$PACKAGE is installed"
+ for SSH_OPTION in $OPTIONS; do
+ SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+ SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+ PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ does_pattern_exists_in_file $FILE "$PATTERN"
+ if [ $FNRET = 0 ]; then
+ ok "$PATTERN is present in $FILE"
+ else
+ crit "$PATTERN is not present in $FILE"
+ fi
+ done
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ ok "$PACKAGE is installed"
+ else
+ crit "$PACKAGE is absent, installing it"
+ apt_install $PACKAGE
+ fi
+ for SSH_OPTION in $OPTIONS; do
+ SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+ SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+ PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ does_pattern_exists_in_file $FILE "$PATTERN"
+ if [ $FNRET = 0 ]; then
+ ok "$PATTERN is present in $FILE"
+ else
+ warn "$PATTERN not present in $FILE, adding it"
+ does_pattern_exists_in_file $FILE "^$SSH_PARAM"
+ if [ $FNRET != 0 ]; then
+ add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+ else
+ info "Parameter $SSH_PARAM is present but with the wrong value, correcting"
+ replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+ fi
+ /etc/init.d/ssh reload
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/9.3.12_sshd_idle_timeout.sh b/bin/hardening/9.3.12_sshd_idle_timeout.sh
new file mode 100755
index 0000000..94e4da2
--- /dev/null
+++ b/bin/hardening/9.3.12_sshd_idle_timeout.sh
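Review bot: The audit only passes on the literal `^Ciphers[[:space:]]*aes128-ctr,aes192-ctr,aes256-ctr`, so a host whose Ciphers line lists the same approved set in a different order, or a stricter subset such as `aes256-ctr` alone, is reported as non-compliant and `apply` then replaces that line with the fixed list; the check should split the configured value on `,` and fail only if a cipher outside the approved set is present (a stricter-than-baseline config should not be reverted). The unquoted `SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)` works here only because the cipher names contain no shell metacharacters; `SSH_VALUE=$(cut -d= -f 2 <<< "$SSH_OPTION")` is the robust form and matches 9.3.13's here-string style. The reload-without-`sshd -t` and `Match`-block points raised on 9.3.10 apply here unchanged.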
@@ -0,0 +1,89 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 9.3.12 Set Idle Timeout Interval for User Login (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGE='openssh-server'
+FILE='/etc/ssh/sshd_config'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ OPTIONS="ClientAliveInterval=$SSHD_TIMEOUT ClientAliveCountMax=0"
+ is_pkg_installed $PACKAGE
+ if [ $FNRET != 0 ]; then
+ crit "$PACKAGE is not installed !"
+ else
+ ok "$PACKAGE is installed"
+ for SSH_OPTION in $OPTIONS; do
+ SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+ SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+ PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ does_pattern_exists_in_file $FILE "$PATTERN"
+ if [ $FNRET = 0 ]; then
+ ok "$PATTERN is present in $FILE"
+ else
+ crit "$PATTERN is not present in $FILE"
+ fi
+ done
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ ok "$PACKAGE is installed"
+ else
+ crit "$PACKAGE is absent, installing it"
+ apt_install $PACKAGE
+ fi
+ for SSH_OPTION in $OPTIONS; do
+ SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+ SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+ PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ does_pattern_exists_in_file $FILE "$PATTERN"
+ if [ $FNRET = 0 ]; then
+ ok "$PATTERN is present in $FILE"
+ else
+ warn "$PATTERN not present in $FILE, adding it"
+ does_pattern_exists_in_file $FILE "^$SSH_PARAM"
+ if [ $FNRET != 0 ]; then
+ add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+ else
+ info "Parameter $SSH_PARAM is present but with the wrong value, correcting"
+ replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+ fi
+ /etc/init.d/ssh reload
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ if [ -z $SSHD_TIMEOUT ]; then
+ crit "SSHD_TIMEOUT is not set, please edit configuration file"
+ exit 128
+ fi
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/9.3.13_sshd_limit_access.sh b/bin/hardening/9.3.13_sshd_limit_access.sh
new file mode 100755
index 0000000..f6475f8
--- /dev/null
+++ b/bin/hardening/9.3.13_sshd_limit_access.sh
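Review bot: `OPTIONS` is assigned inside `audit()` but `apply()` reads `$OPTIONS` in its `for` loop, so under `set -u` an apply run that is not preceded by `audit` in the same process (whether it is depends on lib/main.sh, which is not in this diff) dies with an unbound-variable error before touching sshd_config; assign `OPTIONS="ClientAliveInterval=$SSHD_TIMEOUT ClientAliveCountMax=0"` at the top of `apply()` too, or once after `check_config` has run. `check_config` has the mirror-image problem: `if [ -z $SSHD_TIMEOUT ]` expands the variable under `set -u`, so an unset SSHD_TIMEOUT aborts on the expansion itself and the `crit` message is never printed — test `${SSHD_TIMEOUT:-}` instead. The header comment should state the unit SSHD_TIMEOUT is expected in (sshd reads ClientAliveInterval as seconds) and that `ClientAliveCountMax=0` disconnects idle sessions with no warning, since that is the user-visible effect operators will ask about. 9.3.13 and 9.3.14 share both the `OPTIONS` scoping and the `set -u` test defect.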
@@ -0,0 +1,103 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 9.3.13 Limit Access via SSH (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGE='openssh-server'
+FILE='/etc/ssh/sshd_config'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ OPTIONS="AllowUsers='$ALLOWED_USERS' AllowGroups='$ALLOWED_GROUPS' DenyUsers='$DENIED_USERS' DenyGroups='$DENIED_GROUPS'"
+ is_pkg_installed $PACKAGE
+ if [ $FNRET != 0 ]; then
+ crit "$PACKAGE is not installed !"
+ else
+ ok "$PACKAGE is installed"
+ for SSH_OPTION in $OPTIONS; do
+ SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+ SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+ SSH_VALUE=$(sed "s/'//g" <<< $SSH_VALUE)
+ PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ does_pattern_exists_in_file $FILE "$PATTERN"
+ if [ $FNRET = 0 ]; then
+ ok "$PATTERN is present in $FILE"
+ else
+ crit "$PATTERN is not present in $FILE"
+ fi
+ done
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ ok "$PACKAGE is installed"
+ else
+ crit "$PACKAGE is absent, installing it"
+ apt_install $PACKAGE
+ fi
+ for SSH_OPTION in $OPTIONS; do
+ SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+ SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+ SSH_VALUE=$(sed "s/'//g" <<< $SSH_VALUE)
+ PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ does_pattern_exists_in_file $FILE "$PATTERN"
+ if [ $FNRET = 0 ]; then
+ ok "$PATTERN is present in $FILE"
+ else
+ warn "$PATTERN not present in $FILE, adding it"
+ does_pattern_exists_in_file $FILE "^$SSH_PARAM"
+ if [ $FNRET != 0 ]; then
+ add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+ else
+ info "Parameter $SSH_PARAM is present but with the wrong value, correcting"
+ replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+ fi
+ /etc/init.d/ssh reload
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ if [ -z $ALLOWED_USERS ]; then
+ info "ALLOWED_USERS is not set, defaults to wildcard"
+ ALLOWED_USERS="*"
+ fi
+ if [ -z $ALLOWED_GROUPS ]; then
+ info "ALLOWED_GROUPS is not set, defaults to wildcard"
+ ALLOWED_GROUPS="*"
+ fi
+ if [ -z $DENIED_USERS ]; then
+ info "DENIED_USERS is not set, defaults to nobody"
+ DENIED_USERS="nobody"
+ fi
+ if [ -z $DENIED_GROUPS ]; then
+ info "DENIED_GROUPS is not set, defaults to nobody"
+ DENIED_GROUPS="nobody"
+ fi
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/9.3.14_ssh_banner.sh b/bin/hardening/9.3.14_ssh_banner.sh
new file mode 100755
index 0000000..b44a310
--- /dev/null
+++ b/bin/hardening/9.3.14_ssh_banner.sh
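Review bot: `OPTIONS="AllowUsers='$ALLOWED_USERS' ..."` is consumed by `for SSH_OPTION in $OPTIONS`, which word-splits on whitespace, so a multi-user value such as `ALLOWED_USERS="alice bob"` becomes the two tokens `AllowUsers='alice` and `bob'` and the second is treated as a keyword in its own right; the single quotes stripped later by `sed "s/'//g"` do not survive the split. Keep one variable per keyword (or a bash array) and pass the quoted value into `PATTERN` and `add_end_of_file` directly, since these values legitimately contain spaces and `*`. The defaults also deserve a comment: `ALLOWED_USERS="*"` yields `PATTERN="^AllowUsers[[:space:]]**"`, which grep most likely reads as `[[:space:]]*` and therefore matches any AllowUsers line, so with unset config the audit passes regardless of value and `AllowUsers *` / `DenyUsers nobody` restrict nothing — the `info` lines say "defaults to wildcard" but the header should state plainly that the control is a no-op until the operator sets the lists. The `[ -z $ALLOWED_USERS ]` tests need `${ALLOWED_USERS:-}` under `set -u` and `OPTIONS` is only assigned in `audit()`, as noted on 9.3.12.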
@@ -0,0 +1,87 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 9.3.14 Set SSH Banner (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='openssh-server' +FILE='/etc/ssh/sshd_config' + +# This function will be called if the script status is on enabled / audit mode +audit () { + OPTIONS="Banner=$BANNER_FILE" + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + PATTERN="^$SSH_PARAM[[:space:]]*" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN not present in $FILE, adding it" + does_pattern_exists_in_file $FILE "^$SSH_PARAM" + if [ $FNRET != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + else + info "Parameter $SSH_PARAM is present and activated" + fi + /etc/init.d/ssh reload + fi + done +} + +# This function will check config parameters required +check_config() { + if [ -z $BANNER_FILE ]; then + info "BANNER_FILE is not set, defaults to wildcard" + BANNER_FILE='/etc/issue.net' + fi +} + +# Source Root Dir Parameter +if [ ! 
-r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.3.1_sshd_protocol.sh b/bin/hardening/9.3.1_sshd_protocol.sh new file mode 100755 index 0000000..ad0c5f3 --- /dev/null +++ b/bin/hardening/9.3.1_sshd_protocol.sh 
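Review bot: The audit pattern `^$SSH_PARAM[[:space:]]*` only tests that some `Banner` line exists, not that it names `$BANNER_FILE`, so `Banner none` (which disables the banner) is reported as `ok`; include the value as the apply side does, `PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"`. In `apply()`, when `Banner` is present with a different value the `else` branch logs `Parameter $SSH_PARAM is present and activated`, leaves the file untouched and still runs `/etc/init.d/ssh reload`, so the log claims a fix that was not made; the `replace_in_file` call the sibling sshd scripts use belongs here, keeping in mind that `$SSH_VALUE` is a path whose `/` characters need escaping if the helper is sed-based. The message `BANNER_FILE is not set, defaults to wildcard` was copied from 9.3.13; the default applied is `/etc/issue.net`. As in 9.3.13, `[ -z $BANNER_FILE ]` aborts under `set -u` when the variable is unset, so write `[ -z "${BANNER_FILE:-}" ]`.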
@@ -0,0 +1,86 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 9.3.1 Set SSH Protocol to 2 (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='openssh-server' +OPTIONS='Protocol=2' +FILE='/etc/ssh/sshd_config' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN not present in $FILE, adding it" + does_pattern_exists_in_file $FILE "^$SSH_PARAM" + if [ $FNRET != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + else + info "Parameter $SSH_PARAM is present but with the wrong value, correcting" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + fi + /etc/init.d/ssh reload > /dev/null 2>&1 + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! 
-r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.3.2_sshd_loglevel.sh b/bin/hardening/9.3.2_sshd_loglevel.sh new file mode 100755 index 0000000..b15af1b --- /dev/null +++ b/bin/hardening/9.3.2_sshd_loglevel.sh 
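Review bot: `^Protocol[[:space:]]*2` is a prefix match and is also satisfied by `Protocol 2,1`, which still offers SSH-1, so the audit passes on exactly the configuration this control exists to remove; anchor the value, e.g. `PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE[[:space:]]*$"` (9.3.2 and 9.3.4–9.3.9 use the same unanchored prefix pattern). `[[:space:]]*` also accepts zero separators, so `^Protocol[[:space:]]\{1,\}2` (BRE) or `+` (ERE) would be stricter, depending on what `does_pattern_exists_in_file` passes to grep. `/etc/init.d/ssh reload > /dev/null 2>&1` discards the reason when the reload fails, and with `set -e` the script then dies silently in the middle of the loop; run `/usr/sbin/sshd -t` before reloading and let the reload's stderr through.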
@@ -0,0 +1,86 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 9.3.2 Set LogLevel to INFO (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='openssh-server' +OPTIONS='LogLevel=INFO' +FILE='/etc/ssh/sshd_config' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN not present in $FILE, adding it" + does_pattern_exists_in_file $FILE "^$SSH_PARAM" + if [ $FNRET != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + else + info "Parameter $SSH_PARAM is present but with the wrong value, correcting" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + fi + /etc/init.d/ssh reload > /dev/null 2>&1 + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! 
-r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.3.3_sshd_conf_perm_ownership.sh b/bin/hardening/9.3.3_sshd_conf_perm_ownership.sh new file mode 100755 index 0000000..0acef81 --- /dev/null +++ b/bin/hardening/9.3.3_sshd_conf_perm_ownership.sh 
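Review bot: `SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)` and the matching `SSH_VALUE` line spawn two processes per option and silently truncate any value containing a second `=`; the built-in expansions `SSH_PARAM=${SSH_OPTION%%=*}` and `SSH_VALUE=${SSH_OPTION#*=}` do the same without a subshell and keep the whole value. The same two lines appear in every sshd script of this diff (9.3.1, 9.3.4–9.3.9, 9.3.13, 9.3.14). As a point of style, the `ok`/`crit` messages print the regex (`^LogLevel[[:space:]]*INFO is present in …`) rather than the directive; reporting `"$SSH_PARAM $SSH_VALUE is set in $FILE"` reads better in the audit output and does not leak the implementation detail into logs.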
@@ -0,0 +1,84 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 9.3.3 Set Permissions on /etc/ssh/sshd_config (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE='/etc/ssh/sshd_config' +PERMISSIONS='600' +USER='root' +GROUP='root' + +# This function will be called if the script status is on enabled / audit mode +audit () { + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + crit "$FILE is not $USER:$GROUP ownership set" + fi + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + crit "$FILE has not $PERMISSIONS permissions set" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + info "$FILE does not exist" + touch $FILE + fi + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + warn "$FILE is not $USER:$GROUP ownership set" + chown $USER:$GROUP $FILE + fi + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + info "fixing $FILE permissions to $PERMISSIONS" + chmod 0$PERMISSIONS $FILE + fi +} + +# This function will check config parameters required +check_config() { + does_user_exist $USER + if [ $FNRET != 0 ]; then + crit "$USER does not exist" + exit 128 + fi + does_group_exist $GROUP + if [ $FNRET != 0 ]; then + crit "$GROUP does not exist" + exit 128 + fi +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . 
/etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.3.4_disable_x11_forwarding.sh b/bin/hardening/9.3.4_disable_x11_forwarding.sh new file mode 100755 index 0000000..57df8d5 --- /dev/null +++ b/bin/hardening/9.3.4_disable_x11_forwarding.sh 
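Review bot: `USER='root'` and `GROUP='root'` overwrite the login environment variable `USER` for the rest of the script, including whatever `lib/main.sh` and the sourced logging helpers do afterwards; names such as `FILE_OWNER`/`FILE_GROUP` avoid the collision (99.1 and 99.2 define the same `USER='root'` and never use it). `audit()` runs `has_file_correct_ownership` and `has_file_correct_permissions` without the `does_file_exist` guard that `apply()` has, so a missing `sshd_config` produces two misleading `crit` lines about ownership and mode instead of one about the file being absent; check existence first. The `touch $FILE` in `apply()` silently creates an empty `sshd_config`, which leaves sshd running on its built-in defaults until the other 9.3.x scripts populate it; that deserves a `warn` rather than `info`.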
@@ -0,0 +1,86 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 9.3.4 Disable SSH X11 Forwarding (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='openssh-server' +OPTIONS='X11Forwarding=no' +FILE='/etc/ssh/sshd_config' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN not present in $FILE, adding it" + does_pattern_exists_in_file $FILE "^$SSH_PARAM" + if [ $FNRET != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + else + info "Parameter $SSH_PARAM is present but with the wrong value, correcting" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + fi + /etc/init.d/ssh reload > /dev/null 2>&1 + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! 
-r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.3.5_sshd_maxauthtries.sh b/bin/hardening/9.3.5_sshd_maxauthtries.sh new file mode 100755 index 0000000..00db940 --- /dev/null +++ b/bin/hardening/9.3.5_sshd_maxauthtries.sh 
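Review bot: `/etc/init.d/ssh reload` sits inside the `for SSH_OPTION` loop, so sshd is reloaded once per changed directive and, under `set -e`, a failed reload aborts the loop with the remaining options unapplied and the config half-edited; set a flag in the `else` branch and reload once after `done`, validating the file with `/usr/sbin/sshd -t` first so a malformed edit never reaches a running daemon. With `> /dev/null 2>&1` the failure reason is also lost, and the redirect is inconsistent across otherwise identical loops (9.3.1, 9.3.2 and this script discard it; 9.3.5–9.3.9, 9.3.13, 9.3.14 do not). The loop is the same in every sshd script of this diff, so the change applies to all of them.
```shell
  RELOAD_NEEDED=0
  for SSH_OPTION in $OPTIONS; do
    # … unchanged: pattern check, add_end_of_file / replace_in_file branches …
      RELOAD_NEEDED=1
    fi
  done
  if [ $RELOAD_NEEDED = 1 ]; then
    if /usr/sbin/sshd -t; then
      /etc/init.d/ssh reload
    else
      crit "$FILE does not pass sshd -t, not reloading"
    fi
  fi
```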
@@ -0,0 +1,86 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 9.3.5 Set SSH MaxAuthTries to 4 or Less (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='openssh-server' +OPTIONS='MaxAuthTries=4' +FILE='/etc/ssh/sshd_config' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN not present in $FILE, adding it" + does_pattern_exists_in_file $FILE "^$SSH_PARAM" + if [ $FNRET != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + else + info "Parameter $SSH_PARAM is present but with the wrong value, correcting" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + fi + /etc/init.d/ssh reload + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! 
-r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.3.6_enable_sshd_ignorerhosts.sh b/bin/hardening/9.3.6_enable_sshd_ignorerhosts.sh new file mode 100755 index 0000000..e74c30c --- /dev/null +++ b/bin/hardening/9.3.6_enable_sshd_ignorerhosts.sh 
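Review bot: The control is "4 or less", but `^MaxAuthTries[[:space:]]*4` is a prefix match: `MaxAuthTries 40` passes the audit, while a stricter `MaxAuthTries 3` is reported as wrong and rewritten to 4 by `apply()`. Read the configured number and compare it, e.g. `CURRENT=$(awk '/^MaxAuthTries[[:space:]]+/ {print $2}' "$FILE")` followed by `if [ -n "$CURRENT" ] && [ "$CURRENT" -le "$SSH_VALUE" ]; then ok "..."`, and only call `replace_in_file` when the value is above the limit or missing. The generic pattern loop shared with the other sshd scripts cannot express a numeric bound, so this script needs its own check rather than the template.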
@@ -0,0 +1,86 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 9.3.6 Set SSH IgnoreRhosts to Yes (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='openssh-server' +OPTIONS='IgnoreRhosts=yes' +FILE='/etc/ssh/sshd_config' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN not present in $FILE, adding it" + does_pattern_exists_in_file $FILE "^$SSH_PARAM" + if [ $FNRET != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + else + info "Parameter $SSH_PARAM is present but with the wrong value, correcting" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + fi + /etc/init.d/ssh reload + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! 
-r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.3.7_disable_sshd_hostbasedauthentication.sh b/bin/hardening/9.3.7_disable_sshd_hostbasedauthentication.sh new file mode 100755 index 0000000..4ae0486 --- /dev/null +++ b/bin/hardening/9.3.7_disable_sshd_hostbasedauthentication.sh 
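Review bot: When `is_pkg_installed` reports `openssh-server` absent, `apply()` runs `apt_install $PACKAGE` — a hardening pass that adds a listening network service to a host that did not have one widens the attack surface rather than reducing it, and `audit()` likewise scores a host without sshd as `crit`. A host with no sshd trivially satisfies every sshd control; report `ok "$PACKAGE is not installed, nothing to do"` and `return` in both functions instead of installing. The same install-on-absent branch is in 9.3.1, 9.3.2, 9.3.4, 9.3.5, 9.3.7–9.3.9, 9.3.13 and 9.3.14 (9.5 does the same for `login`, which is a different case since that package is essential).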
@@ -0,0 +1,86 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 9.3.7 Set SSH HostbasedAuthentication to No (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='openssh-server' +OPTIONS='HostbasedAuthentication=no' +FILE='/etc/ssh/sshd_config' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN not present in $FILE, adding it" + does_pattern_exists_in_file $FILE "^$SSH_PARAM" + if [ $FNRET != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + else + info "Parameter $SSH_PARAM is present but with the wrong value, correcting" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + fi + /etc/init.d/ssh reload + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! 
-r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.3.8_disable_root_login.sh b/bin/hardening/9.3.8_disable_root_login.sh new file mode 100755 index 0000000..890e636 --- /dev/null +++ b/bin/hardening/9.3.8_disable_root_login.sh 
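Review bot: The `audit()` and `apply()` bodies here are byte-for-byte the same as in 9.3.1, 9.3.2, 9.3.4–9.3.6, 9.3.8 and 9.3.9 (and nearly so in 9.3.13/9.3.14), differing only in the `OPTIONS` constant, so every fix to the pattern, the reload or the `cut` parsing has to be repeated in ten files. The loop belongs in the shared library these scripts already reach through `lib/main.sh`, as something like `check_sshd_option "$FILE" "$SSH_PARAM" "$SSH_VALUE"` and `set_sshd_option "$FILE" "$SSH_PARAM" "$SSH_VALUE"`, leaving each script with its `OPTIONS` line and a two-line `audit`/`apply`. As written, a reader has to diff the files to find the few that deviate (the `> /dev/null 2>&1` on some reloads, 9.3.9's wrong `OPTIONS`).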
@@ -0,0 +1,86 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 9.3.8 Disable SSH Root Login (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='openssh-server' +OPTIONS='PermitRootLogin=no' +FILE='/etc/ssh/sshd_config' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN not present in $FILE, adding it" + does_pattern_exists_in_file $FILE "^$SSH_PARAM" + if [ $FNRET != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + else + info "Parameter $SSH_PARAM is present but with the wrong value, correcting" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + fi + /etc/init.d/ssh reload + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! 
-r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.3.9_disable_sshd_permitemptypasswords.sh b/bin/hardening/9.3.9_disable_sshd_permitemptypasswords.sh new file mode 100755 index 0000000..bda4337 --- /dev/null +++ b/bin/hardening/9.3.9_disable_sshd_permitemptypasswords.sh 
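Review bot: `apply()` rewrites any existing `PermitRootLogin` value to `no`, including `without-password` and `forced-commands-only`, without checking that another account can still log in and escalate; on a host where root key login is the only access path this locks the operator out at the next reload. Before the `replace_in_file` call, read the current value and verify that at least one non-root user with a login shell and `sudo`/`su` rights exists, otherwise `crit` and skip the change — or at minimum `warn "$SSH_PARAM is currently set to a key-only mode, switching to no"` so the change is visible in the log. The audit side is consistent with the value this script enforces: `^PermitRootLogin[[:space:]]*no` correctly rejects both key-only variants.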
@@ -0,0 +1,86 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 9.3.9 Set SSH PermitEmptyPasswords to No (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='openssh-server' +OPTIONS='PermitRootLogin=no' +FILE='/etc/ssh/sshd_config' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN not present in $FILE, adding it" + does_pattern_exists_in_file $FILE "^$SSH_PARAM" + if [ $FNRET != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + else + info "Parameter $SSH_PARAM is present but with the wrong value, correcting" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + fi + /etc/init.d/ssh reload + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! 
-r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.4_secure_tty.sh b/bin/hardening/9.4_secure_tty.sh new file mode 100755 index 0000000..e809230 --- /dev/null +++ b/bin/hardening/9.4_secure_tty.sh @@ -0,0 +1,45 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 9.4 Restrict root Login to System Console (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE='/etc/securetty' + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Remove terminal entries in $FILE for any consoles that are not in a physically secure location." + info "No measure here, please review the file by yourself" +} + +# This function will be called if the script status is on enabled mode +apply () { + info "Remove terminal entries in $FILE for any consoles that are not in a physically secure location." + info "No measure here, please review the file by yourself" +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh 
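Review bot: `OPTIONS='PermitRootLogin=no'` is a copy-paste leftover from 9.3.8; this script's header says 9.3.9 PermitEmptyPasswords, so it currently audits and enforces root login a second time and never touches `PermitEmptyPasswords`, which stays at whatever the file has. Change the line to `OPTIONS='PermitEmptyPasswords=no'`. Because the two scripts are otherwise identical, running 9.3.9 against an `sshd_config` containing `PermitEmptyPasswords yes` and `PermitRootLogin no` reports `ok`; that is the regression test to keep.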
diff --git a/bin/hardening/9.5_restrict_su.sh b/bin/hardening/9.5_restrict_su.sh new file mode 100755 index 0000000..e79f726 --- /dev/null +++ b/bin/hardening/9.5_restrict_su.sh @@ -0,0 +1,69 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 9.5 Restrict Access to the su Command (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='login' +PATTERN='^auth[[:space:]]*required[[:space:]]*pam_wheel.so' +FILE='/etc/pam.d/su' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + add_line_file_before_pattern $FILE "auth required pam_wheel.so" "# Uncomment this if you want wheel members to be able to" + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh 
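Review bot: `does_pattern_exists_in_file $FILE $PATTERN` passes `$PATTERN` unquoted in both `audit()` and `apply()`, unlike every other script here; the value contains `*` and bracket expressions, so it is subject to pathname expansion and, if it ever matches a file, the check silently searches for a file name instead — write `"$PATTERN"`. The inserted line `auth required pam_wheel.so` carries no `group=` argument, so `su` becomes restricted to the `wheel` group, which Debian does not create by default (pam_wheel then falls back to the root group); unless the deployment creates that group, which is not visible here, every ordinary user is locked out of `su` after apply, and the header should say which group is expected. The insertion anchor `# Uncomment this if you want wheel members to be able to` is a comment string from the distribution's shipped `/etc/pam.d/su`; if the file was edited or the wording changes, `add_line_file_before_pattern` has nothing to anchor on, and what it does then is not visible in this diff — a fallback to `add_end_of_file` would be safer. `apply()` also logs the missing line as `crit` where the sibling scripts use `warn` before fixing.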
diff --git a/bin/hardening/99.1_timeout_tty.sh b/bin/hardening/99.1_timeout_tty.sh new file mode 100755 index 0000000..9c14f24 --- /dev/null +++ b/bin/hardening/99.1_timeout_tty.sh @@ -0,0 +1,62 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening /!\ Not in the Guide +# + +# +# 99.1 Set Timeout on ttys +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +USER='root' +PATTERN='^TMOUT=' +VALUE='600' +FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d/* /etc/profile' +FILE='/etc/profile.d/CIS_99.1_timeout.sh' + +# This function will be called if the script status is on enabled / audit mode +audit () { + does_pattern_exists_in_file "$FILES_TO_SEARCH" "^$PATTERN" + if [ $FNRET != 0 ]; then + crit "$PATTERN not present in $FILES_TO_SEARCH" + else + ok "$PATTERN present in $FILES_TO_SEARCH" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_pattern_exists_in_file "$FILES_TO_SEARCH" "^$PATTERN" + if [ $FNRET != 0 ]; then + warn "$PATTERN not present in $FILES_TO_SEARCH" + touch $FILE + chmod 644 $FILE + add_end_of_file $FILE "$PATTERN$VALUE" + add_end_of_file $FILE "readonly TMOUT" + add_end_of_file $FILE "export TMOUT" + else + ok "$PATTERN present in $FILES_TO_SEARCH" + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/99.2_disable_usb_devices.sh b/bin/hardening/99.2_disable_usb_devices.sh new file mode 100755 index 0000000..9c40d04 --- /dev/null 
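Review bot: `PATTERN='^TMOUT='` already carries the `^` anchor and is then searched as `"^$PATTERN"`, i.e. `^^TMOUT=`; whether a doubled anchor matches depends on the regex flavour `does_pattern_exists_in_file` uses (in a POSIX BRE the second `^` is a literal caret and the audit never matches; in ERE it is harmless), so drop one: `PATTERN='TMOUT='`. `FILES_TO_SEARCH` is passed as a single quoted string containing the glob `/etc/profile.d/*`, so expansion is left to the helper; if it quotes its argument the glob is never expanded and only the literal path is searched. `USER='root'` is unused. The same doubled-anchor and glob-in-string construction is in 99.2.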
+++ b/bin/hardening/99.2_disable_usb_devices.sh 
@@ -0,0 +1,71 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening /!\ Not in the Guide
+#
+
+#
+# 99.2 Disable USB Devices
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+USER='root'
+PATTERN='ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"' # We do test disabled by default, whitelist is up to you
+FILES_TO_SEARCH='/etc/udev/rules.d/*'
+FILE='/etc/udev/rules.d/10-CIS_99.2_usb_devices.sh'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ does_pattern_exists_in_file "$FILES_TO_SEARCH" "^$PATTERN"
+ if [ $FNRET != 0 ]; then
+ crit "$PATTERN not present in $FILES_TO_SEARCH"
+ else
+ ok "$PATTERN present in $FILES_TO_SEARCH"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ does_pattern_exists_in_file "$FILES_TO_SEARCH" "^$PATTERN"
+ if [ $FNRET != 0 ]; then
+ warn "$PATTERN not present in $FILES_TO_SEARCH"
+ touch $FILE
+ chmod 644 $FILE
+ add_end_of_file $FILE '
+# By default, disable all.
+ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"
+
+# Enable hub devices.
+ACTION=="add", ATTR{bDeviceClass}=="09", TEST=="authorized", ATTR{authorized}="1"
+
+# Enables keyboard devices
+ACTION=="add", ATTR{product}=="*[Kk]eyboard*", TEST=="authorized", ATTR{authorized}="1"
+
+# PS2-USB converter
+ACTION=="add", ATTR{product}=="*Thinnet TM*", TEST=="authorized", ATTR{authorized}="1"
+'
+ else
+ ok "$PATTERN present in $FILES_TO_SEARCH"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/postinstall/tripwire.sh b/bin/postinstall/tripwire.sh
new file mode 100755
index 0000000..bb043e7
--- /dev/null
+++ b/bin/postinstall/tripwire.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+# If you followed this CIS hardenning, this script follows 8.3.1_install_tripwire.sh
+# After installing tripwire, you may want to run those few commented commands to make it fully functionnal
+
+echo "Generating Site key file..."
+twadmin -m G -S /etc/tripwire/site.key # Generates Site key file
+echo "Generating Local key file..."
+twadmin -m G -S /etc/tripwire/$(hostname -f)-local.key # Generate local key file
+echo "Generating encrypted policy..."
+twadmin -m P /etc/tripwire/twpol.txt # Apply new policy with generated site key file
+echo "Generating Local database with newly created key..."
+/usr/sbin/twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt # Init database with generated local key file
+echo "Testing tripwire database update"
+tripwire -m i # Test configuration update
+~
diff --git a/etc/conf.d/1.1_Install_Updates.cfg b/etc/conf.d/1.1_install_updates.cfg
similarity index 100%
rename from etc/conf.d/1.1_Install_Updates.cfg
rename to etc/conf.d/1.1_install_updates.cfg
diff --git a/etc/conf.d/10.1.1_set_password_exp_days.cfg b/etc/conf.d/10.1.1_set_password_exp_days.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/10.1.1_set_password_exp_days.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/10.1.2_set_password_min_days_change.cfg b/etc/conf.d/10.1.2_set_password_min_days_change.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
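Review bot: `FILE='/etc/udev/rules.d/10-CIS_99.2_usb_devices.sh'` is never read by udev, which only loads files in rules.d with a `.rules` extension, so `apply` reports success while USB authorization stays unchanged; rename it to `10-CIS_99.2_usb_devices.rules`. The audit would still pass afterwards because `FILES_TO_SEARCH='/etc/udev/rules.d/*'` matches any extension, which is why this script cannot notice the mismatch itself. The `ATTR{product}=="*[Kk]eyboard*"` exception keys on a string the device reports about itself, so the rule comment should state that the whitelist is a usability concession rather than a trust boundary, e.g. `# Matches the device-reported product string; not a security boundary`.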
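Review bot: The local key is generated with the site-key flag (`twadmin -m G -S /etc/tripwire/$(hostname -f)-local.key`); `twadmin -m G` takes `-L` for the local keyfile and `-S` for the site keyfile, so as written this produces a second site key and no local key. The last added line is a stray `~` (editor residue) that bash will try to run as a command, so the script always ends with an error. The echo messages and comments are also out of step with the commands: "Generating Local database" precedes `--create-cfgfile`, and `tripwire -m i` initialises the database rather than testing an update, so those should read `# Create the encrypted config file` and `# Initialise the tripwire database`.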
+++ b/etc/conf.d/10.1.2_set_password_min_days_change.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/10.1.3_set_password_exp_warning_days.cfg b/etc/conf.d/10.1.3_set_password_exp_warning_days.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/10.1.3_set_password_exp_warning_days.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/10.2_disable_system_accounts.cfg b/etc/conf.d/10.2_disable_system_accounts.cfg
new file mode 100644
index 0000000..984069e
--- /dev/null
+++ b/etc/conf.d/10.2_disable_system_accounts.cfg
@@ -0,0 +1,4 @@
+# Configuration for script of same name
+status=disabled
+# Put here your exceptions concerning admin accounts shells separated by spaces
+EXCEPTIONS=""
diff --git a/etc/conf.d/10.3_default_root_group.cfg b/etc/conf.d/10.3_default_root_group.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/10.3_default_root_group.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/10.4_default_umask.cfg b/etc/conf.d/10.4_default_umask.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/10.4_default_umask.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/10.5_lock_inactive_user_account.cfg b/etc/conf.d/10.5_lock_inactive_user_account.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/10.5_lock_inactive_user_account.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/11.1_warning_banners.cfg b/etc/conf.d/11.1_warning_banners.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/11.1_warning_banners.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/11.2_remove_os_info_warning_banners.cfg b/etc/conf.d/11.2_remove_os_info_warning_banners.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/11.2_remove_os_info_warning_banners.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/11.3_graphical_warning_banners.cfg b/etc/conf.d/11.3_graphical_warning_banners.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/11.3_graphical_warning_banners.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/12.10_find_suid_files.cfg b/etc/conf.d/12.10_find_suid_files.cfg
new file mode 100644
index 0000000..102c278
--- /dev/null
+++ b/etc/conf.d/12.10_find_suid_files.cfg
@@ -0,0 +1,5 @@
+# Configuration for script of same name
+status=disabled
+
+# Put Here your valid suid binaries so that they do not appear during the audit
+EXCEPTIONS="/bin/mount /bin/ping /bin/ping6 /bin/su /bin/umount /usr/bin/chfn /usr/bin/chsh /usr/bin/fping /usr/bin/fping6 /usr/bin/gpasswd /usr/bin/mtr /usr/bin/newgrp /usr/bin/passwd /usr/bin/sudo /usr/bin/sudoedit /usr/lib/openssh/ssh-keysign /usr/lib/pt_chown"
diff --git a/etc/conf.d/12.11_find_sgid_files.cfg b/etc/conf.d/12.11_find_sgid_files.cfg
new file mode 100644
index 0000000..066ca9e
--- /dev/null
+++ b/etc/conf.d/12.11_find_sgid_files.cfg
@@ -0,0 +1,4 @@
+# Configuration for script of same name
+status=disabled
+# Put here valid binaries with sgid enabled separated by spaces
+EXCEPTIONS="/sbin/unix_chkpwd /usr/bin/bsd-write /usr/bin/chage /usr/bin/crontab /usr/bin/expiry /usr/bin/mutt_dotlock /usr/bin/screen /usr/bin/ssh-agent /usr/bin/wall /usr/sbin/postdrop /usr/sbin/postqueue"
diff --git a/etc/conf.d/12.1_etc_passwd_permissions.cfg b/etc/conf.d/12.1_etc_passwd_permissions.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/12.1_etc_passwd_permissions.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/12.2_etc_shadow_permissions.cfg b/etc/conf.d/12.2_etc_shadow_permissions.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/12.2_etc_shadow_permissions.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/12.3_etc_group_permissions.cfg b/etc/conf.d/12.3_etc_group_permissions.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/12.3_etc_group_permissions.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/12.4_etc_passwd_ownership.cfg b/etc/conf.d/12.4_etc_passwd_ownership.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/12.4_etc_passwd_ownership.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/12.5_etc_shadow_ownership.cfg b/etc/conf.d/12.5_etc_shadow_ownership.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/12.5_etc_shadow_ownership.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/12.6_etc_group_ownership.cfg b/etc/conf.d/12.6_etc_group_ownership.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/12.6_etc_group_ownership.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/12.7_find_world_writable_file.cfg b/etc/conf.d/12.7_find_world_writable_file.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/12.7_find_world_writable_file.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/12.8_find_unowned_files.cfg b/etc/conf.d/12.8_find_unowned_files.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/12.8_find_unowned_files.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/12.9_find_ungrouped_files.cfg b/etc/conf.d/12.9_find_ungrouped_files.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/12.9_find_ungrouped_files.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/13.10_find_user_rhosts_files.cfg b/etc/conf.d/13.10_find_user_rhosts_files.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/13.10_find_user_rhosts_files.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/13.11_find_passwd_group_inconsistencies.cfg b/etc/conf.d/13.11_find_passwd_group_inconsistencies.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/13.11_find_passwd_group_inconsistencies.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/13.12_users_valid_homedir.cfg b/etc/conf.d/13.12_users_valid_homedir.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/13.12_users_valid_homedir.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/13.13_check_user_homedir_ownership.cfg b/etc/conf.d/13.13_check_user_homedir_ownership.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/13.13_check_user_homedir_ownership.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/13.14_check_duplicate_uid.cfg b/etc/conf.d/13.14_check_duplicate_uid.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/13.14_check_duplicate_uid.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/13.15_check_duplicate_gid.cfg b/etc/conf.d/13.15_check_duplicate_gid.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/13.15_check_duplicate_gid.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/13.16_check_duplicate_username.cfg b/etc/conf.d/13.16_check_duplicate_username.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/13.16_check_duplicate_username.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/13.17_check_duplicate_groupname.cfg b/etc/conf.d/13.17_check_duplicate_groupname.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/13.17_check_duplicate_groupname.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/13.18_find_user_netrc_files.cfg b/etc/conf.d/13.18_find_user_netrc_files.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/13.18_find_user_netrc_files.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/13.19_find_user_forward_files.cfg b/etc/conf.d/13.19_find_user_forward_files.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/13.19_find_user_forward_files.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/13.1_remove_empty_password_field.cfg b/etc/conf.d/13.1_remove_empty_password_field.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/13.1_remove_empty_password_field.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/13.20_shadow_group_empty.cfg b/etc/conf.d/13.20_shadow_group_empty.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/13.20_shadow_group_empty.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/13.2_remove_legacy_passwd_entries.cfg b/etc/conf.d/13.2_remove_legacy_passwd_entries.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/13.2_remove_legacy_passwd_entries.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/13.3_remove_legacy_shadow_entries.cfg b/etc/conf.d/13.3_remove_legacy_shadow_entries.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/13.3_remove_legacy_shadow_entries.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/13.4_remove_legacy_group_entries.cfg b/etc/conf.d/13.4_remove_legacy_group_entries.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/13.4_remove_legacy_group_entries.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/13.5_find_0_uid_non_root_account.cfg b/etc/conf.d/13.5_find_0_uid_non_root_account.cfg
new file mode 100644
index 0000000..9575e88
--- /dev/null
+++ b/etc/conf.d/13.5_find_0_uid_non_root_account.cfg
@@ -0,0 +1,4 @@
+# Configuration for script of same name
+status=disabled
+# Put here valid accounts with uid 0 separated by spaces
+EXCEPTIONS=""
diff --git a/etc/conf.d/13.6_sanitize_root_path.cfg b/etc/conf.d/13.6_sanitize_root_path.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/13.6_sanitize_root_path.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/13.7_check_user_dir_perm.cfg b/etc/conf.d/13.7_check_user_dir_perm.cfg
new file mode 100644
index 0000000..16b509e
--- /dev/null
+++ b/etc/conf.d/13.7_check_user_dir_perm.cfg
@@ -0,0 +1,4 @@
+# Configuration for script of same name
+status=disabled
+# Put here user home directories exceptions, separated by spaces
+EXCEPTIONS=""
diff --git a/etc/conf.d/13.8_check_user_dot_file_perm.cfg b/etc/conf.d/13.8_check_user_dot_file_perm.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/13.8_check_user_dot_file_perm.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/13.9_set_perm_on_user_netrc.cfg b/etc/conf.d/13.9_set_perm_on_user_netrc.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/13.9_set_perm_on_user_netrc.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/2.10_home_nodev.cfg b/etc/conf.d/2.10_home_nodev.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/2.10_home_nodev.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/2.11_removable_device_nodev.cfg b/etc/conf.d/2.11_removable_device_nodev.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/2.11_removable_device_nodev.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/2.12_removable_device_noexec.cfg b/etc/conf.d/2.12_removable_device_noexec.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/2.12_removable_device_noexec.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/2.13_removable_device_nosuid.cfg b/etc/conf.d/2.13_removable_device_nosuid.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/2.13_removable_device_nosuid.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/2.14_run_shm_nodev.cfg b/etc/conf.d/2.14_run_shm_nodev.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/2.14_run_shm_nodev.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/2.15_run_shm_nosuid.cfg b/etc/conf.d/2.15_run_shm_nosuid.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/2.15_run_shm_nosuid.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/2.16_run_shm_noexec.cfg b/etc/conf.d/2.16_run_shm_noexec.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/2.16_run_shm_noexec.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/2.17_sticky_bit_world_writable_folder.cfg b/etc/conf.d/2.17_sticky_bit_world_writable_folder.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/2.17_sticky_bit_world_writable_folder.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/2.18_disable_cramfs.cfg b/etc/conf.d/2.18_disable_cramfs.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/2.18_disable_cramfs.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/2.19_disable_freevxfs.cfg b/etc/conf.d/2.19_disable_freevxfs.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/2.19_disable_freevxfs.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/2.1_tmp_partition.cfg b/etc/conf.d/2.1_tmp_partition.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/2.1_tmp_partition.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/2.20_disable_jffs2.cfg b/etc/conf.d/2.20_disable_jffs2.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/2.20_disable_jffs2.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/2.21_disable_hfs.cfg b/etc/conf.d/2.21_disable_hfs.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/2.21_disable_hfs.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/2.22_disable_hfsplus.cfg b/etc/conf.d/2.22_disable_hfsplus.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/2.22_disable_hfsplus.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/2.23_disable_squashfs.cfg b/etc/conf.d/2.23_disable_squashfs.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/2.23_disable_squashfs.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/2.24_disable_udf.cfg b/etc/conf.d/2.24_disable_udf.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/2.24_disable_udf.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/2.25_disable_automounting.cfg b/etc/conf.d/2.25_disable_automounting.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/2.25_disable_automounting.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/2.2_tmp_nodev.cfg b/etc/conf.d/2.2_tmp_nodev.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/2.2_tmp_nodev.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/2.3_tmp_nosuid.cfg b/etc/conf.d/2.3_tmp_nosuid.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/2.3_tmp_nosuid.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/2.4_tmp_noexec.cfg b/etc/conf.d/2.4_tmp_noexec.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/2.4_tmp_noexec.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/2.5_var_partition.cfg b/etc/conf.d/2.5_var_partition.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/2.5_var_partition.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/2.6.1_var_tmp_partition.cfg b/etc/conf.d/2.6.1_var_tmp_partition.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/2.6.1_var_tmp_partition.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/2.6.2_var_tmp_nodev.cfg b/etc/conf.d/2.6.2_var_tmp_nodev.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/2.6.2_var_tmp_nodev.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/2.6.3_var_tmp_nosuid.cfg b/etc/conf.d/2.6.3_var_tmp_nosuid.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/2.6.3_var_tmp_nosuid.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/2.6.4_var_tmp_noexec.cfg b/etc/conf.d/2.6.4_var_tmp_noexec.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/2.6.4_var_tmp_noexec.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/2.7_var_log_partition.cfg b/etc/conf.d/2.7_var_log_partition.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/2.7_var_log_partition.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/2.8_var_log_audit_partition.cfg b/etc/conf.d/2.8_var_log_audit_partition.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/2.8_var_log_audit_partition.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/2.9_home_partition.cfg b/etc/conf.d/2.9_home_partition.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/2.9_home_partition.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/3.1_bootloader_ownership.cfg b/etc/conf.d/3.1_bootloader_ownership.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/3.1_bootloader_ownership.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/3.2_bootloader_permissions.cfg b/etc/conf.d/3.2_bootloader_permissions.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/3.2_bootloader_permissions.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/3.3_bootloader_password.cfg b/etc/conf.d/3.3_bootloader_password.cfg
new file mode 100644
index 0000000..307f40e
--- /dev/null
+++ b/etc/conf.d/3.3_bootloader_password.cfg
@@ -0,0 +1,19 @@
+# Configuration for script of same name
+status=disabled
+
+###### Grub configuration example :
+#~ # id
+#uid=0(root) gid=0(root) groups=0(root)
+#~ # ls /etc/grub.d/01_users -l
+#-rwxr-xr-x 1 root root 390 Apr 11 11:04 /etc/grub.d/01_users
+#
+# ~ # cat /etc/grub.d/01_users
+##!/bin/sh
+#
+## Grub password file
+#
+#cat << EOF
+#set superusers="osp"
+#password FOR_GRUB # this is a drity hack for chmod 400 by grub-mkconfig
+#password_pbkdf2 osp grub.pbkdf2.sha512.10000.28AC55867740A5F1820853347EEFE3CCC67D19540BE8ACCE5E354A18DDD8D4A48AACC5F9FCAE08593B05D0E131568456F02A44F1D01C7E194635CE664410F885.07A8B0B957098D4A13B6CE77A62431945A98DCF20313AFAC86346957E6F67827B252F3BF395D82E8C25036AA89AE6BA13F946523FB02F6C3A605B3B312658D6E
+#EOF
diff --git a/etc/conf.d/3.4_root_password.cfg b/etc/conf.d/3.4_root_password.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/3.4_root_password.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
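Review bot: The commented example in 3.3_bootloader_password.cfg ships a concrete `password_pbkdf2` hash for the `osp` superuser, so an administrator who copies the block into `/etc/grub.d/01_users` as-is ends up with a bootloader password whose hash is public in this repository. Replace the value with a placeholder such as `grub.pbkdf2.sha512.10000.<output of grub-mkpasswd-pbkdf2>` and say in the comment that the hash must be generated per host. The `password FOR_GRUB` line should also spell "dirty" rather than "drity".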
diff --git a/etc/conf.d/4.1_restrict_core_dumps.cfg b/etc/conf.d/4.1_restrict_core_dumps.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/4.1_restrict_core_dumps.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/4.2_enable_nx_support.cfg b/etc/conf.d/4.2_enable_nx_support.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/4.2_enable_nx_support.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/4.3_enable_randomized_vm_placement.cfg b/etc/conf.d/4.3_enable_randomized_vm_placement.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/4.3_enable_randomized_vm_placement.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/4.4_disable_prelink.cfg b/etc/conf.d/4.4_disable_prelink.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/4.4_disable_prelink.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/4.5_enable_apparmor.cfg b/etc/conf.d/4.5_enable_apparmor.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/4.5_enable_apparmor.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/5.1.1_disable_nis.cfg b/etc/conf.d/5.1.1_disable_nis.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/5.1.1_disable_nis.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/5.1.2_disable_rsh.cfg b/etc/conf.d/5.1.2_disable_rsh.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/5.1.2_disable_rsh.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/5.1.3_disable_rsh_client.cfg b/etc/conf.d/5.1.3_disable_rsh_client.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/5.1.3_disable_rsh_client.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/5.1.4_disable_talk.cfg b/etc/conf.d/5.1.4_disable_talk.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/5.1.4_disable_talk.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/5.1.5_disable_talk_client.cfg b/etc/conf.d/5.1.5_disable_talk_client.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/5.1.5_disable_talk_client.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/5.1.6_disable_telnet_server.cfg b/etc/conf.d/5.1.6_disable_telnet_server.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/5.1.6_disable_telnet_server.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/5.1.7_disable_tftp_server.cfg b/etc/conf.d/5.1.7_disable_tftp_server.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/5.1.7_disable_tftp_server.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/5.1.8_disable_inetd.cfg b/etc/conf.d/5.1.8_disable_inetd.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/5.1.8_disable_inetd.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/5.2_disable_chargen.cfg b/etc/conf.d/5.2_disable_chargen.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/5.2_disable_chargen.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/5.3_disable_daytime.cfg b/etc/conf.d/5.3_disable_daytime.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/5.3_disable_daytime.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/5.4_disable_echo.cfg b/etc/conf.d/5.4_disable_echo.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/5.4_disable_echo.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/5.5_disable_discard.cfg b/etc/conf.d/5.5_disable_discard.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/5.5_disable_discard.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/5.6_disable_time.cfg b/etc/conf.d/5.6_disable_time.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/5.6_disable_time.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/6.10_disable_http_server.cfg b/etc/conf.d/6.10_disable_http_server.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/6.10_disable_http_server.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/6.11_disable_imap_pop.cfg b/etc/conf.d/6.11_disable_imap_pop.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/6.11_disable_imap_pop.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/6.12_disable_samba.cfg b/etc/conf.d/6.12_disable_samba.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/6.12_disable_samba.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/6.13_diable_http_proxy.cfg b/etc/conf.d/6.13_diable_http_proxy.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/6.13_diable_http_proxy.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/6.14_disable_snmp_server.cfg b/etc/conf.d/6.14_disable_snmp_server.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/6.14_disable_snmp_server.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/6.15_mta_localhost.cfg b/etc/conf.d/6.15_mta_localhost.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/6.15_mta_localhost.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/6.16_disable_rsync.cfg b/etc/conf.d/6.16_disable_rsync.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/6.16_disable_rsync.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/6.1_disable_xwindow_system.cfg b/etc/conf.d/6.1_disable_xwindow_system.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/6.1_disable_xwindow_system.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/6.2_disable_avahi_server.cfg b/etc/conf.d/6.2_disable_avahi_server.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/6.2_disable_avahi_server.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/6.3_disable_print_server.cfg b/etc/conf.d/6.3_disable_print_server.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/6.3_disable_print_server.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/6.4_disable_dhcp.cfg b/etc/conf.d/6.4_disable_dhcp.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/6.4_disable_dhcp.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/6.5_configure_ntp.cfg b/etc/conf.d/6.5_configure_ntp.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/6.5_configure_ntp.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/6.6_diable_ldap.cfg b/etc/conf.d/6.6_diable_ldap.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/6.6_diable_ldap.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/6.7_disable_nfs_rpc.cfg b/etc/conf.d/6.7_disable_nfs_rpc.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/6.7_disable_nfs_rpc.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/6.8_disable_dns_server.cfg b/etc/conf.d/6.8_disable_dns_server.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/6.8_disable_dns_server.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/6.9_disable_ftp.cfg b/etc/conf.d/6.9_disable_ftp.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/6.9_disable_ftp.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/7.1.1_disable_ip_forwarding.cfg b/etc/conf.d/7.1.1_disable_ip_forwarding.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/7.1.1_disable_ip_forwarding.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/7.1.2_disable_send_packet_redirects.cfg b/etc/conf.d/7.1.2_disable_send_packet_redirects.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/7.1.2_disable_send_packet_redirects.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/7.2.1_disable_source_routed_packets.cfg b/etc/conf.d/7.2.1_disable_source_routed_packets.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/7.2.1_disable_source_routed_packets.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/7.2.2_disable_icmp_redirect.cfg b/etc/conf.d/7.2.2_disable_icmp_redirect.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/7.2.2_disable_icmp_redirect.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/7.2.3_disable_secure_icmp_redirect.cfg b/etc/conf.d/7.2.3_disable_secure_icmp_redirect.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/7.2.3_disable_secure_icmp_redirect.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/7.2.4_log_martian_packets.cfg b/etc/conf.d/7.2.4_log_martian_packets.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/7.2.4_log_martian_packets.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/7.2.5_ignore_broadcast_requests.cfg b/etc/conf.d/7.2.5_ignore_broadcast_requests.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/7.2.5_ignore_broadcast_requests.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/7.2.6_enable_bad_error_message_protection.cfg b/etc/conf.d/7.2.6_enable_bad_error_message_protection.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/7.2.6_enable_bad_error_message_protection.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/7.2.7_enable_source_route_validation.cfg b/etc/conf.d/7.2.7_enable_source_route_validation.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/7.2.7_enable_source_route_validation.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/7.2.8_enable_tcp_syn_cookies.cfg b/etc/conf.d/7.2.8_enable_tcp_syn_cookies.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/7.2.8_enable_tcp_syn_cookies.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/7.3.1_disable_ipv6_router_advertisement.cfg b/etc/conf.d/7.3.1_disable_ipv6_router_advertisement.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/7.3.1_disable_ipv6_router_advertisement.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/7.3.2_disable_ipv6_redirect.cfg b/etc/conf.d/7.3.2_disable_ipv6_redirect.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/7.3.2_disable_ipv6_redirect.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/7.3.3_disable_ipv6.cfg b/etc/conf.d/7.3.3_disable_ipv6.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/7.3.3_disable_ipv6.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/7.4.1_install_tcp_wrapper.cfg b/etc/conf.d/7.4.1_install_tcp_wrapper.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/7.4.1_install_tcp_wrapper.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/7.4.2_hosts_allow.cfg b/etc/conf.d/7.4.2_hosts_allow.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/7.4.2_hosts_allow.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/7.4.3_hosts_allow_permissions.cfg b/etc/conf.d/7.4.3_hosts_allow_permissions.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/7.4.3_hosts_allow_permissions.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/7.4.4_hosts_deny.cfg b/etc/conf.d/7.4.4_hosts_deny.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/7.4.4_hosts_deny.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/7.4.5_hosts_deny_permissions.cfg b/etc/conf.d/7.4.5_hosts_deny_permissions.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/7.4.5_hosts_deny_permissions.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/7.5.1_disable_dccp.cfg b/etc/conf.d/7.5.1_disable_dccp.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/7.5.1_disable_dccp.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/7.5.2_disable_sctp.cfg b/etc/conf.d/7.5.2_disable_sctp.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/7.5.2_disable_sctp.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/7.5.3_disable_rds.cfg b/etc/conf.d/7.5.3_disable_rds.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/7.5.3_disable_rds.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/7.6_disable_wireless.cfg b/etc/conf.d/7.6_disable_wireless.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/7.6_disable_wireless.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/7.7_enable_firewall.cfg b/etc/conf.d/7.7_enable_firewall.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/7.7_enable_firewall.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/8.0_enable_auditd_kernel.cfg b/etc/conf.d/8.0_enable_auditd_kernel.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/8.0_enable_auditd_kernel.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/8.1.1.1_audit_log_storage.cfg b/etc/conf.d/8.1.1.1_audit_log_storage.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/8.1.1.1_audit_log_storage.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/8.1.1.2_halt_when_audit_log_full.cfg b/etc/conf.d/8.1.1.2_halt_when_audit_log_full.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/8.1.1.2_halt_when_audit_log_full.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/8.1.1.3_keep_all_audit_logs.cfg b/etc/conf.d/8.1.1.3_keep_all_audit_logs.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/8.1.1.3_keep_all_audit_logs.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/8.1.10_record_dac_edit.cfg b/etc/conf.d/8.1.10_record_dac_edit.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/8.1.10_record_dac_edit.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/8.1.11_record_failed_access_file.cfg b/etc/conf.d/8.1.11_record_failed_access_file.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/8.1.11_record_failed_access_file.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/8.1.12_record_privileged_commands.cfg b/etc/conf.d/8.1.12_record_privileged_commands.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/8.1.12_record_privileged_commands.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/8.1.13_record_successful_mount.cfg b/etc/conf.d/8.1.13_record_successful_mount.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/8.1.13_record_successful_mount.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/8.1.14_record_file_deletions.cfg b/etc/conf.d/8.1.14_record_file_deletions.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/8.1.14_record_file_deletions.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/8.1.15_record_sudoers_edit.cfg b/etc/conf.d/8.1.15_record_sudoers_edit.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/8.1.15_record_sudoers_edit.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/8.1.16_record_sudo_usage.cfg b/etc/conf.d/8.1.16_record_sudo_usage.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/8.1.16_record_sudo_usage.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/8.1.17_record_kernel_modules.cfg b/etc/conf.d/8.1.17_record_kernel_modules.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/8.1.17_record_kernel_modules.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/8.1.18_freeze_auditd_conf.cfg b/etc/conf.d/8.1.18_freeze_auditd_conf.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/8.1.18_freeze_auditd_conf.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/8.1.2_enable_auditd.cfg b/etc/conf.d/8.1.2_enable_auditd.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/8.1.2_enable_auditd.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/8.1.3_audit_bootloader.cfg b/etc/conf.d/8.1.3_audit_bootloader.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/8.1.3_audit_bootloader.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/8.1.4_record_date_time_edit.cfg b/etc/conf.d/8.1.4_record_date_time_edit.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/8.1.4_record_date_time_edit.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/8.1.5_record_user_group_edit.cfg b/etc/conf.d/8.1.5_record_user_group_edit.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/8.1.5_record_user_group_edit.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/8.1.6_record_network_edit.cfg b/etc/conf.d/8.1.6_record_network_edit.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/8.1.6_record_network_edit.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/8.1.7_record_mac_edit.cfg b/etc/conf.d/8.1.7_record_mac_edit.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/8.1.7_record_mac_edit.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/8.1.8_record_login_logout.cfg b/etc/conf.d/8.1.8_record_login_logout.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/8.1.8_record_login_logout.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/8.1.9_record_session_init.cfg b/etc/conf.d/8.1.9_record_session_init.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/8.1.9_record_session_init.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/8.2.1_install_syslog-ng.cfg b/etc/conf.d/8.2.1_install_syslog-ng.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/8.2.1_install_syslog-ng.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/8.2.2_enable_syslog-ng.cfg b/etc/conf.d/8.2.2_enable_syslog-ng.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/8.2.2_enable_syslog-ng.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/8.2.3_configure_syslog-ng.cfg b/etc/conf.d/8.2.3_configure_syslog-ng.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/8.2.3_configure_syslog-ng.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/8.2.4_set_logfile_perm.cfg b/etc/conf.d/8.2.4_set_logfile_perm.cfg
new file mode 100644
index 0000000..2b93105
--- /dev/null
+++ b/etc/conf.d/8.2.4_set_logfile_perm.cfg
@@ -0,0 +1,3 @@
+# Configuration for script of same name
+status=disabled
+SYSLOG_BASEDIR='/etc/syslog-ng'
diff --git a/etc/conf.d/8.2.5_syslog-ng_remote_host.cfg b/etc/conf.d/8.2.5_syslog-ng_remote_host.cfg
new file mode 100644
index 0000000..2b93105
--- /dev/null
+++ b/etc/conf.d/8.2.5_syslog-ng_remote_host.cfg
@@ -0,0 +1,3 @@
+# Configuration for script of same name
+status=disabled
+SYSLOG_BASEDIR='/etc/syslog-ng'
diff --git a/etc/conf.d/8.2.6_remote_syslog-ng_acl.cfg b/etc/conf.d/8.2.6_remote_syslog-ng_acl.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/8.2.6_remote_syslog-ng_acl.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/8.3.1_install_tripwire.cfg b/etc/conf.d/8.3.1_install_tripwire.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/8.3.1_install_tripwire.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/8.3.2_tripwire_cron.cfg b/etc/conf.d/8.3.2_tripwire_cron.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/8.3.2_tripwire_cron.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/8.4_configure_logrotate.cfg b/etc/conf.d/8.4_configure_logrotate.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/8.4_configure_logrotate.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/9.1.1_enable_cron.cfg b/etc/conf.d/9.1.1_enable_cron.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/9.1.1_enable_cron.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/9.1.2_crontab_perm_ownership.cfg b/etc/conf.d/9.1.2_crontab_perm_ownership.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/9.1.2_crontab_perm_ownership.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/9.1.3_cron_hourly_perm_ownership.cfg b/etc/conf.d/9.1.3_cron_hourly_perm_ownership.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/9.1.3_cron_hourly_perm_ownership.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/9.1.4_cron_daily_perm_ownership.cfg b/etc/conf.d/9.1.4_cron_daily_perm_ownership.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/9.1.4_cron_daily_perm_ownership.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/9.1.5_cron_weekly_perm_ownership.cfg b/etc/conf.d/9.1.5_cron_weekly_perm_ownership.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/9.1.5_cron_weekly_perm_ownership.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/9.1.6_cron_monthly_perm_ownership.cfg b/etc/conf.d/9.1.6_cron_monthly_perm_ownership.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/9.1.6_cron_monthly_perm_ownership.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/9.1.7_cron_d_perm_ownership.cfg b/etc/conf.d/9.1.7_cron_d_perm_ownership.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/9.1.7_cron_d_perm_ownership.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/9.1.8_cron_users.cfg b/etc/conf.d/9.1.8_cron_users.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/9.1.8_cron_users.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/9.2.1_enable_cracklib.cfg b/etc/conf.d/9.2.1_enable_cracklib.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/9.2.1_enable_cracklib.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/9.2.2_enable_lockout_failed_password.cfg b/etc/conf.d/9.2.2_enable_lockout_failed_password.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/9.2.2_enable_lockout_failed_password.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/9.2.3_limit_password_reuse.cfg b/etc/conf.d/9.2.3_limit_password_reuse.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/9.2.3_limit_password_reuse.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/9.3.10_disable_sshd_setenv.cfg b/etc/conf.d/9.3.10_disable_sshd_setenv.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/9.3.10_disable_sshd_setenv.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/9.3.11_sshd_ciphers.cfg b/etc/conf.d/9.3.11_sshd_ciphers.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/9.3.11_sshd_ciphers.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/9.3.12_sshd_idle_timeout.cfg b/etc/conf.d/9.3.12_sshd_idle_timeout.cfg
new file mode 100644
index 0000000..34efc50
--- /dev/null
+++ b/etc/conf.d/9.3.12_sshd_idle_timeout.cfg
@@ -0,0 +1,5 @@
+# Configuration for script of same name
+status=disabled
+# In seconds, value of ClientAliveInterval, ClientAliveCountMax bedoing set to 0
+# Settles sshd idle timeout
+SSHD_TIMEOUT=900
diff --git a/etc/conf.d/9.3.13_sshd_limit_access.cfg b/etc/conf.d/9.3.13_sshd_limit_access.cfg
new file mode 100644
index 0000000..1fd153a
--- /dev/null
+++ b/etc/conf.d/9.3.13_sshd_limit_access.cfg
@@ -0,0 +1,9 @@
+# Configuration for script of same name
+status=disabled
+
+# Put here ssh user hardening list, there is a default in script to not break your configuration
+# However, it can erase current configuration
+ALLOWED_USERS=''
+ALLOWED_GROUPS=''
+DENIED_USERS=''
+DENIED_GROUPS=''
diff --git a/etc/conf.d/9.3.14_ssh_banner.cfg b/etc/conf.d/9.3.14_ssh_banner.cfg
new file mode 100644
index 0000000..91ec8ae
--- /dev/null
+++ b/etc/conf.d/9.3.14_ssh_banner.cfg
@@ -0,0 +1,4 @@
+# Configuration for script of same name
+status=disabled
+# Put here banner file, default to /etc/issue.net
+BANNER_FILE=""
diff --git a/etc/conf.d/9.3.1_sshd_protocol.cfg b/etc/conf.d/9.3.1_sshd_protocol.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/9.3.1_sshd_protocol.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/9.3.2_sshd_loglevel.cfg b/etc/conf.d/9.3.2_sshd_loglevel.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/9.3.2_sshd_loglevel.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/9.3.3_sshd_conf_perm_ownership.cfg b/etc/conf.d/9.3.3_sshd_conf_perm_ownership.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/9.3.3_sshd_conf_perm_ownership.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/9.3.4_disable_x11_forwarding.cfg b/etc/conf.d/9.3.4_disable_x11_forwarding.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/9.3.4_disable_x11_forwarding.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/9.3.5_sshd_maxauthtries.cfg b/etc/conf.d/9.3.5_sshd_maxauthtries.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/9.3.5_sshd_maxauthtries.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/9.3.6_enable_sshd_ignorerhosts.cfg b/etc/conf.d/9.3.6_enable_sshd_ignorerhosts.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/9.3.6_enable_sshd_ignorerhosts.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/9.3.7_disable_sshd_hostbasedauthentication.cfg b/etc/conf.d/9.3.7_disable_sshd_hostbasedauthentication.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/9.3.7_disable_sshd_hostbasedauthentication.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/9.3.8_disable_root_login.cfg b/etc/conf.d/9.3.8_disable_root_login.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/9.3.8_disable_root_login.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/9.3.9_disable_sshd_permitemptypasswords.cfg b/etc/conf.d/9.3.9_disable_sshd_permitemptypasswords.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/9.3.9_disable_sshd_permitemptypasswords.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/9.4_secure_tty.cfg b/etc/conf.d/9.4_secure_tty.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/9.4_secure_tty.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/9.5_restrict_su.cfg b/etc/conf.d/9.5_restrict_su.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/9.5_restrict_su.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/99.1_timeout_tty.cfg b/etc/conf.d/99.1_timeout_tty.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/99.1_timeout_tty.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/99.2_disable_usb_devices.cfg b/etc/conf.d/99.2_disable_usb_devices.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/99.2_disable_usb_devices.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/hardening.cfg b/etc/hardening.cfg
index 0d0c454..2697cd8 100644
--- a/etc/hardening.cfg
+++ b/etc/hardening.cfg
@@ -1,5 +1,9 @@
 # CIS Debian 7 Hardening
 # Main Configuration File, put here global variables
-# Valid values are debug info warning error
+# Valid values are debug info ok warning error
 LOGLEVEL=debug
+
+# Backup directory, every file modified by hardening will be backuped here, with versionning
+# Means that if a file is modified more than once during the process, you will have hardening step diffs in the folder
+BACKUPDIR="$CIS_ROOT_DIR/tmp/backups"
diff --git a/lib/common.sh b/lib/common.sh
index 1a64f3d..f4dc0d6 100644
--- a/lib/common.sh
+++ b/lib/common.sh
@@ -1,6 +1,26 @@
 # CIS Debian 7 Hardening common functions
+#
+# File Backup functions
+#
+backup_file() {
+ FILE=$1
+ if [ ! -f $FILE ]; then
+ crit "Cannot backup $FILE, it's not a file"
+ FNRET=1
+ else
+ TARGET=$(echo $FILE | sed -s 's/\//./g' | sed -s 's/^.//' | sed -s "s/$/.$(date +%F-%T)/" )
+ TARGET="$BACKUPDIR/$TARGET"
+ debug "Backuping $FILE to $TARGET"
+ cp -a $FILE $TARGET
+ FNRET=0
+ fi
+}
+
+
+#
 # Logging functions
+#
 case $LOGLEVEL in
 error )
@@ -9,14 +29,17 @@ case $LOGLEVEL in
 warning )
 MACHINE_LOG_LEVEL=2
 ;;
- info )
+ ok )
 MACHINE_LOG_LEVEL=3
 ;;
- debug )
+ info )
 MACHINE_LOG_LEVEL=4
 ;;
+ debug )
+ MACHINE_LOG_LEVEL=5
+ ;;
 *)
- MACHINE_LOG_LEVEL=3 ## Default loglevel value to info
+ MACHINE_LOG_LEVEL=4 ## Default loglevel value to info
 esac
 _logger() {
@@ -33,18 +56,24 @@ cecho () {
 echo -e "${COLOR}$*${NC}"
 }
-info () {
- [ $MACHINE_LOG_LEVEL -ge 3 ] && _logger $BWHITE "[INFO] $*"
+crit () {
+ [ $MACHINE_LOG_LEVEL -ge 1 ] && _logger $BRED "[ KO ] $*"
+ # This variable incrementation is used to measure failure or success in tests
+ CRITICAL_ERRORS_NUMBER=$((CRITICAL_ERRORS_NUMBER+1))
 }
 warn () {
 [ $MACHINE_LOG_LEVEL -ge 2 ] && _logger $BYELLOW "[WARN] $*"
 }
-crit () {
- [ $MACHINE_LOG_LEVEL -ge 1 ] && _logger $BRED "[ KO ] $*"
+ok () {
+ [ $MACHINE_LOG_LEVEL -ge 3 ] && _logger $BGREEN "[ OK ] $*"
+}
+
+info () {
+ [ $MACHINE_LOG_LEVEL -ge 4 ] && _logger $BWHITE "[INFO] $*"
 }
 debug () {
- [ $MACHINE_LOG_LEVEL -ge 4 ] && _logger $GRAY "[DBG ] $*"
+ [ $MACHINE_LOG_LEVEL -ge 5 ] && _logger $GRAY "[DBG ] $*"
 }
diff --git a/lib/constants.sh b/lib/constants.sh
index 682a71d..dc98747 100644
--- a/lib/constants.sh
+++ b/lib/constants.sh
@@ -1,23 +1,9 @@
 # Defines constants for CIS Debian 7 Hardening
-#
+# Script and shell commands homogeneity
+export LANG=C
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-#### Useful Colot constants settings for loglevels
+#### Useful Color constants settings for loglevels
 # Reset Color (for syslog)
 NC='\033[0m'
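Review bot: In backup_file (first hunk of lib/common.sh) the exit status of `cp -a $FILE $TARGET` is discarded and FNRET is set to 0 unconditionally, so a failed backup — for example because $BACKUPDIR does not exist yet, and nothing in this diff creates it — is reported as success and the caller then edits the file without a copy. Test the copy, e.g. `if cp -a -- "$FILE" "$TARGET"; then FNRET=0; else crit "Cannot backup $FILE to $TARGET"; FNRET=1; fi`, and create the directory beforehand with restrictive permissions such as `install -d -m 0700 -- "$BACKUPDIR"`, since the backups are copies of hardened system files that keep their original mode while the directory itself only gets the umask. `sed -s` means --separate rather than substitute and can be dropped, and `$FILE`/`$TARGET` should be quoted so paths with spaces do not break the copy. backup_file is entirely within the hunk.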
diff --git a/lib/main.sh b/lib/main.sh
index 69e554c..5c1497c 100644
--- a/lib/main.sh
+++ b/lib/main.sh
@@ -1,6 +1,7 @@
 LONG_SCRIPT_NAME=$(basename $0)
 SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh}
 # Variable initialization, to avoid crash
+CRITICAL_ERRORS_NUMBER=0 # This will be used to see if a script failed, or passed
 status=""
 [ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh
@@ -18,24 +19,56 @@ info "Working on $SCRIPT_NAME"
 if [ -z $status ]; then
 crit "Could not find status variable for $SCRIPT_NAME, considered as disabled"
- exit 0
+ exit 2
 fi
+# Arguments parsing
+while [[ $# > 0 ]]; do
+ ARG="$1"
+ case $ARG in
+ --audit)
+ if [ $status != 'disabled' -a $status != 'false' ]; then
+ debug "Audit argument detected, setting status to audit"
+ status=audit
+ else
+ info "Audit argument passed but script is disabled"
+ fi
+ ;;
+ *)
+ debug "Unknown option passed"
+ ;;
+ esac
+ shift
+done
+
 case $status in
- enabled | true )
+ enabled | true )
+ info "Checking Configuration"
+ check_config
 info "Performing audit"
 audit # Perform audit
 info "Applying Hardening"
 apply # Perform hardening
 ;;
 audit )
+ info "Checking Configuration"
+ check_config
 info "Performing audit"
 audit # Perform audit
 ;;
 disabled | false )
 info "$SCRIPT_NAME is disabled, ignoring"
+ exit 2 # Means unknown status
 ;;
 *)
 warn "Wrong value for status : $status. Must be [ enabled | true | audit | disabled | false ]"
 ;;
 esac
+
+if [ $CRITICAL_ERRORS_NUMBER = 0 ]; then
+ ok "Check Passed"
+ exit 0 # Means ok status
+else
+ crit "Check Failed"
+ exit 1 # Means critical status
+fi
diff --git a/lib/utils.sh b/lib/utils.sh
index de09676..e46a09f 100644
--- a/lib/utils.sh
+++ b/lib/utils.sh
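Review bot: In the second hunk of lib/main.sh the `*)` arm of `case $status` only warns about an invalid value and then falls through to the new CRITICAL_ERRORS_NUMBER test, which exits 0 with "Check Passed" because nothing incremented the counter; a typo such as `status=enable` in a .cfg is therefore reported to the caller as a passed check although neither audit nor apply ran. Give that arm an explicit exit, e.g. `exit 2` right after the warn (or a distinct code if the caller should count misconfiguration separately), and reword the comment on the disabled branch to `exit 2 # Means disabled/skipped status`, since "unknown status" describes the wrong case. The new `--audit` test `[ $status != 'disabled' -a $status != 'false' ]` leaves $status unquoted and relies on the deprecated `-a`; `[[ "$status" != disabled && "$status" != false ]]` is the safer form. Presumably check_config is supplied by each hardening script, but nothing here guards against it being missing, in which case the "command not found" error would not be counted as a failure either.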
@@ -1,18 +1,352 @@
 # CIS Debian 7 Hardening Utility functions
-
-
 #
-# Return if a package is installed
-# @param $1 package name
+# Sysctl
 #
-
-is_installed()
-{
- PKG_NAME=$1
- if `dpkg -s $PKG_NAME 2> /dev/null | grep -q '^Status: install '` ; then
- return 0
+
+has_sysctl_param_expected_result() {
+ local SYSCTL_PARAM=$1
+ local EXP_RESULT=$2
+
+ if [ "$(sysctl $SYSCTL_PARAM 2>/dev/null)" = "$SYSCTL_PARAM = $EXP_RESULT" ]; then
+ FNRET=0
+ elif [ $? = 255 ]; then
+ debug "$SYSCTL_PARAM does not exist"
+ FNRET=255
+ else
+ debug "$SYSCTL_PARAM has not a value of $EXP_RESULT"
+ FNRET=1
+ fi
+}
+
+does_sysctl_param_exists() {
+ local SYSCTL_PARAM=$1
+ if [ "$(sysctl -a 2>/dev/null |grep "$SYSCTL_PARAM" -c)" = 0 ]; then
+ FNRET=1
+ else
+ FNRET=0
 fi
- return 1
 }
+set_sysctl_param() {
+ local SYSCTL_PARAM=$1
+ local VALUE=$2
+ debug "Setting $SYSCTL_PARAM to $VALUE"
+ if [ "$(sysctl -w $SYSCTL_PARAM=$VALUE 2>/dev/null)" = "$SYSCTL_PARAM = $VALUE" ]; then
+ FNRET=0
+ elif [ $? = 255 ]; then
+ debug "$SYSCTL_PARAM does not exist"
+ FNRET=255
+ else
+ warn "$SYSCTL_PARAM Failed !"
+ FNRET=1
+ fi
+}
+
+#
+# Dmesg
+#
+
+does_pattern_exists_in_dmesg() {
+ local PATTERN=$1
+ if $(dmesg | grep -qE "$PATTERN"); then
+ FNRET=0
+ else
+ FNRET=1
+ fi
+}
+
+#
+# File
+#
+
+does_file_exist() {
+ local FILE=$1
+ if [ -e $FILE ]; then
+ FNRET=0
+ else
+ FNRET=1
+ fi
+}
+
+has_file_correct_ownership() {
+ local FILE=$1
+ local USER=$2
+ local GROUP=$3
+ local USERID=$(id -u $USER)
+ local GROUPID=$(getent group $GROUP | cut -d: -f3)
+ debug "stat -c '%u %g' $FILE"
+ if [ "$(stat -c "%u %g" $FILE)" = "$USERID $GROUPID" ]; then
+ FNRET=0
+ else
+ FNRET=1
+ fi
+}
+
+has_file_correct_permissions() {
+ local FILE=$1
+ local PERMISSIONS=$2
+
+ if [ $(stat -L -c "%a" $1) = "$PERMISSIONS" ]; then
+ FNRET=0
+ else
+ FNRET=1
+ fi
+}
+
+does_pattern_exists_in_file() {
+ local FILE=$1
+ local PATTERN=$2
+
+ debug "Checking if $PATTERN is present in $FILE"
+ debug "grep -qE -- '$PATTERN' $FILE"
+ if $(grep -qE -- "$PATTERN" $FILE); then
+ FNRET=0
+ else
+ FNRET=1
+ fi
+
+}
+
+add_end_of_file() {
+ local FILE=$1
+ local LINE=$2
+
+ debug "Adding $LINE at the end of $FILE"
+ backup_file "$FILE"
+ echo "$LINE" >> $FILE
+}
+
+add_line_file_before_pattern() {
+ local FILE=$1
+ local LINE=$2
+ local PATTERN=$3
+
+ backup_file "$FILE"
+ debug "Inserting $LINE before $PATTERN in $FILE"
+ PATTERN=$(sed 's@/@\\\/@g' <<< $PATTERN)
+ debug "sed -i '/$PATTERN/i $LINE' $FILE"
+ sed -i "/$PATTERN/i $LINE" $FILE
+ FNRET=0
+}
+
+replace_in_file() {
+ local FILE=$1
+ local SOURCE=$2
+ local DESTINATION=$3
+
+ backup_file "$FILE"
+ debug "Replacing $SOURCE to $DESTINATION in $FILE"
+ SOURCE=$(sed 's@/@\\\/@g' <<< $PATTERN)
+ debug "sed -i 's/$SOURCE/$DESTINATION/g' $FILE"
+ sed -i "s/$SOURCE/$DESTINATION/g" $FILE
+ FNRET=0
+}
+
+delete_line_in_file() {
+ local FILE=$1
+ local PATTERN=$2
+
+ backup_file "$FILE"
+ debug "Deleting lines from $FILE containing $PATTERN"
+ PATTERN=$(sed 's@/@\\\/@g' <<< $PATTERN)
+ debug "sed -i '/$PATTERN/d' $FILE"
+ sed -i "/$PATTERN/d" $FILE
+ FNRET=0
+}
+
+#
+# Users and groups
+#
+
+does_user_exist() {
+ local USER=$1
+ if $(getent passwd $USER >/dev/null 2>&1); then
+ FNRET=0
+ else
+ FNRET=1
+ fi
+}
+
+does_group_exist() {
+ local GROUP=$1
+ if $(getent group $GROUP >/dev/null 2>&1); then
+ FNRET=0
+ else
+ FNRET=1
+ fi
+}
+
+#
+# Service Boot Checks
+#
+
+is_service_enabled() {
+ local SERVICE=$1
+ if [ $(find /etc/rc?.d/ -name "S*$SERVICE" -print | wc -l) -gt 0 ]; then
+ debug "Service $SERVICE is enabled"
+ FNRET=0
+ else
+ debug "Service $SERVICE is disabled"
+ FNRET=1
+ fi
+}
+
+
+#
+# Kernel Options checks
+#
+
+is_kernel_option_enabled() {
+ local KERNEL_OPTION=$1
+ RESULT=$(zgrep -i $KERNEL_OPTION /proc/config.gz | grep -vE "^#") || :
+ ANSWER=$(cut -d = -f 2 <<< $RESULT)
+ if [ "x$ANSWER" = "xy" ]; then
+ debug "Kernel option $KERNEL_OPTION enabled"
+ FNRET=0
+ elif [ "x$ANSWER" = "xn" ]; then
+ debug "Kernel option $KERNEL_OPTION disabled"
+ FNRET=1
+ else
+ debug "Kernel option $KERNEL_OPTION not found"
+ FNRET=2 # Not found
+ fi
+}
+
+#
+# Mounting point
+#
+
+# Verify $1 is a partition declared in fstab
+is_a_partition() {
+
+ local PARTITION_NAME=$1
+ FNRET=128
+ if $(grep "[[:space:]]$1[[:space:]]" /etc/fstab | grep -vqE "^#"); then
+ debug "$PARTITION found in fstab"
+ FNRET=0
+ else
+ debug "Unable to find $PARTITION in fstab"
+ FNRET=1
+ fi
+}
+
+# Verify that $1 is mounted at runtime
+is_mounted() {
+ local PARTITION_NAME=$1
+ if $(grep -q "[[:space:]]$1[[:space:]]" /proc/mounts); then
+ debug "$PARTITION found in /proc/mounts, it's mounted"
+ FNRET=0
+ else
+ debug "Unable to find $PARTITION in /proc/mounts"
+ FNRET=1
+ fi
+}
+
+# Verify $1 has the proper option $2 in fstab
+has_mount_option() {
+ local PARTITION=$1
+ local OPTION=$2
+ if $(grep "[[:space:]]$1[[:space:]]" /etc/fstab | grep -vE "^#" | awk {'print $4'} | grep -q "$2"); then
+ debug "$OPTION has been detected in fstab for partition $PARTITION"
+ FNRET=0
+ else
+ debug "Unable to find $OPTION in fstab for partition $PARTITION"
+ FNRET=1
+ fi
+}
+
+# Verify $1 has the proper option $2 at runtime
+has_mounted_option() {
+ local PARTITION=$1
+ local OPTION=$2
+ if $(grep "[[:space:]]$1[[:space:]]" /proc/mounts | awk {'print $4'} | grep -q "$2"); then
+ debug "$OPTION has been detected in /proc/mounts for partition $PARTITION"
+ FNRET=0
+ else
+ debug "Unable to find $OPTION in /proc/mounts for partition $PARTITION"
+ FNRET=1
+ fi
+}
+
+# Setup mount option in fstab
+add_option_to_fstab() {
+ local PARTITION=$1
+ local OPTION=$2
+ debug "Setting $OPTION for $PARTITION in fstab"
+ backup_file "/etc/fstab"
+ # For example :
+ # /dev/sda9 /home ext4 auto,acl,errors=remount-ro 0 2
+ # /dev/sda9 /home ext4 auto,acl,errors=remount-ro,nodev 0 2
+ debug "Sed command : sed -ie \"s;\(.*\)\(\s*\)\s\($PARTITION\)\s\(\s*\)\(\w*\)\(\s*\)\(\w*\)*;\1\2 \3 \4\5\6\7,$OPTION;\" /etc/fstab"
+ sed -ie "s;\(.*\)\(\s*\)\s\($PARTITION\)\s\(\s*\)\(\w*\)\(\s*\)\(\w*\)*;\1\2 \3 \4\5\6\7,$OPTION;" /etc/fstab
+}
+
+remount_partition() {
+ local PARTITION=$1
+ debug "Remounting $PARTITION"
+ mount -o remount $PARTITION
+}
+
+#
+# APT
+#
+
+apt_update_if_needed()
+{
+ if [ -e /var/cache/apt/pkgcache.bin ]
+ then
+ UPDATE_AGE=$(( $(date +%s) - $(stat -c '%Y' /var/cache/apt/pkgcache.bin) ))
+
+ if [ $UPDATE_AGE -gt 21600 ]
+ then
+ # update too old, refresh database
+ apt-get update -y >/dev/null 2>/dev/null
+ fi
+ else
+ apt-get update -y >/dev/null 2>/dev/null
+ fi
+}
+
+apt_check_updates()
+{
+ local NAME="$1"
+ local DETAILS="/dev/shm/${NAME}"
+ apt-get upgrade -s 2>/dev/null | grep -E "^Inst" > $DETAILS || :
+ local COUNT=$(wc -l < "$DETAILS")
+ FNRET=128 # Unknown function return result
+ RESULT="" # Result output for upgrade
+ if [ $COUNT -gt 0 ]; then
+ RESULT="There is $COUNT updates available :\n$(cat $DETAILS)"
+ FNRET=1
+ else
+ RESULT="OK, no updates available"
+ FNRET=0
+ fi
+ rm $DETAILS
+}
+
+apt_install()
+{
+ local PACKAGE=$1
+ DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install $PACKAGE -y
+ FNRET=0
+}
+
+
+#
+# Returns if a package is installed
+#
+
+is_pkg_installed()
+{
+ PKG_NAME=$1
+ if $(dpkg -s $PKG_NAME 2> /dev/null | grep -q '^Status: install ') ; then
+ debug "$PKG_NAME is installed"
+ FNRET=0
+ else
+ debug "$PKG_NAME is not installed"
+ FNRET=1
+ fi
+}
diff --git a/tmp/backups/.gitignore b/tmp/backups/.gitignore
new file mode 100644
index 0000000..6b1ce3f
--- /dev/null
+++ b/tmp/backups/.gitignore
@@ -0,0 +1,2 @@
+# Ignore everything, this is a place holder for the git
+*
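Review bot: apt_check_updates writes its scratch output to the predictable path `/dev/shm/${NAME}` in a world-writable directory, and the `> $DETAILS` redirection follows whatever already sits there, so when the hardening scripts run as root a pre-existing file or link at that name is overwritten; the scratch file should come from `local DETAILS; DETAILS=$(mktemp) || { FNRET=128; return; }` and be removed with `rm -f -- "$DETAILS"`. replace_in_file escapes `$PATTERN`, a variable that function never sets, instead of `$SOURCE`, so the sed expression is built from the wrong (normally empty) value; the line should read `SOURCE=$(sed 's@/@\\\/@g' <<< "$SOURCE")`. In has_sysctl_param_expected_result and set_sysctl_param the `elif [ $? = 255 ]` tests the exit status of the preceding `[` command rather than of sysctl, so the 255 "does not exist" branch is unreachable; capturing the output first (`OUT=$(sysctl $SYSCTL_PARAM 2>/dev/null); RC=$?`) is needed to make that distinction. In add_option_to_fstab, GNU sed reads `-ie` as `-i` with backup suffix `e`, leaving a stray `/etc/fstabe` copy next to the real file; `-i -e` is what was meant.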