9.2.1_enable_cracklib.sh 9.2.2_enable_lockout_failed_password.sh 9.2.3_limit_password_reuse.sh 9.3.10_disable_sshd_setenv.sh 9.3.11_sshd_ciphers.sh 9.3.12_sshd_idle_timeout.sh 9.3.13_sshd_limit_access.sh 9.3.14_ssh_banner.sh 9.3.2_sshd_loglevel.sh 9.3.1_sshd_protocol.sh 9.3.3_sshd_conf_perm_ownership.sh 9.3.4_disable_x11_forwarding.sh 9.3.5_sshd_maxauthtries.sh 9.3.6_enable_sshd_ignorerhosts.sh 9.3.7_disable_sshd_hostbasedauthentication.sh 9.3.8_disable_root_login.sh 9.3.9_disable_sshd_permitemptypasswords.sh
This commit is contained in:
parent
0407ebe362
commit
823cd217a0
@ -6,7 +6,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# 9.1.2 Set User/Group Owner and Permission on /etc/crontab (Scored)
|
# 9.1.7 Set User/Group Owner and Permission on /etc/cron.d (Scored)
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
|
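--- a/bin/hardening/9.2.1_enable_cracklib.sh
+++ b/bin/hardening/9.2.1_enable_cracklib.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
+#
+
+#
+# 9.2.1 Set Password Creation Requirement Parameters Using pam_cracklib (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGE='libpam-cracklib'
+PATTERN='^password.*pam_cracklib.so'
+FILE='/etc/pam.d/common-password'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+is_pkg_installed $PACKAGE
+if [ $FNRET != 0 ]; then
+crit "$PACKAGE is not installed !"
+else
+ok "$PACKAGE is installed"
+does_pattern_exists_in_file $FILE $PATTERN
+if [ $FNRET = 0 ]; then
+ok "$PATTERN is present in $FILE"
+else
+crit "$PATTERN is not present in $FILE"
+fi
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+is_pkg_installed $PACKAGE
+if [ $FNRET = 0 ]; then
+ok "$PACKAGE is installed"
+else
+crit "$PACKAGE is absent, installing it"
+apt_install $PACKAGE
+fi
+does_pattern_exists_in_file $FILE $PATTERN
+if [ $FNRET = 0 ]; then
+ok "$PATTERN is present in $FILE"
+else
+crit "$PATTERN is not present in $FILE"
+add_line_file_before_pattern $FILE "password requisite pam_cracklib.so retry=3 minlen=8 difok=3" "# pam-auth-update(8) for details."
+fi
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+exit 128
+else
+. /etc/default/cis-hardenning
+if [ -z $CIS_ROOT_DIR ]; then
+echo "No CIS_ROOT_DIR variable, aborting"
+fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh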
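Review bot: The `No CIS_ROOT_DIR variable, aborting` branch of the Source Root Dir block does not abort: it echoes and falls through, so the last line then tests `/lib/main.sh` with an empty root. Add `exit 128` after that echo, as the unreadable-file branch already does, and with `set -u` in effect write the test as `[ -z "${CIS_ROOT_DIR:-}" ]` so an unset variable yields this message instead of a bare unbound-variable error. The identical trailer is copied into every file of this commit (9.2.2, 9.2.3, 9.3.1, 9.3.2, 9.3.3, 9.3.10 through 9.3.14). Separately, `does_pattern_exists_in_file $FILE $PATTERN` passes the pattern unquoted, unlike the `"$PATTERN"` form the sshd scripts use; `'^password.*pam_cracklib.so'` contains glob characters and is subject to pathname expansion in the caller's working directory, so quote it here and in 9.2.2 and 9.2.3. The audit also only proves that a pam_cracklib line exists, not that `retry`, `minlen` and `difok` carry the values apply would write, so a weaker existing line passes; the same holds for `deny`/`unlock_time` in 9.2.2 and `remember` in 9.2.3.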
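--- a/bin/hardening/9.2.2_enable_lockout_failed_password.sh
+++ b/bin/hardening/9.2.2_enable_lockout_failed_password.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
+#
+
+#
+# 9.2.2 Set Lockout for Failed Password Attempts (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGE='libpam-modules-bin'
+PATTERN='^auth[[:space:]]*required[[:space:]]*pam_tally[2]?.so'
+FILE='/etc/pam.d/login'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+is_pkg_installed $PACKAGE
+if [ $FNRET != 0 ]; then
+crit "$PACKAGE is not installed !"
+else
+ok "$PACKAGE is installed"
+does_pattern_exists_in_file $FILE $PATTERN
+if [ $FNRET = 0 ]; then
+ok "$PATTERN is present in $FILE"
+else
+crit "$PATTERN is not present in $FILE"
+fi
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+is_pkg_installed $PACKAGE
+if [ $FNRET = 0 ]; then
+ok "$PACKAGE is installed"
+else
+crit "$PACKAGE is absent, installing it"
+apt_install $PACKAGE
+fi
+does_pattern_exists_in_file $FILE $PATTERN
+if [ $FNRET = 0 ]; then
+ok "$PATTERN is present in $FILE"
+else
+crit "$PATTERN is not present in $FILE"
+add_line_file_before_pattern $FILE "auth required pam_tally.so onerr=fail deny=6 unlock_time=1800" "# Uncomment and edit \/etc\/security\/time.conf if you need to set"
+fi
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+exit 128
+else
+. /etc/default/cis-hardenning
+if [ -z $CIS_ROOT_DIR ]; then
+echo "No CIS_ROOT_DIR variable, aborting"
+fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh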
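Review bot: The `?` in `PATTERN='^auth[[:space:]]*required[[:space:]]*pam_tally[2]?.so'` is only an optional-quantifier in extended regex; if does_pattern_exists_in_file runs a basic-regex grep, `?` is a literal character and the pattern matches neither `pam_tally.so` nor `pam_tally2.so`, so audit always reports the line missing and apply appends a duplicate on every run — worth checking against the helper in lib. The check and the fix also disagree on the module: the pattern accepts pam_tally2, but apply writes `auth required pam_tally.so onerr=fail deny=6 unlock_time=1800`, and the two modules keep separate failure counters, so a host already using pam_tally2 ends up with two independent lockout policies; pick one module for both and name it in the header comment. `PACKAGE='libpam-modules-bin'` presumably stands in for the module being available; if the .so itself ships in libpam-modules on this release, that is the package the test should name — confirm against the Debian 7 package contents.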
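--- a/bin/hardening/9.2.3_limit_password_reuse.sh
+++ b/bin/hardening/9.2.3_limit_password_reuse.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
+#
+
+#
+# 9.2.3 Limit Password Reuse (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGE='libpam-modules'
+PATTERN='^password.*remember'
+FILE='/etc/pam.d/common-password'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+is_pkg_installed $PACKAGE
+if [ $FNRET != 0 ]; then
+crit "$PACKAGE is not installed !"
+else
+ok "$PACKAGE is installed"
+does_pattern_exists_in_file $FILE $PATTERN
+if [ $FNRET = 0 ]; then
+ok "$PATTERN is present in $FILE"
+else
+crit "$PATTERN is not present in $FILE"
+fi
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+is_pkg_installed $PACKAGE
+if [ $FNRET = 0 ]; then
+ok "$PACKAGE is installed"
+else
+crit "$PACKAGE is absent, installing it"
+apt_install $PACKAGE
+fi
+does_pattern_exists_in_file $FILE $PATTERN
+if [ $FNRET = 0 ]; then
+ok "$PATTERN is present in $FILE"
+else
+warn "$PATTERN is not present in $FILE"
+add_line_file_before_pattern $FILE "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" "# pam-auth-update(8) for details."
+fi
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+exit 128
+else
+. /etc/default/cis-hardenning
+if [ -z $CIS_ROOT_DIR ]; then
+echo "No CIS_ROOT_DIR variable, aborting"
+fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh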
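Review bot: apply inserts a complete new `password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5` entry in front of the `# pam-auth-update(8) for details.` comment instead of amending the pam_unix.so line the file presumably already carries, so after a fix the password stack holds two pam_unix.so entries and the change is applied twice. Unless add_line_file_before_pattern handles that case, call `replace_in_file $FILE "^password.*pam_unix.so.*" "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5"` when a pam_unix.so line exists and append only when none does, the way the sshd scripts in this commit distinguish an absent parameter from a wrong-valued one. The anchor comment itself points out that this file is managed by pam-auth-update, which may regenerate it on the next package upgrade and drop the hand-edited line; that limitation belongs in the header comment.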
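--- a/bin/hardening/9.3.10_disable_sshd_setenv.sh
+++ b/bin/hardening/9.3.10_disable_sshd_setenv.sh
@@ -0,0 +1,87 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
+#
+
+#
+# 9.3.10 Do Not Allow Users to Set Environment Options (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGE='openssh-server'
+OPTIONS='PermitUserEnvironment=no'
+FILE='/etc/ssh/sshd_config'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+is_pkg_installed $PACKAGE
+if [ $FNRET != 0 ]; then
+crit "$PACKAGE is not installed !"
+else
+ok "$PACKAGE is installed"
+for SSH_OPTION in $OPTIONS; do
+SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+does_pattern_exists_in_file $FILE "$PATTERN"
+if [ $FNRET = 0 ]; then
+ok "$PATTERN is present in $FILE"
+else
+crit "$PATTERN is not present in $FILE"
+fi
+done
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+is_pkg_installed $PACKAGE
+if [ $FNRET = 0 ]; then
+ok "$PACKAGE is installed"
+else
+crit "$PACKAGE is absent, installing it"
+apt_install $PACKAGE
+fi
+for SSH_OPTION in $OPTIONS; do
+SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+does_pattern_exists_in_file $FILE "$PATTERN"
+if [ $FNRET = 0 ]; then
+ok "$PATTERN is present in $FILE"
+else
+warn "$PATTERN not present in $FILE, adding it"
+does_pattern_exists_in_file $FILE "^$SSH_PARAM"
+if [ $FNRET != 0 ]; then
+add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+else
+info "Parameter $SSH_PARAM is present but with the wrong value, correcting"
+replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+fi
+/etc/init.d/ssh reload
+fi
+done
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+exit 128
+else
+. /etc/default/cis-hardenning
+if [ -z $CIS_ROOT_DIR ]; then
+echo "No CIS_ROOT_DIR variable, aborting"
+fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh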
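Review bot: `/etc/init.d/ssh reload` in apply runs inside the `for SSH_OPTION` loop, immediately after each edit and without a syntax check; should replace_in_file ever leave a malformed line, sshd may reject the new configuration at reload and the listener can be lost, while `set -e` stops the script at that point without saying which edit caused it. Move the reload after the loop and guard it: `sshd -t || { crit "sshd_config does not validate, not reloading"; return 1; }` followed by the reload, so a bad edit is reported instead of applied. The `SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)` / `cut -d= -f 2` pair also truncates a value at a second `=` and forks twice per option; `${SSH_OPTION%%=*}` and `${SSH_OPTION#*=}` are the equivalent builtins. Both points apply unchanged to 9.3.11, 9.3.12, 9.3.13, 9.3.14, 9.3.1 and 9.3.2.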
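--- a/bin/hardening/9.3.11_sshd_ciphers.sh
+++ b/bin/hardening/9.3.11_sshd_ciphers.sh
@@ -0,0 +1,87 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
+#
+
+#
+# 9.3.11 Use Only Approved Cipher in Counter Mode (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGE='openssh-server'
+OPTIONS='Ciphers=aes128-ctr,aes192-ctr,aes256-ctr'
+FILE='/etc/ssh/sshd_config'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+is_pkg_installed $PACKAGE
+if [ $FNRET != 0 ]; then
+crit "$PACKAGE is not installed !"
+else
+ok "$PACKAGE is installed"
+for SSH_OPTION in $OPTIONS; do
+SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+does_pattern_exists_in_file $FILE "$PATTERN"
+if [ $FNRET = 0 ]; then
+ok "$PATTERN is present in $FILE"
+else
+crit "$PATTERN is not present in $FILE"
+fi
+done
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+is_pkg_installed $PACKAGE
+if [ $FNRET = 0 ]; then
+ok "$PACKAGE is installed"
+else
+crit "$PACKAGE is absent, installing it"
+apt_install $PACKAGE
+fi
+for SSH_OPTION in $OPTIONS; do
+SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+does_pattern_exists_in_file $FILE "$PATTERN"
+if [ $FNRET = 0 ]; then
+ok "$PATTERN is present in $FILE"
+else
+warn "$PATTERN not present in $FILE, adding it"
+does_pattern_exists_in_file $FILE "^$SSH_PARAM"
+if [ $FNRET != 0 ]; then
+add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+else
+info "Parameter $SSH_PARAM is present but with the wrong value, correcting"
+replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+fi
+/etc/init.d/ssh reload
+fi
+done
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+exit 128
+else
+. /etc/default/cis-hardenning
+if [ -z $CIS_ROOT_DIR ]; then
+echo "No CIS_ROOT_DIR variable, aborting"
+fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh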
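Review bot: The audit pattern `^Ciphers[[:space:]]*aes128-ctr,aes192-ctr,aes256-ctr` has no end anchor, so a line such as `Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour` (constructed example) passes the check while the extra cipher is still offered. Anchor the value, `PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE[[:space:]]*$"`; the same unanchored prefix match is used in 9.3.10, 9.3.12, 9.3.13, 9.3.1 and 9.3.2, where a spurious suffix is less plausible but the fix is identical. sshd also matches keywords case-insensitively and takes the first occurrence of a keyword, so a `ciphers` spelling or an earlier duplicate directive is invisible to this check; that limitation is worth recording in the header comment.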
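--- a/bin/hardening/9.3.12_sshd_idle_timeout.sh
+++ b/bin/hardening/9.3.12_sshd_idle_timeout.sh
@@ -0,0 +1,90 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
+#
+
+#
+# 9.3.12 Set Idle Timeout Interval for User Login (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGE='openssh-server'
+FILE='/etc/ssh/sshd_config'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+OPTIONS="ClientAliveInterval=$SSHD_TIMEOUT ClientAliveCountMax=0"
+is_pkg_installed $PACKAGE
+if [ $FNRET != 0 ]; then
+crit "$PACKAGE is not installed !"
+else
+ok "$PACKAGE is installed"
+for SSH_OPTION in $OPTIONS; do
+SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+does_pattern_exists_in_file $FILE "$PATTERN"
+if [ $FNRET = 0 ]; then
+ok "$PATTERN is present in $FILE"
+else
+crit "$PATTERN is not present in $FILE"
+fi
+done
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+is_pkg_installed $PACKAGE
+if [ $FNRET = 0 ]; then
+ok "$PACKAGE is installed"
+else
+crit "$PACKAGE is absent, installing it"
+apt_install $PACKAGE
+fi
+for SSH_OPTION in $OPTIONS; do
+SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+does_pattern_exists_in_file $FILE "$PATTERN"
+if [ $FNRET = 0 ]; then
+ok "$PATTERN is present in $FILE"
+else
+warn "$PATTERN not present in $FILE, adding it"
+does_pattern_exists_in_file $FILE "^$SSH_PARAM"
+if [ $FNRET != 0 ]; then
+add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+else
+info "Parameter $SSH_PARAM is present but with the wrong value, correcting"
+replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+fi
+/etc/init.d/ssh reload
+fi
+done
+}
+
+# This function will check config parameters required
+check_config() {
+if [ -z $SSHD_TIMEOUT ]; then
+crit "SSHD_TIMEOUT is not set, please edit configuration file"
+exit 128
+fi
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+exit 128
+else
+. /etc/default/cis-hardenning
+if [ -z $CIS_ROOT_DIR ]; then
+echo "No CIS_ROOT_DIR variable, aborting"
+fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh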
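Review bot: `OPTIONS` is assigned inside audit() from `$SSHD_TIMEOUT`, but apply() iterates `$OPTIONS` without ever setting it, so apply only works if audit ran earlier in the same process; under `set -u` a direct call to apply aborts on an unbound variable. Build the list in both functions, or once in check_config after the value has been validated, e.g. `OPTIONS="ClientAliveInterval=$SSHD_TIMEOUT ClientAliveCountMax=0"` at the top of apply as well. check_config has the mirror-image problem: `[ -z $SSHD_TIMEOUT ]` is itself an unbound-variable error when the setting is absent from the configuration, so the `crit` message is never printed; `[ -z "${SSHD_TIMEOUT:-}" ]` gives the intended diagnostic. 9.3.13 and 9.3.14 set `OPTIONS` the same way and share both points.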
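--- a/bin/hardening/9.3.13_sshd_limit_access.sh
+++ b/bin/hardening/9.3.13_sshd_limit_access.sh
@@ -0,0 +1,104 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
+#
+
+#
+# 9.3.13 Limit Access via SSH (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGE='openssh-server'
+FILE='/etc/ssh/sshd_config'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+OPTIONS="AllowUsers='$ALLOWED_USERS' AllowGroups='$ALLOWED_GROUPS' DenyUsers='$DENIED_USERS' DenyGroups='$DENIED_GROUPS'"
+is_pkg_installed $PACKAGE
+if [ $FNRET != 0 ]; then
+crit "$PACKAGE is not installed !"
+else
+ok "$PACKAGE is installed"
+for SSH_OPTION in $OPTIONS; do
+SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+SSH_VALUE=$(sed "s/'//g" <<< $SSH_VALUE)
+PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+does_pattern_exists_in_file $FILE "$PATTERN"
+if [ $FNRET = 0 ]; then
+ok "$PATTERN is present in $FILE"
+else
+crit "$PATTERN is not present in $FILE"
+fi
+done
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+is_pkg_installed $PACKAGE
+if [ $FNRET = 0 ]; then
+ok "$PACKAGE is installed"
+else
+crit "$PACKAGE is absent, installing it"
+apt_install $PACKAGE
+fi
+for SSH_OPTION in $OPTIONS; do
+SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+SSH_VALUE=$(sed "s/'//g" <<< $SSH_VALUE)
+PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+does_pattern_exists_in_file $FILE "$PATTERN"
+if [ $FNRET = 0 ]; then
+ok "$PATTERN is present in $FILE"
+else
+warn "$PATTERN not present in $FILE, adding it"
+does_pattern_exists_in_file $FILE "^$SSH_PARAM"
+if [ $FNRET != 0 ]; then
+add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+else
+info "Parameter $SSH_PARAM is present but with the wrong value, correcting"
+replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+fi
+/etc/init.d/ssh reload
+fi
+done
+}
+
+# This function will check config parameters required
+check_config() {
+if [ -z $ALLOWED_USERS ]; then
+info "ALLOWED_USERS is not set, defaults to wildcard"
+ALLOWED_USERS="*"
+fi
+if [ -z $ALLOWED_GROUPS ]; then
+info "ALLOWED_GROUPS is not set, defaults to wildcard"
+ALLOWED_GROUPS="*"
+fi
+if [ -z $DENIED_USERS ]; then
+info "DENIED_USERS is not set, defaults to nobody"
+DENIED_USERS="nobody"
+fi
+if [ -z $DENIED_GROUPS ]; then
+info "DENIED_GROUPS is not set, defaults to nobody"
+DENIED_GROUPS="nobody"
+fi
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+exit 128
+else
+. /etc/default/cis-hardenning
+if [ -z $CIS_ROOT_DIR ]; then
+echo "No CIS_ROOT_DIR variable, aborting"
+fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh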
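Review bot: `for SSH_OPTION in $OPTIONS` word-splits on whitespace, and the single quotes wrapped around each value in the `OPTIONS=` assignment are literal characters rather than shell quoting, so a setting like `ALLOWED_USERS="alice bob"` (constructed example) splits into the words `AllowUsers='alice` and `bob'`, the second of which is then handled as a parameter of its own. Keep the options in a bash array, `OPTIONS=("AllowUsers=$ALLOWED_USERS" "AllowGroups=$ALLOWED_GROUPS" "DenyUsers=$DENIED_USERS" "DenyGroups=$DENIED_GROUPS")` iterated with `"${OPTIONS[@]}"`, and drop the `sed "s/'//g"` step that exists only to undo the literal quotes. Note also that the defaults chosen in check_config (`AllowUsers *`, `DenyUsers nobody`) restrict nothing, so on a host with no ALLOWED_*/DENIED_* configured the audit reports ok although the control is not in effect; a `warn` there would make that outcome visible. With the `*` default PATTERN also becomes `^AllowUsers[[:space:]]**`, where the second `*` is a regex operator, not the literal asterisk the line is meant to match.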
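--- a/bin/hardening/9.3.14_ssh_banner.sh
+++ b/bin/hardening/9.3.14_ssh_banner.sh
@@ -0,0 +1,88 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
+#
+
+#
+# 9.3.14 Set SSH Banner (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGE='openssh-server'
+FILE='/etc/ssh/sshd_config'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+OPTIONS="Banner=$BANNER_FILE"
+is_pkg_installed $PACKAGE
+if [ $FNRET != 0 ]; then
+crit "$PACKAGE is not installed !"
+else
+ok "$PACKAGE is installed"
+for SSH_OPTION in $OPTIONS; do
+SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+PATTERN="^$SSH_PARAM[[:space:]]*"
+does_pattern_exists_in_file $FILE "$PATTERN"
+if [ $FNRET = 0 ]; then
+ok "$PATTERN is present in $FILE"
+else
+crit "$PATTERN is not present in $FILE"
+fi
+done
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+is_pkg_installed $PACKAGE
+if [ $FNRET = 0 ]; then
+ok "$PACKAGE is installed"
+else
+crit "$PACKAGE is absent, installing it"
+apt_install $PACKAGE
+fi
+for SSH_OPTION in $OPTIONS; do
+SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+does_pattern_exists_in_file $FILE "$PATTERN"
+if [ $FNRET = 0 ]; then
+ok "$PATTERN is present in $FILE"
+else
+warn "$PATTERN not present in $FILE, adding it"
+does_pattern_exists_in_file $FILE "^$SSH_PARAM"
+if [ $FNRET != 0 ]; then
+add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+else
+info "Parameter $SSH_PARAM is present and activated"
+fi
+/etc/init.d/ssh reload
+fi
+done
+}
+
+# This function will check config parameters required
+check_config() {
+if [ -z $BANNER_FILE ]; then
+info "BANNER_FILE is not set, defaults to wildcard"
+BANNER_FILE='/etc/issue.net'
+fi
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+exit 128
+else
+. /etc/default/cis-hardenning
+if [ -z $CIS_ROOT_DIR ]; then
+echo "No CIS_ROOT_DIR variable, aborting"
+fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh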
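Review bot: audit() drops the value — its PATTERN is `^Banner[[:space:]]*`, so any Banner directive, including `Banner none`, passes the audit, while apply() checks the full `^Banner[[:space:]]*$SSH_VALUE`; the two functions disagree about what compliant means. Keep the `SSH_VALUE=` line in audit and use the same pattern as apply. In apply the wrong-value branch only prints `info "Parameter $SSH_PARAM is present and activated"` and changes nothing, unlike the sibling sshd scripts which call replace_in_file there; if that is deliberate (preserve a locally chosen banner) say so in a comment, otherwise `replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"` restores the common behaviour. The check_config message `BANNER_FILE is not set, defaults to wildcard` is wrong: the value assigned is `/etc/issue.net`. Nothing verifies that `$BANNER_FILE` exists before sshd is pointed at it.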
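--- a/bin/hardening/9.3.1_sshd_protocol.sh
+++ b/bin/hardening/9.3.1_sshd_protocol.sh
@@ -0,0 +1,87 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
+#
+
+#
+# 9.3.1 Set SSH Protocol to 2 (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGE='openssh-server'
+OPTIONS='Protocol=2'
+FILE='/etc/ssh/sshd_config'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+is_pkg_installed $PACKAGE
+if [ $FNRET != 0 ]; then
+crit "$PACKAGE is not installed !"
+else
+ok "$PACKAGE is installed"
+for SSH_OPTION in $OPTIONS; do
+SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+does_pattern_exists_in_file $FILE "$PATTERN"
+if [ $FNRET = 0 ]; then
+ok "$PATTERN is present in $FILE"
+else
+crit "$PATTERN is not present in $FILE"
+fi
+done
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+is_pkg_installed $PACKAGE
+if [ $FNRET = 0 ]; then
+ok "$PACKAGE is installed"
+else
+crit "$PACKAGE is absent, installing it"
+apt_install $PACKAGE
+fi
+for SSH_OPTION in $OPTIONS; do
+SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+does_pattern_exists_in_file $FILE "$PATTERN"
+if [ $FNRET = 0 ]; then
+ok "$PATTERN is present in $FILE"
+else
+warn "$PATTERN not present in $FILE, adding it"
+does_pattern_exists_in_file $FILE "^$SSH_PARAM"
+if [ $FNRET != 0 ]; then
+add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+else
+info "Parameter $SSH_PARAM is present but with the wrong value, correcting"
+replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+fi
+/etc/init.d/ssh reload > /dev/null 2>&1
+fi
+done
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+exit 128
+else
+. /etc/default/cis-hardenning
+if [ -z $CIS_ROOT_DIR ]; then
+echo "No CIS_ROOT_DIR variable, aborting"
+fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh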
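Review bot: `/etc/init.d/ssh reload > /dev/null 2>&1` discards the init script's output, so when the reload fails the operator sees only the `set -e` abort with no reason, and the just-edited configuration is silently not live. Keep stderr, or capture the status and report it: `/etc/init.d/ssh reload >/dev/null || crit "sshd reload failed, new Protocol setting is not active"`. 9.3.2 silences the reload the same way, while 9.3.10 through 9.3.14 leave it unsilenced, so the commit is inconsistent on this point.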
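--- a/bin/hardening/9.3.2_sshd_loglevel.sh
+++ b/bin/hardening/9.3.2_sshd_loglevel.sh
@@ -0,0 +1,87 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
+#
+
+#
+# 9.3.2 Set LogLevel to INFO (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGE='openssh-server'
+OPTIONS='LogLevel=INFO'
+FILE='/etc/ssh/sshd_config'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+is_pkg_installed $PACKAGE
+if [ $FNRET != 0 ]; then
+crit "$PACKAGE is not installed !"
+else
+ok "$PACKAGE is installed"
+for SSH_OPTION in $OPTIONS; do
+SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+does_pattern_exists_in_file $FILE "$PATTERN"
+if [ $FNRET = 0 ]; then
+ok "$PATTERN is present in $FILE"
+else
+crit "$PATTERN is not present in $FILE"
+fi
+done
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+is_pkg_installed $PACKAGE
+if [ $FNRET = 0 ]; then
+ok "$PACKAGE is installed"
+else
+crit "$PACKAGE is absent, installing it"
+apt_install $PACKAGE
+fi
+for SSH_OPTION in $OPTIONS; do
+SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+does_pattern_exists_in_file $FILE "$PATTERN"
+if [ $FNRET = 0 ]; then
+ok "$PATTERN is present in $FILE"
+else
+warn "$PATTERN not present in $FILE, adding it"
+does_pattern_exists_in_file $FILE "^$SSH_PARAM"
+if [ $FNRET != 0 ]; then
+add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+else
+info "Parameter $SSH_PARAM is present but with the wrong value, correcting"
+replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+fi
+/etc/init.d/ssh reload > /dev/null 2>&1
+fi
+done
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+exit 128
+else
+. /etc/default/cis-hardenning
+if [ -z $CIS_ROOT_DIR ]; then
+echo "No CIS_ROOT_DIR variable, aborting"
+fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh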
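--- a/bin/hardening/9.3.3_sshd_conf_perm_ownership.sh
+++ b/bin/hardening/9.3.3_sshd_conf_perm_ownership.sh
@@ -0,0 +1,85 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
+#
+
+#
+# 9.3.3 Set Permissions on /etc/ssh/sshd_config (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/ssh/sshd_config'
+PERMISSIONS='600'
+USER='root'
+GROUP='root'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+has_file_correct_ownership $FILE $USER $GROUP
+if [ $FNRET = 0 ]; then
+ok "$FILE has correct ownership"
+else
+crit "$FILE is not $USER:$GROUP ownership set"
+fi
+has_file_correct_permissions $FILE $PERMISSIONS
+if [ $FNRET = 0 ]; then
+ok "$FILE has correct permissions"
+else
+crit "$FILE has not $PERMISSIONS permissions set"
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+does_file_exist $FILE
+if [ $FNRET != 0 ]; then
+info "$FILE does not exist"
+touch $FILE
+fi
+has_file_correct_ownership $FILE $USER $GROUP
+if [ $FNRET = 0 ]; then
+ok "$FILE has correct ownership"
+else
+warn "$FILE is not $USER:$GROUP ownership set"
+chown $USER:$GROUP $FILE
+fi
+has_file_correct_permissions $FILE $PERMISSIONS
+if [ $FNRET = 0 ]; then
+ok "$FILE has correct permissions"
+else
+info "fixing $FILE permissions to $PERMISSIONS"
+chmod 0$PERMISSIONS $FILE
+fi
+}
+
+# This function will check config parameters required
+check_config() {
+does_user_exist $USER
+if [ $FNRET != 0 ]; then
+crit "$USER does not exist"
+exit 128
+fi
+does_group_exist $GROUP
+if [ $FNRET != 0 ]; then
+crit "$GROUP does not exist"
+exit 128
+fi
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+exit 128
+else
+. /etc/default/cis-hardenning
+if [ -z $CIS_ROOT_DIR ]; then
+echo "No CIS_ROOT_DIR variable, aborting"
+fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh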
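Review bot: The `if [ -z $CIS_ROOT_DIR ]` branch near the end of the file prints "No CIS_ROOT_DIR variable, aborting" but never exits, so execution falls through to the `[ -r $CIS_ROOT_DIR/lib/main.sh ] && ...` line with an empty prefix and the script would source `/lib/main.sh` if such a file happens to be readable. Add `exit 128` after the echo, as the `! -r /etc/default/cis-hardenning` branch already does, and quote the test: `if [ -z "$CIS_ROOT_DIR" ]; then`. Under `set -u` an unset CIS_ROOT_DIR already aborts with bash's own message, so the empty-string case is the one this branch actually has to handle. The same block is copied verbatim into 9.3.4 through 9.3.9 in this commit.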
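--- a/bin/hardening/9.3.4_disable_x11_forwarding.sh
+++ b/bin/hardening/9.3.4_disable_x11_forwarding.sh
@@ -0,0 +1,87 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
+#
+
+#
+# 9.3.4 Disable SSH X11 Forwarding (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGE='openssh-server'
+OPTIONS='X11Forwarding=no'
+FILE='/etc/ssh/sshd_config'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+is_pkg_installed $PACKAGE
+if [ $FNRET != 0 ]; then
+crit "$PACKAGE is not installed !"
+else
+ok "$PACKAGE is installed"
+for SSH_OPTION in $OPTIONS; do
+SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+does_pattern_exists_in_file $FILE "$PATTERN"
+if [ $FNRET = 0 ]; then
+ok "$PATTERN is present in $FILE"
+else
+crit "$PATTERN is not present in $FILE"
+fi
+done
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+is_pkg_installed $PACKAGE
+if [ $FNRET = 0 ]; then
+ok "$PACKAGE is installed"
+else
+crit "$PACKAGE is absent, installing it"
+apt_install $PACKAGE
+fi
+for SSH_OPTION in $OPTIONS; do
+SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+does_pattern_exists_in_file $FILE "$PATTERN"
+if [ $FNRET = 0 ]; then
+ok "$PATTERN is present in $FILE"
+else
+warn "$PATTERN not present in $FILE, adding it"
+does_pattern_exists_in_file $FILE "^$SSH_PARAM"
+if [ $FNRET != 0 ]; then
+add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+else
+info "Parameter $SSH_PARAM is present but with the wrong value, correcting"
+replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+fi
+/etc/init.d/ssh reload > /dev/null 2>&1
+fi
+done
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+exit 128
+else
+. /etc/default/cis-hardenning
+if [ -z $CIS_ROOT_DIR ]; then
+echo "No CIS_ROOT_DIR variable, aborting"
+fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh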
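Review bot: `add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"` in apply() appends the directive to the very end of sshd_config; if the file already ends with a `Match` block the new line becomes part of that block and applies only to the matched connections, while the audit regex `^X11Forwarding[[:space:]]*no` still reports the setting as present. The utility hunk at the bottom of this commit shows an `add_line_file_before_pattern` helper exists; inserting the directive before the first `^Match` line, and only falling back to end-of-file when there is none, would keep the setting global (its exact signature is outside this diff). Note also that `[[:space:]]*` allows zero separators, so the pattern would accept a keyword glued to its value. 9.3.5 through 9.3.9 and the sshd script above this one follow the same append pattern.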
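--- a/bin/hardening/9.3.5_sshd_maxauthtries.sh
+++ b/bin/hardening/9.3.5_sshd_maxauthtries.sh
@@ -0,0 +1,87 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
+#
+
+#
+# 9.3.5 Set SSH MaxAuthTries to 4 or Less (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGE='openssh-server'
+OPTIONS='MaxAuthTries=4'
+FILE='/etc/ssh/sshd_config'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+is_pkg_installed $PACKAGE
+if [ $FNRET != 0 ]; then
+crit "$PACKAGE is not installed !"
+else
+ok "$PACKAGE is installed"
+for SSH_OPTION in $OPTIONS; do
+SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+does_pattern_exists_in_file $FILE "$PATTERN"
+if [ $FNRET = 0 ]; then
+ok "$PATTERN is present in $FILE"
+else
+crit "$PATTERN is not present in $FILE"
+fi
+done
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+is_pkg_installed $PACKAGE
+if [ $FNRET = 0 ]; then
+ok "$PACKAGE is installed"
+else
+crit "$PACKAGE is absent, installing it"
+apt_install $PACKAGE
+fi
+for SSH_OPTION in $OPTIONS; do
+SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+does_pattern_exists_in_file $FILE "$PATTERN"
+if [ $FNRET = 0 ]; then
+ok "$PATTERN is present in $FILE"
+else
+warn "$PATTERN not present in $FILE, adding it"
+does_pattern_exists_in_file $FILE "^$SSH_PARAM"
+if [ $FNRET != 0 ]; then
+add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+else
+info "Parameter $SSH_PARAM is present but with the wrong value, correcting"
+replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+fi
+/etc/init.d/ssh reload
+fi
+done
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+exit 128
+else
+. /etc/default/cis-hardenning
+if [ -z $CIS_ROOT_DIR ]; then
+echo "No CIS_ROOT_DIR variable, aborting"
+fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh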
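Review bot: The pattern `^MaxAuthTries[[:space:]]*4` has nothing after the value, so `MaxAuthTries 40` passes audit() and apply() leaves it untouched, while the header says the control is "4 or Less" and a stricter `MaxAuthTries 3` is reported as crit and rewritten to 4. Terminating the value, e.g. `PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE[[:space:]]*$"`, closes the first gap, assuming does_pattern_exists_in_file passes the pattern to grep unchanged; honouring "or less" needs a numeric comparison of the configured value rather than a regex match. Both the audit() and apply() copies of the pattern in this file are affected.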
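--- a/bin/hardening/9.3.6_enable_sshd_ignorerhosts.sh
+++ b/bin/hardening/9.3.6_enable_sshd_ignorerhosts.sh
@@ -0,0 +1,87 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
+#
+
+#
+# 9.3.6 Set SSH IgnoreRhosts to Yes (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGE='openssh-server'
+OPTIONS='IgnoreRhosts=yes'
+FILE='/etc/ssh/sshd_config'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+is_pkg_installed $PACKAGE
+if [ $FNRET != 0 ]; then
+crit "$PACKAGE is not installed !"
+else
+ok "$PACKAGE is installed"
+for SSH_OPTION in $OPTIONS; do
+SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+does_pattern_exists_in_file $FILE "$PATTERN"
+if [ $FNRET = 0 ]; then
+ok "$PATTERN is present in $FILE"
+else
+crit "$PATTERN is not present in $FILE"
+fi
+done
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+is_pkg_installed $PACKAGE
+if [ $FNRET = 0 ]; then
+ok "$PACKAGE is installed"
+else
+crit "$PACKAGE is absent, installing it"
+apt_install $PACKAGE
+fi
+for SSH_OPTION in $OPTIONS; do
+SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+does_pattern_exists_in_file $FILE "$PATTERN"
+if [ $FNRET = 0 ]; then
+ok "$PATTERN is present in $FILE"
+else
+warn "$PATTERN not present in $FILE, adding it"
+does_pattern_exists_in_file $FILE "^$SSH_PARAM"
+if [ $FNRET != 0 ]; then
+add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+else
+info "Parameter $SSH_PARAM is present but with the wrong value, correcting"
+replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+fi
+/etc/init.d/ssh reload
+fi
+done
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+exit 128
+else
+. /etc/default/cis-hardenning
+if [ -z $CIS_ROOT_DIR ]; then
+echo "No CIS_ROOT_DIR variable, aborting"
+fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh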
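Review bot: `/etc/init.d/ssh reload` in apply() runs inside the per-option loop immediately after sshd_config was edited, and its output is left visible here while 9.3.4 sends the identical call to `/dev/null`; the sshd scripts should share one convention, and keeping stderr is the better one because a config that sshd rejects is exactly the case where the message matters. Under `set -e` a failing reload aborts the script after the file has already been rewritten, with no message from the script itself, so wrapping it as `/etc/init.d/ssh reload || crit "sshd reload failed, check $FILE"` would make that visible. Moving the reload after the `done` would also mean a multi-option script reloads once instead of per option.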
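--- a/bin/hardening/9.3.7_disable_sshd_hostbasedauthentication.sh
+++ b/bin/hardening/9.3.7_disable_sshd_hostbasedauthentication.sh
@@ -0,0 +1,87 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
+#
+
+#
+# 9.3.7 Set SSH HostbasedAuthentication to No (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGE='openssh-server'
+OPTIONS='HostbasedAuthentication=no'
+FILE='/etc/ssh/sshd_config'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+is_pkg_installed $PACKAGE
+if [ $FNRET != 0 ]; then
+crit "$PACKAGE is not installed !"
+else
+ok "$PACKAGE is installed"
+for SSH_OPTION in $OPTIONS; do
+SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+does_pattern_exists_in_file $FILE "$PATTERN"
+if [ $FNRET = 0 ]; then
+ok "$PATTERN is present in $FILE"
+else
+crit "$PATTERN is not present in $FILE"
+fi
+done
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+is_pkg_installed $PACKAGE
+if [ $FNRET = 0 ]; then
+ok "$PACKAGE is installed"
+else
+crit "$PACKAGE is absent, installing it"
+apt_install $PACKAGE
+fi
+for SSH_OPTION in $OPTIONS; do
+SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+does_pattern_exists_in_file $FILE "$PATTERN"
+if [ $FNRET = 0 ]; then
+ok "$PATTERN is present in $FILE"
+else
+warn "$PATTERN not present in $FILE, adding it"
+does_pattern_exists_in_file $FILE "^$SSH_PARAM"
+if [ $FNRET != 0 ]; then
+add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+else
+info "Parameter $SSH_PARAM is present but with the wrong value, correcting"
+replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+fi
+/etc/init.d/ssh reload
+fi
+done
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+exit 128
+else
+. /etc/default/cis-hardenning
+if [ -z $CIS_ROOT_DIR ]; then
+echo "No CIS_ROOT_DIR variable, aborting"
+fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh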
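Review bot: sshd_config keywords are case-insensitive and sshd uses the first occurrence of a keyword, but the fallback check `does_pattern_exists_in_file $FILE "^$SSH_PARAM"` in apply() is case-sensitive and anchored at column 0, so an existing `hostbasedauthentication yes`, or one with leading whitespace (which sshd accepts), is not seen; a second `HostbasedAuthentication no` is appended after it, sshd keeps the first, permissive value, and audit() then reports ok. A case-insensitive match that tolerates leading whitespace (`grep -i`, if does_pattern_exists_in_file can be told to use it, or a bracket-expression pattern) would catch that, and replace_in_file should be given the same pattern so the existing line is corrected rather than shadowed. The same fallback appears in 9.3.4 through 9.3.9.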
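--- a/bin/hardening/9.3.8_disable_root_login.sh
+++ b/bin/hardening/9.3.8_disable_root_login.sh
@@ -0,0 +1,87 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
+#
+
+#
+# 9.3.8 Disable SSH Root Login (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGE='openssh-server'
+OPTIONS='PermitRootLogin=no'
+FILE='/etc/ssh/sshd_config'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+is_pkg_installed $PACKAGE
+if [ $FNRET != 0 ]; then
+crit "$PACKAGE is not installed !"
+else
+ok "$PACKAGE is installed"
+for SSH_OPTION in $OPTIONS; do
+SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+does_pattern_exists_in_file $FILE "$PATTERN"
+if [ $FNRET = 0 ]; then
+ok "$PATTERN is present in $FILE"
+else
+crit "$PATTERN is not present in $FILE"
+fi
+done
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+is_pkg_installed $PACKAGE
+if [ $FNRET = 0 ]; then
+ok "$PACKAGE is installed"
+else
+crit "$PACKAGE is absent, installing it"
+apt_install $PACKAGE
+fi
+for SSH_OPTION in $OPTIONS; do
+SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+does_pattern_exists_in_file $FILE "$PATTERN"
+if [ $FNRET = 0 ]; then
+ok "$PATTERN is present in $FILE"
+else
+warn "$PATTERN not present in $FILE, adding it"
+does_pattern_exists_in_file $FILE "^$SSH_PARAM"
+if [ $FNRET != 0 ]; then
+add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+else
+info "Parameter $SSH_PARAM is present but with the wrong value, correcting"
+replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+fi
+/etc/init.d/ssh reload
+fi
+done
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+exit 128
+else
+. /etc/default/cis-hardenning
+if [ -z $CIS_ROOT_DIR ]; then
+echo "No CIS_ROOT_DIR variable, aborting"
+fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh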
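Review bot: apply() installs openssh-server via `apt_install $PACKAGE` when it is absent, which turns a "disable SSH root login" control into one that adds a network-facing service to hosts that did not have one; audit() for the same condition only reports. When the package is absent the control is satisfied by construction, so apply() should report and stop there, e.g. `info "$PACKAGE is not installed, nothing to do"; return`, and `crit "$PACKAGE is absent, installing it"` is the wrong severity for an action the script takes itself. Whether `return` is acceptable inside apply() depends on how lib/main.sh invokes it, which is outside this diff. 9.3.4 through 9.3.9 all carry this block.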
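--- a/bin/hardening/9.3.9_disable_sshd_permitemptypasswords.sh
+++ b/bin/hardening/9.3.9_disable_sshd_permitemptypasswords.sh
@@ -0,0 +1,87 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
+#
+
+#
+# 9.3.9 Set SSH PermitEmptyPasswords to No (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGE='openssh-server'
+OPTIONS='PermitRootLogin=no'
+FILE='/etc/ssh/sshd_config'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+is_pkg_installed $PACKAGE
+if [ $FNRET != 0 ]; then
+crit "$PACKAGE is not installed !"
+else
+ok "$PACKAGE is installed"
+for SSH_OPTION in $OPTIONS; do
+SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+does_pattern_exists_in_file $FILE "$PATTERN"
+if [ $FNRET = 0 ]; then
+ok "$PATTERN is present in $FILE"
+else
+crit "$PATTERN is not present in $FILE"
+fi
+done
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+is_pkg_installed $PACKAGE
+if [ $FNRET = 0 ]; then
+ok "$PACKAGE is installed"
+else
+crit "$PACKAGE is absent, installing it"
+apt_install $PACKAGE
+fi
+for SSH_OPTION in $OPTIONS; do
+SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+does_pattern_exists_in_file $FILE "$PATTERN"
+if [ $FNRET = 0 ]; then
+ok "$PATTERN is present in $FILE"
+else
+warn "$PATTERN not present in $FILE, adding it"
+does_pattern_exists_in_file $FILE "^$SSH_PARAM"
+if [ $FNRET != 0 ]; then
+add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+else
+info "Parameter $SSH_PARAM is present but with the wrong value, correcting"
+replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+fi
+/etc/init.d/ssh reload
+fi
+done
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+exit 128
+else
+. /etc/default/cis-hardenning
+if [ -z $CIS_ROOT_DIR ]; then
+echo "No CIS_ROOT_DIR variable, aborting"
+fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh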
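Review bot: `OPTIONS='PermitRootLogin=no'` is carried over from 9.3.8, but this file's header says "9.3.9 Set SSH PermitEmptyPasswords to No", so both audit() and apply() check and enforce the wrong directive and PermitEmptyPasswords is never examined. Change it to `OPTIONS='PermitEmptyPasswords=no'`. The accompanying etc/conf.d/9.3.9_disable_sshd_permitemptypasswords.cfg enables this script by default, so as committed it silently re-runs the root-login check under the empty-passwords name and reports ok for a control it does not implement.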
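--- a/etc/conf.d/9.2.1_enable_cracklib.cfg
+++ b/etc/conf.d/9.2.1_enable_cracklib.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled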
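--- a/etc/conf.d/9.2.2_enable_lockout_failed_password.cfg
+++ b/etc/conf.d/9.2.2_enable_lockout_failed_password.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled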
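--- a/etc/conf.d/9.2.3_limit_password_reuse.cfg
+++ b/etc/conf.d/9.2.3_limit_password_reuse.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled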
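--- a/etc/conf.d/9.3.10_disable_sshd_setenv.cfg
+++ b/etc/conf.d/9.3.10_disable_sshd_setenv.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled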
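--- a/etc/conf.d/9.3.11_sshd_ciphers.cfg
+++ b/etc/conf.d/9.3.11_sshd_ciphers.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled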
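--- a/etc/conf.d/9.3.12_sshd_idle_timeout.cfg
+++ b/etc/conf.d/9.3.12_sshd_idle_timeout.cfg
@@ -0,0 +1,5 @@
+# Configuration for script of same name
+status=enabled
+# In seconds, value of ClientAliveInterval, ClientAliveCountMax bedoing set to 0
+# Settles sshd idle timeout
+SSHD_TIMEOUT=900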
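--- a/etc/conf.d/9.3.13_sshd_limit_access.cfg
+++ b/etc/conf.d/9.3.13_sshd_limit_access.cfg
@@ -0,0 +1,9 @@
+# Configuration for script of same name
+status=enabled
+
+# Put here ssh user hardening list, there is a default in script to not break your configuration
+# However, it can erase current configuration
+ALLOWED_USERS=''
+ALLOWED_GROUPS=''
+DENIED_USERS=''
+DENIED_GROUPS=''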
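--- a/etc/conf.d/9.3.14_ssh_banner.cfg
+++ b/etc/conf.d/9.3.14_ssh_banner.cfg
@@ -0,0 +1,4 @@
+# Configuration for script of same name
+status=enabled
+# Put here banner file, default to /etc/issue.net
+BANNER_FILE=""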
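--- a/etc/conf.d/9.3.1_sshd_protocol.cfg
+++ b/etc/conf.d/9.3.1_sshd_protocol.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled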
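--- a/etc/conf.d/9.3.2_sshd_loglevel.cfg
+++ b/etc/conf.d/9.3.2_sshd_loglevel.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled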
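--- a/etc/conf.d/9.3.3_sshd_conf_perm_ownership.cfg
+++ b/etc/conf.d/9.3.3_sshd_conf_perm_ownership.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled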
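--- a/etc/conf.d/9.3.4_disable_x11_forwarding.cfg
+++ b/etc/conf.d/9.3.4_disable_x11_forwarding.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled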
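--- a/etc/conf.d/9.3.5_sshd_maxauthtries.cfg
+++ b/etc/conf.d/9.3.5_sshd_maxauthtries.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled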
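--- a/etc/conf.d/9.3.6_enable_sshd_ignorerhosts.cfg
+++ b/etc/conf.d/9.3.6_enable_sshd_ignorerhosts.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled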
@ -0,0 +1,2 @@
# Configuration for script of same name
status=enabled
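--- a/etc/conf.d/9.3.8_disable_root_login.cfg
+++ b/etc/conf.d/9.3.8_disable_root_login.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled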
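--- a/etc/conf.d/9.3.9_disable_sshd_permitemptypasswords.cfg
+++ b/etc/conf.d/9.3.9_disable_sshd_permitemptypasswords.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled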
@ -114,8 +114,8 @@ add_end_of_file() {
local LINE=$2
local LINE=$2
debug "Adding $LINE at the end of $FILE"
debug "Adding $LINE at the end of $FILE"
backup_file "$1"
backup_file "$FILE"
echo "$2" >> $FILE
echo "$LINE" >> $FILE
}
}
add_line_file_before_pattern() {
add_line_file_before_pattern() {
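Review bot: `echo "$LINE" >> $FILE` on the new side still hands the line to echo, which treats a leading `-n` or `-e` as an option and, with some echo implementations, interprets backslash escapes, and `$FILE` is unquoted; `printf '%s\n' "$LINE" >> "$FILE"` appends the line verbatim. Switching from `$1`/`$2` to the named locals is the right direction and makes the helper easier to read. The opening lines of add_end_of_file, including where FILE is assigned, are outside the hunk.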