mirror of
https://github.com/ovh/debian-cis.git
synced 2024-12-22 14:05:23 +01:00
10.5_lock_inactive_user_account.sh 11.1_warning_banners.sh 11.2_remove_os_info_warning_banners.sh 11.3_graphical_warning_banners.sh
This commit is contained in:
parent
6c72eb0a8b
commit
82a7b05a05
@ -13,7 +13,7 @@ set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
USER='root'
|
||||
PATTERN='umask 077'
|
||||
PATTERN='umask 644'
|
||||
FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d/*'
|
||||
FILE='/etc/profile.d/CIS_10.4_umask.sh'
|
||||
|
||||
|
46
bin/hardening/10.5_lock_inactive_user_account.sh
Executable file
46
bin/hardening/10.5_lock_inactive_user_account.sh
Executable file
@ -0,0 +1,46 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
|
||||
#
|
||||
|
||||
#
|
||||
# 10.4 Set Default umask for Users (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Looking at the manual of useradd, it seems that this recommendation does not fill the title"
|
||||
info "The number of days after a password expires until the account is permanently disabled."
|
||||
info "Which is not inactive users per se"
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
info "Looking at the manual of useradd, it seems that this recommendation does not fill the title"
|
||||
info "The number of days after a password expires until the account is permanently disabled."
|
||||
info "Which is not inactive users per se"
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
80
bin/hardening/11.1_warning_banners.sh
Executable file
80
bin/hardening/11.1_warning_banners.sh
Executable file
@ -0,0 +1,80 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
|
||||
#
|
||||
|
||||
#
|
||||
# 11.1 Set Warning Banner for Standard Login Services (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
PERMISSIONS='644'
|
||||
USER='root'
|
||||
GROUP='root'
|
||||
FILES='/etc/motd /etc/issue /etc/issue.net'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
for FILE in $FILES; do
|
||||
has_file_correct_ownership $FILE $USER $GROUP
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
crit "$FILE is not $USER:$GROUP ownership set"
|
||||
fi
|
||||
has_file_correct_permissions $FILE $PERMISSIONS
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
crit "$FILE has not $PERMISSIONS permissions set"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
for FILE in $FILES; do
|
||||
does_file_exist $FILE
|
||||
if [ $FNRET != 0 ]; then
|
||||
info "$FILE does not exist"
|
||||
touch $FILE
|
||||
fi
|
||||
has_file_correct_ownership $FILE $USER $GROUP
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
warn "$FILE is not $USER:$GROUP ownership set"
|
||||
chown $USER:$GROUP $FILE
|
||||
fi
|
||||
has_file_correct_permissions $FILE $PERMISSIONS
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
info "fixing $FILE permissions to $PERMISSIONS"
|
||||
chmod 0$PERMISSIONS $FILE
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
60
bin/hardening/11.2_remove_os_info_warning_banners.sh
Executable file
60
bin/hardening/11.2_remove_os_info_warning_banners.sh
Executable file
@ -0,0 +1,60 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
|
||||
#
|
||||
|
||||
#
|
||||
# 11.2 Remove OS Information from Login Warning Banners (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
FILES='/etc/motd /etc/issue /etc/issue.net'
|
||||
PATTERN='(\\v|\\r|\\m|\\s)'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
for FILE in $FILES; do
|
||||
does_pattern_exists_in_file $FILE "$PATTERN"
|
||||
if [ $FNRET = 0 ]; then
|
||||
crit "$PATTERN is present in $FILE"
|
||||
else
|
||||
ok "$PATTERN is not present in $FILE"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
for FILE in $FILES; do
|
||||
does_pattern_exists_in_file $FILE "$PATTERN"
|
||||
if [ $FNRET = 0 ]; then
|
||||
warn "$PATTERN is present in $FILE"
|
||||
delete_line_in_file $FILE $PATTERN
|
||||
else
|
||||
ok "$PATTERN is not present in $FILE"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
42
bin/hardening/11.3_graphical_warning_banners.sh
Executable file
42
bin/hardening/11.3_graphical_warning_banners.sh
Executable file
@ -0,0 +1,42 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
|
||||
#
|
||||
|
||||
#
|
||||
# 11.3 Set Graphical Warning Banner (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Not implemented yet"
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
info "Not implemented yet"
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
@ -6,7 +6,7 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 9.2.1 Set Password Creation Requirement Parameters Using pam_cracklib (Scored)
|
||||
# 9.5 Restrict Access to the su Command (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
|
2
etc/conf.d/10.5_lock_inactive_user_account.cfg
Normal file
2
etc/conf.d/10.5_lock_inactive_user_account.cfg
Normal file
@ -0,0 +1,2 @@
|
||||
# Configuration for script of same name
|
||||
status=enabled
|
2
etc/conf.d/11.1_warning_banners.cfg
Normal file
2
etc/conf.d/11.1_warning_banners.cfg
Normal file
@ -0,0 +1,2 @@
|
||||
# Configuration for script of same name
|
||||
status=enabled
|
2
etc/conf.d/11.2_remove_os_info_warning_banners.cfg
Normal file
2
etc/conf.d/11.2_remove_os_info_warning_banners.cfg
Normal file
@ -0,0 +1,2 @@
|
||||
# Configuration for script of same name
|
||||
status=enabled
|
2
etc/conf.d/11.3_graphical_warning_banners.cfg
Normal file
2
etc/conf.d/11.3_graphical_warning_banners.cfg
Normal file
@ -0,0 +1,2 @@
|
||||
# Configuration for script of same name
|
||||
status=enabled
|
18
lib/utils.sh
18
lib/utils.sh
@ -123,8 +123,9 @@ add_line_file_before_pattern() {
|
||||
local LINE=$2
|
||||
local PATTERN=$3
|
||||
|
||||
backup_file "$1"
|
||||
backup_file "$FILE"
|
||||
debug "Inserting $LINE before $PATTERN in $FILE"
|
||||
PATTERN=$(sed 's@/@\/@g' <<< $PATTERN)
|
||||
debug "sed -i '/$PATTERN/i $LINE' $FILE"
|
||||
sed -i "/$PATTERN/i $LINE" $FILE
|
||||
FNRET=0
|
||||
@ -135,13 +136,26 @@ replace_in_file() {
|
||||
local SOURCE=$2
|
||||
local DESTINATION=$3
|
||||
|
||||
backup_file "$1"
|
||||
backup_file "$FILE"
|
||||
debug "Replacing $SOURCE to $DESTINATION in $FILE"
|
||||
SOURCE=$(sed 's@/@\/@g' <<< $SOURCE)
|
||||
debug "sed -i 's/$SOURCE/$DESTINATION/g' $FILE"
|
||||
sed -i "s/$SOURCE/$DESTINATION/g" $FILE
|
||||
FNRET=0
|
||||
}
|
||||
|
||||
delete_line_in_file() {
|
||||
local FILE=$1
|
||||
local PATTERN=$2
|
||||
|
||||
backup_file "$FILE"
|
||||
debug "Deleting lines from $FILE containing $PATTERN"
|
||||
PATTERN=$(sed 's@/@\/@g' <<< $PATTERN)
|
||||
debug "sed -i '/$PATTERN/d' $FILE"
|
||||
sed -i "/$PATTERN/d" $FILE
|
||||
FNRET=0
|
||||
}
|
||||
|
||||
#
|
||||
# Users and groups
|
||||
#
|
||||
|
Loading…
Reference in New Issue
Block a user