10.5_lock_inactive_user_account.sh 11.1_warning_banners.sh 11.2_remove_os_info_warning_banners.sh 11.3_graphical_warning_banners.sh

2024-11-21 21:17:00 +01:00 · 2016-04-15 23:38:48 +02:00 · 2016-04-15 23:38:48 +02:00 · 82a7b05a05
commit 82a7b05a05
parent 6c72eb0a8b
11 changed files with 254 additions and 4 deletions
--- a/bin/hardening/10.4_default_umask.sh
+++ b/bin/hardening/10.4_default_umask.sh
@ -13,7 +13,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over

 USER='root'
-PATTERN='umask 077'
+PATTERN='umask 644'
 FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d/*'
 FILE='/etc/profile.d/CIS_10.4_umask.sh'

--- a/bin/hardening/10.5_lock_inactive_user_account.sh
+++ b/bin/hardening/10.5_lock_inactive_user_account.sh
@ -0,0 +1,46 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
+#
+
+#
+# 10.4 Set Default umask for Users (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    info "Looking at the manual of useradd, it seems that this recommendation does not fill the title"
+    info "The number of days after a password expires until the account is permanently disabled."
+    info "Which is not inactive users per se"
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    info "Looking at the manual of useradd, it seems that this recommendation does not fill the title"
+    info "The number of days after a password expires until the account is permanently disabled."
+    info "Which is not inactive users per se"
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+    echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+    exit 128
+else
+    . /etc/default/cis-hardenning
+    if [ -z $CIS_ROOT_DIR ]; then
+        echo "No CIS_ROOT_DIR variable, aborting"
+    fi
+fi 
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
--- a/bin/hardening/11.1_warning_banners.sh
+++ b/bin/hardening/11.1_warning_banners.sh
@ -0,0 +1,80 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
+#
+
+#
+# 11.1 Set Warning Banner for Standard Login Services (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PERMISSIONS='644'
+USER='root'
+GROUP='root'
+FILES='/etc/motd /etc/issue /etc/issue.net'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    for FILE in $FILES; do
+        has_file_correct_ownership $FILE $USER $GROUP
+        if [ $FNRET = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            crit "$FILE is not $USER:$GROUP ownership set"
+        fi
+        has_file_correct_permissions $FILE $PERMISSIONS
+        if [ $FNRET = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            crit "$FILE has not $PERMISSIONS permissions set"
+        fi
+    done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    for FILE in $FILES; do
+        does_file_exist $FILE
+        if [ $FNRET != 0 ]; then
+            info "$FILE does not exist"
+            touch $FILE
+        fi
+        has_file_correct_ownership $FILE $USER $GROUP
+        if [ $FNRET = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            warn "$FILE is not $USER:$GROUP ownership set"
+            chown $USER:$GROUP $FILE
+        fi
+        has_file_correct_permissions $FILE $PERMISSIONS
+        if [ $FNRET = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            info "fixing $FILE permissions to $PERMISSIONS"
+            chmod 0$PERMISSIONS $FILE
+        fi
+    done
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+    echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+    exit 128
+else
+    . /etc/default/cis-hardenning
+    if [ -z $CIS_ROOT_DIR ]; then
+        echo "No CIS_ROOT_DIR variable, aborting"
+    fi
+fi 
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
--- a/bin/hardening/11.2_remove_os_info_warning_banners.sh
+++ b/bin/hardening/11.2_remove_os_info_warning_banners.sh
@ -0,0 +1,60 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
+#
+
+#
+# 11.2 Remove OS Information from Login Warning Banners (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILES='/etc/motd /etc/issue /etc/issue.net'
+PATTERN='(\\v|\\r|\\m|\\s)'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    for FILE in $FILES; do
+        does_pattern_exists_in_file $FILE "$PATTERN"
+        if [ $FNRET = 0 ]; then
+            crit "$PATTERN is present in $FILE"
+        else
+            ok "$PATTERN is not present in $FILE"
+        fi
+    done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    for FILE in $FILES; do
+        does_pattern_exists_in_file $FILE "$PATTERN"
+        if [ $FNRET = 0 ]; then
+            warn "$PATTERN is present in $FILE"
+            delete_line_in_file $FILE $PATTERN
+        else
+            ok "$PATTERN is not present in $FILE"
+        fi
+    done
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+    echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+    exit 128
+else
+    . /etc/default/cis-hardenning
+    if [ -z $CIS_ROOT_DIR ]; then
+        echo "No CIS_ROOT_DIR variable, aborting"
+    fi
+fi 
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
--- a/bin/hardening/11.3_graphical_warning_banners.sh
+++ b/bin/hardening/11.3_graphical_warning_banners.sh
@ -0,0 +1,42 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
+#
+
+#
+# 11.3 Set Graphical Warning Banner (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    info "Not implemented yet"
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    info "Not implemented yet"
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+    echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+    exit 128
+else
+    . /etc/default/cis-hardenning
+    if [ -z $CIS_ROOT_DIR ]; then
+        echo "No CIS_ROOT_DIR variable, aborting"
+    fi
+fi 
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
--- a/bin/hardening/9.5_restrict_su.sh
+++ b/bin/hardening/9.5_restrict_su.sh
@ -6,7 +6,7 @@
 #

 #
-# 9.2.1 Set Password Creation Requirement Parameters Using pam_cracklib (Scored)
+# 9.5 Restrict Access to the su Command (Scored)
 #

 set -e # One error, it's over
--- a/etc/conf.d/10.5_lock_inactive_user_account.cfg
+++ b/etc/conf.d/10.5_lock_inactive_user_account.cfg
@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
--- a/etc/conf.d/11.1_warning_banners.cfg
+++ b/etc/conf.d/11.1_warning_banners.cfg
@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
--- a/etc/conf.d/11.2_remove_os_info_warning_banners.cfg
+++ b/etc/conf.d/11.2_remove_os_info_warning_banners.cfg
@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
--- a/etc/conf.d/11.3_graphical_warning_banners.cfg
+++ b/etc/conf.d/11.3_graphical_warning_banners.cfg
@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
--- a/lib/utils.sh
+++ b/lib/utils.sh
@ -123,8 +123,9 @@ add_line_file_before_pattern() {
    local LINE=$2
    local PATTERN=$3

-    backup_file "$1"
+    backup_file "$FILE"
    debug "Inserting $LINE before $PATTERN in $FILE"
+    PATTERN=$(sed 's@/@\/@g' <<< $PATTERN)
    debug "sed -i '/$PATTERN/i $LINE' $FILE"
    sed -i "/$PATTERN/i $LINE" $FILE
    FNRET=0
@ -135,13 +136,26 @@ replace_in_file() {
    local SOURCE=$2
    local DESTINATION=$3

-    backup_file "$1"
+    backup_file "$FILE"
    debug "Replacing $SOURCE to $DESTINATION in $FILE"
+    SOURCE=$(sed 's@/@\/@g' <<< $SOURCE)
    debug "sed -i 's/$SOURCE/$DESTINATION/g' $FILE"
    sed -i "s/$SOURCE/$DESTINATION/g" $FILE
    FNRET=0
 }

+delete_line_in_file() {
+    local FILE=$1
+    local PATTERN=$2
+
+    backup_file "$FILE"
+    debug "Deleting lines from $FILE containing $PATTERN"
+    PATTERN=$(sed 's@/@\/@g' <<< $PATTERN)
+    debug "sed -i '/$PATTERN/d' $FILE"
+    sed -i "/$PATTERN/d" $FILE
+    FNRET=0
+}
+
 #
 # Users and groups
 #