From 82a7b05a0585c4ba033768c8b6f5133079d49e60 Mon Sep 17 00:00:00 2001
From: "thibault.dewailly" <thibault.dewailly@ovh.net>
Date: Fri, 15 Apr 2016 23:38:48 +0200
Subject: [PATCH] 10.5_lock_inactive_user_account.sh 11.1_warning_banners.sh
 11.2_remove_os_info_warning_banners.sh 11.3_graphical_warning_banners.sh

---
 bin/hardening/10.4_default_umask.sh           |  2 +-
 .../10.5_lock_inactive_user_account.sh        | 46 +++++++++++
 bin/hardening/11.1_warning_banners.sh         | 80 +++++++++++++++++++
 .../11.2_remove_os_info_warning_banners.sh    | 60 ++++++++++++++
 .../11.3_graphical_warning_banners.sh         | 42 ++++++++++
 bin/hardening/9.5_restrict_su.sh              |  2 +-
 .../10.5_lock_inactive_user_account.cfg       |  2 +
 etc/conf.d/11.1_warning_banners.cfg           |  2 +
 .../11.2_remove_os_info_warning_banners.cfg   |  2 +
 etc/conf.d/11.3_graphical_warning_banners.cfg |  2 +
 lib/utils.sh                                  | 18 ++++-
 11 files changed, 254 insertions(+), 4 deletions(-)
 create mode 100755 bin/hardening/10.5_lock_inactive_user_account.sh
 create mode 100755 bin/hardening/11.1_warning_banners.sh
 create mode 100755 bin/hardening/11.2_remove_os_info_warning_banners.sh
 create mode 100755 bin/hardening/11.3_graphical_warning_banners.sh
 create mode 100644 etc/conf.d/10.5_lock_inactive_user_account.cfg
 create mode 100644 etc/conf.d/11.1_warning_banners.cfg
 create mode 100644 etc/conf.d/11.2_remove_os_info_warning_banners.cfg
 create mode 100644 etc/conf.d/11.3_graphical_warning_banners.cfg

diff --git a/bin/hardening/10.4_default_umask.sh b/bin/hardening/10.4_default_umask.sh
index 577a62e..5e09853 100755
--- a/bin/hardening/10.4_default_umask.sh
+++ b/bin/hardening/10.4_default_umask.sh
@@ -13,7 +13,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 
 USER='root'
-PATTERN='umask 077'
+PATTERN='umask 644'
 FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d/*'
 FILE='/etc/profile.d/CIS_10.4_umask.sh'
 
diff --git a/bin/hardening/10.5_lock_inactive_user_account.sh b/bin/hardening/10.5_lock_inactive_user_account.sh
new file mode 100755
index 0000000..6d82eff
--- /dev/null
+++ b/bin/hardening/10.5_lock_inactive_user_account.sh
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
+#
+
+#
+# 10.4 Set Default umask for Users (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    info "Looking at the manual of useradd, it seems that this recommendation does not fill the title"
+    info "The number of days after a password expires until the account is permanently disabled."
+    info "Which is not inactive users per se"
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    info "Looking at the manual of useradd, it seems that this recommendation does not fill the title"
+    info "The number of days after a password expires until the account is permanently disabled."
+    info "Which is not inactive users per se"
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+    echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+    exit 128
+else
+    . /etc/default/cis-hardenning
+    if [ -z $CIS_ROOT_DIR ]; then
+        echo "No CIS_ROOT_DIR variable, aborting"
+    fi
+fi 
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/11.1_warning_banners.sh b/bin/hardening/11.1_warning_banners.sh
new file mode 100755
index 0000000..b4620ce
--- /dev/null
+++ b/bin/hardening/11.1_warning_banners.sh
@@ -0,0 +1,80 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
+#
+
+#
+# 11.1 Set Warning Banner for Standard Login Services (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PERMISSIONS='644'
+USER='root'
+GROUP='root'
+FILES='/etc/motd /etc/issue /etc/issue.net'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    for FILE in $FILES; do
+        has_file_correct_ownership $FILE $USER $GROUP
+        if [ $FNRET = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            crit "$FILE is not $USER:$GROUP ownership set"
+        fi
+        has_file_correct_permissions $FILE $PERMISSIONS
+        if [ $FNRET = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            crit "$FILE has not $PERMISSIONS permissions set"
+        fi
+    done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    for FILE in $FILES; do
+        does_file_exist $FILE
+        if [ $FNRET != 0 ]; then
+            info "$FILE does not exist"
+            touch $FILE
+        fi
+        has_file_correct_ownership $FILE $USER $GROUP
+        if [ $FNRET = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            warn "$FILE is not $USER:$GROUP ownership set"
+            chown $USER:$GROUP $FILE
+        fi
+        has_file_correct_permissions $FILE $PERMISSIONS
+        if [ $FNRET = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            info "fixing $FILE permissions to $PERMISSIONS"
+            chmod 0$PERMISSIONS $FILE
+        fi
+    done
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+    echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+    exit 128
+else
+    . /etc/default/cis-hardenning
+    if [ -z $CIS_ROOT_DIR ]; then
+        echo "No CIS_ROOT_DIR variable, aborting"
+    fi
+fi 
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/11.2_remove_os_info_warning_banners.sh b/bin/hardening/11.2_remove_os_info_warning_banners.sh
new file mode 100755
index 0000000..9ed0bc9
--- /dev/null
+++ b/bin/hardening/11.2_remove_os_info_warning_banners.sh
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
+#
+
+#
+# 11.2 Remove OS Information from Login Warning Banners (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILES='/etc/motd /etc/issue /etc/issue.net'
+PATTERN='(\\v|\\r|\\m|\\s)'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    for FILE in $FILES; do
+        does_pattern_exists_in_file $FILE "$PATTERN"
+        if [ $FNRET = 0 ]; then
+            crit "$PATTERN is present in $FILE"
+        else
+            ok "$PATTERN is not present in $FILE"
+        fi
+    done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    for FILE in $FILES; do
+        does_pattern_exists_in_file $FILE "$PATTERN"
+        if [ $FNRET = 0 ]; then
+            warn "$PATTERN is present in $FILE"
+            delete_line_in_file $FILE $PATTERN
+        else
+            ok "$PATTERN is not present in $FILE"
+        fi
+    done
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+    echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+    exit 128
+else
+    . /etc/default/cis-hardenning
+    if [ -z $CIS_ROOT_DIR ]; then
+        echo "No CIS_ROOT_DIR variable, aborting"
+    fi
+fi 
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/11.3_graphical_warning_banners.sh b/bin/hardening/11.3_graphical_warning_banners.sh
new file mode 100755
index 0000000..7126b93
--- /dev/null
+++ b/bin/hardening/11.3_graphical_warning_banners.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
+#
+
+#
+# 11.3 Set Graphical Warning Banner (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    info "Not implemented yet"
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    info "Not implemented yet"
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+    echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+    exit 128
+else
+    . /etc/default/cis-hardenning
+    if [ -z $CIS_ROOT_DIR ]; then
+        echo "No CIS_ROOT_DIR variable, aborting"
+    fi
+fi 
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/9.5_restrict_su.sh b/bin/hardening/9.5_restrict_su.sh
index 70d6922..90737da 100755
--- a/bin/hardening/9.5_restrict_su.sh
+++ b/bin/hardening/9.5_restrict_su.sh
@@ -6,7 +6,7 @@
 #
 
 #
-# 9.2.1 Set Password Creation Requirement Parameters Using pam_cracklib (Scored)
+# 9.5 Restrict Access to the su Command (Scored)
 #
 
 set -e # One error, it's over
diff --git a/etc/conf.d/10.5_lock_inactive_user_account.cfg b/etc/conf.d/10.5_lock_inactive_user_account.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/10.5_lock_inactive_user_account.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/11.1_warning_banners.cfg b/etc/conf.d/11.1_warning_banners.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/11.1_warning_banners.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/11.2_remove_os_info_warning_banners.cfg b/etc/conf.d/11.2_remove_os_info_warning_banners.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/11.2_remove_os_info_warning_banners.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/11.3_graphical_warning_banners.cfg b/etc/conf.d/11.3_graphical_warning_banners.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/11.3_graphical_warning_banners.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/lib/utils.sh b/lib/utils.sh
index f382475..adc3e30 100644
--- a/lib/utils.sh
+++ b/lib/utils.sh
@@ -123,8 +123,9 @@ add_line_file_before_pattern() {
     local LINE=$2
     local PATTERN=$3
 
-    backup_file "$1"
+    backup_file "$FILE"
     debug "Inserting $LINE before $PATTERN in $FILE"
+    PATTERN=$(sed 's@/@\/@g' <<< $PATTERN)
     debug "sed -i '/$PATTERN/i $LINE' $FILE"
     sed -i "/$PATTERN/i $LINE" $FILE
     FNRET=0
@@ -135,13 +136,26 @@ replace_in_file() {
     local SOURCE=$2
     local DESTINATION=$3
 
-    backup_file "$1"
+    backup_file "$FILE"
     debug "Replacing $SOURCE to $DESTINATION in $FILE"
+    SOURCE=$(sed 's@/@\/@g' <<< $SOURCE)
     debug "sed -i 's/$SOURCE/$DESTINATION/g' $FILE"
     sed -i "s/$SOURCE/$DESTINATION/g" $FILE
     FNRET=0
 }
 
+delete_line_in_file() {
+    local FILE=$1
+    local PATTERN=$2
+
+    backup_file "$FILE"
+    debug "Deleting lines from $FILE containing $PATTERN"
+    PATTERN=$(sed 's@/@\/@g' <<< $PATTERN)
+    debug "sed -i '/$PATTERN/d' $FILE"
+    sed -i "/$PATTERN/d" $FILE
+    FNRET=0
+}
+
 #
 # Users and groups
 #