mirror of
https://github.com/ovh/debian-cis.git
synced 2024-12-22 22:15:24 +01:00
ADD(1.3.x): add new scripts for debian10
This commit is contained in:
parent
0204bb0942
commit
87bf29b5fe
66
bin/hardening/1.3.1_install_sudo.sh
Executable file
66
bin/hardening/1.3.1_install_sudo.sh
Executable file
@ -0,0 +1,66 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 1.3.1 Ensure sudo is installed (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Install sudo to permit users to execute command as superuser or as another user."
|
||||
|
||||
PACKAGE='sudo'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" != 0 ]; then
|
||||
crit "$PACKAGE is not installed!"
|
||||
else
|
||||
ok "$PACKAGE is installed"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
is_pkg_installed "$PACKAGE"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$PACKAGE is installed"
|
||||
else
|
||||
crit "$PACKAGE is absent, installing it"
|
||||
apt_install "$PACKAGE"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
80
bin/hardening/1.3.2_pty_sudo.sh
Executable file
80
bin/hardening/1.3.2_pty_sudo.sh
Executable file
@ -0,0 +1,80 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 1.3.2 Ensure sudo commands use pty (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Ensure sudo can only be run from a pseudo pty."
|
||||
|
||||
PATTERN='^\s*Defaults\s+([^#]+,\s*)?use_pty(,\s+\S+\s*)*(\s+#.*)?$'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
FOUND=0
|
||||
for f in /etc/{sudoers,sudoers.d/*}; do
|
||||
does_pattern_exist_in_file_nocase "$f" "$PATTERN"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
FOUND=1
|
||||
fi
|
||||
done
|
||||
|
||||
if [[ "$FOUND" = 1 ]]; then
|
||||
ok "Defaults use_pty found in sudoers file"
|
||||
else
|
||||
crit "Defaults use_pty not found in sudoers files"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
FOUND=0
|
||||
for f in /etc/{sudoers,sudoers.d/*}; do
|
||||
does_pattern_exist_in_file_nocase "$f" "$PATTERN"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
FOUND=1
|
||||
fi
|
||||
done
|
||||
|
||||
if [[ "$FOUND" = 1 ]]; then
|
||||
ok "Defaults use_pty found in sudoers file"
|
||||
else
|
||||
warn "Defaults use_pty not found in sudoers files, fixing"
|
||||
add_line_file_before_pattern /etc/sudoers "Defaults use_pty" "# Host alias specification"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
80
bin/hardening/1.3.3_logfile_sudo.sh
Executable file
80
bin/hardening/1.3.3_logfile_sudo.sh
Executable file
@ -0,0 +1,80 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
# 1.3.3 Ensure sudo log file exists (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Ensure sudo log files exists."
|
||||
|
||||
PATTERN="^\s*Defaults\s+logfile=\S+"
|
||||
LOGFILE="/var/log/sudo.log"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
FOUND=0
|
||||
for f in /etc/{sudoers,sudoers.d/*}; do
|
||||
does_pattern_exist_in_file_nocase "$f" "$PATTERN"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
FOUND=1
|
||||
fi
|
||||
done
|
||||
|
||||
if [[ "$FOUND" = 1 ]]; then
|
||||
ok "Defaults log file found in sudoers file"
|
||||
else
|
||||
crit "Defaults log file not found in sudoers files"
|
||||
fi
|
||||
}
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
FOUND=0
|
||||
for f in /etc/{sudoers,sudoers.d/*}; do
|
||||
does_pattern_exist_in_file_nocase "$f" "$PATTERN"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
FOUND=1
|
||||
fi
|
||||
done
|
||||
|
||||
if [[ "$FOUND" = 1 ]]; then
|
||||
ok "Defaults log file found in sudoers file"
|
||||
else
|
||||
warn "Defaults log file not found in sudoers files, fixing"
|
||||
add_line_file_before_pattern /etc/sudoers "Defaults logfile=\"$LOGFILE\"" "# Host alias specification"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ -r /etc/default/cis-hardening ]; then
|
||||
# shellcheck source=../../debian/default
|
||||
. /etc/default/cis-hardening
|
||||
fi
|
||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
||||
exit 128
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=../../lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
fi
|
18
tests/hardening/1.3.1_install_sudo.sh
Normal file
18
tests/hardening/1.3.1_install_sudo.sh
Normal file
@ -0,0 +1,18 @@
|
||||
# shellcheck shell=bash
|
||||
# run-shellcheck
|
||||
test_audit() {
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
dismiss_count_for_test
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Checking resolved state
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "sudo is installed"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
|
18
tests/hardening/1.3.2_pty_sudo.sh
Normal file
18
tests/hardening/1.3.2_pty_sudo.sh
Normal file
@ -0,0 +1,18 @@
|
||||
# shellcheck shell=bash
|
||||
# run-shellcheck
|
||||
test_audit() {
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
dismiss_count_for_test
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Checking resolved state
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "Defaults use_pty found in sudoers file"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
|
18
tests/hardening/1.3.3_logfile_sudo.sh
Normal file
18
tests/hardening/1.3.3_logfile_sudo.sh
Normal file
@ -0,0 +1,18 @@
|
||||
# shellcheck shell=bash
|
||||
# run-shellcheck
|
||||
test_audit() {
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
dismiss_count_for_test
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Checking resolved state
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "Defaults log file found in sudoers file"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
|
Loading…
Reference in New Issue
Block a user