From 87bf29b5fe82a116c762cec7969e4817e5d9d7a0 Mon Sep 17 00:00:00 2001
From: Thibault Ayanides
Date: Mon, 21 Dec 2020 15:52:47 +0100
Subject: [PATCH] ADD(1.3.x): add new scripts for debian10

---
 bin/hardening/1.3.1_install_sudo.sh | 66 ++++++++++++++++++++++
 bin/hardening/1.3.2_pty_sudo.sh | 80 +++++++++++++++++++++++++++
 bin/hardening/1.3.3_logfile_sudo.sh | 80 +++++++++++++++++++++++++++
 tests/hardening/1.3.1_install_sudo.sh | 18 ++++++
 tests/hardening/1.3.2_pty_sudo.sh | 18 ++++++
 tests/hardening/1.3.3_logfile_sudo.sh | 18 ++++++
 6 files changed, 280 insertions(+)
 create mode 100755 bin/hardening/1.3.1_install_sudo.sh
 create mode 100755 bin/hardening/1.3.2_pty_sudo.sh
 create mode 100755 bin/hardening/1.3.3_logfile_sudo.sh
 create mode 100644 tests/hardening/1.3.1_install_sudo.sh
 create mode 100644 tests/hardening/1.3.2_pty_sudo.sh
 create mode 100644 tests/hardening/1.3.3_logfile_sudo.sh

diff --git a/bin/hardening/1.3.1_install_sudo.sh b/bin/hardening/1.3.1_install_sudo.sh
new file mode 100755
index 0000000..b2a99f7
--- /dev/null
+++ b/bin/hardening/1.3.1_install_sudo.sh
@@ -0,0 +1,66 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.3.1 Ensure sudo is installed (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Install sudo to permit users to execute command as superuser or as another user."
+
+PACKAGE='sudo'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$PACKAGE is not installed!"
+    else
+        ok "$PACKAGE is installed"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" = 0 ]; then
+        ok "$PACKAGE is installed"
+    else
+        crit "$PACKAGE is absent, installing it"
+        apt_install "$PACKAGE"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
diff --git a/bin/hardening/1.3.2_pty_sudo.sh b/bin/hardening/1.3.2_pty_sudo.sh
new file mode 100755
index 0000000..c61d6ef
--- /dev/null
+++ b/bin/hardening/1.3.2_pty_sudo.sh
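Review bot: With `set -u` in effect, the guard `if [ -z "$CIS_ROOT_DIR" ]; then` aborts with "CIS_ROOT_DIR: unbound variable" whenever /etc/default/cis-hardening is absent and the variable is not exported, so the two diagnostic echo lines and the `exit 128` that follow never run. `if [ -z "${CIS_ROOT_DIR:-}" ]; then` keeps the intended message and exit status. The same bootstrap block is reproduced unchanged in bin/hardening/1.3.2_pty_sudo.sh and bin/hardening/1.3.3_logfile_sudo.sh. In apply(), nothing re-checks the package after `apt_install "$PACKAGE"`, so the only outcome reported for the fix path is the `crit` emitted before the install was attempted; calling `is_pkg_installed "$PACKAGE"` again afterwards and reporting `ok`/`crit` on the real result would make the apply log trustworthy.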
@@ -0,0 +1,80 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.3.2 Ensure sudo commands use pty (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Ensure sudo can only be run from a pseudo pty."
+
+PATTERN='^\s*Defaults\s+([^#]+,\s*)?use_pty(,\s+\S+\s*)*(\s+#.*)?$'
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    FOUND=0
+    for f in /etc/{sudoers,sudoers.d/*}; do
+        does_pattern_exist_in_file_nocase "$f" "$PATTERN"
+        if [ "$FNRET" = 0 ]; then
+            FOUND=1
+        fi
+    done
+
+    if [[ "$FOUND" = 1 ]]; then
+        ok "Defaults use_pty found in sudoers file"
+    else
+        crit "Defaults use_pty not found in sudoers files"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+    FOUND=0
+    for f in /etc/{sudoers,sudoers.d/*}; do
+        does_pattern_exist_in_file_nocase "$f" "$PATTERN"
+        if [ "$FNRET" = 0 ]; then
+            FOUND=1
+        fi
+    done
+
+    if [[ "$FOUND" = 1 ]]; then
+        ok "Defaults use_pty found in sudoers file"
+    else
+        warn "Defaults use_pty not found in sudoers files, fixing"
+        add_line_file_before_pattern /etc/sudoers "Defaults use_pty" "# Host alias specification"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
diff --git a/bin/hardening/1.3.3_logfile_sudo.sh b/bin/hardening/1.3.3_logfile_sudo.sh
new file mode 100755
index 0000000..2ff1416
--- /dev/null
+++ b/bin/hardening/1.3.3_logfile_sudo.sh
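Review bot: audit() and apply() treat one matching `Defaults use_pty` line anywhere under /etc/sudoers or /etc/sudoers.d as compliance, but sudoers applies Defaults entries in order with the last match winning, so a later `Defaults !use_pty` in an included file negates the option while this check still reports ok; the audit should also flag any `Defaults` line that contains `!use_pty`. PATTERN is also asymmetric: the leading group `([^#]+,\s*)?` accepts `Defaults env_reset,use_pty`, but the trailing group `(,\s+\S+\s*)*` requires whitespace after the comma, so the equally valid `Defaults use_pty,env_reset` is reported as missing — `(,\s*\S+\s*)*` fixes that. apply() edits /etc/sudoers without any syntax validation afterwards, and a malformed sudoers locks every user out of sudo, so run `visudo -c -f /etc/sudoers` right after `add_line_file_before_pattern` and report `crit` when it fails; bin/hardening/1.3.3_logfile_sudo.sh has the same gap. The insertion further depends on the anchor comment `# Host alias specification` being present in /etc/sudoers, and what add_line_file_before_pattern does when that anchor is absent is defined outside this hunk and worth confirming before this ships. As a point of style, the detection loop is duplicated verbatim between audit() and apply() and mixes `[ "$FNRET" = 0 ]` with `[[ "$FOUND" = 1 ]]` in the same function; a small helper that sets FOUND would remove both.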
@@ -0,0 +1,80 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.3.3 Ensure sudo log file exists (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=2
+# shellcheck disable=2034
+DESCRIPTION="Ensure sudo log files exists."
+
+PATTERN="^\s*Defaults\s+logfile=\S+"
+LOGFILE="/var/log/sudo.log"
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+    FOUND=0
+    for f in /etc/{sudoers,sudoers.d/*}; do
+        does_pattern_exist_in_file_nocase "$f" "$PATTERN"
+        if [ "$FNRET" = 0 ]; then
+            FOUND=1
+        fi
+    done
+
+    if [[ "$FOUND" = 1 ]]; then
+        ok "Defaults log file found in sudoers file"
+    else
+        crit "Defaults log file not found in sudoers files"
+    fi
+}
+# This function will be called if the script status is on enabled mode
+apply() {
+    FOUND=0
+    for f in /etc/{sudoers,sudoers.d/*}; do
+        does_pattern_exist_in_file_nocase "$f" "$PATTERN"
+        if [ "$FNRET" = 0 ]; then
+            FOUND=1
+        fi
+    done
+
+    if [[ "$FOUND" = 1 ]]; then
+        ok "Defaults log file found in sudoers file"
+    else
+        warn "Defaults log file not found in sudoers files, fixing"
+        add_line_file_before_pattern /etc/sudoers "Defaults logfile=\"$LOGFILE\"" "# Host alias specification"
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    # shellcheck source=../../debian/default
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=../../lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
diff --git a/tests/hardening/1.3.1_install_sudo.sh b/tests/hardening/1.3.1_install_sudo.sh
new file mode 100644
index 0000000..38538e1
--- /dev/null
+++ b/tests/hardening/1.3.1_install_sudo.sh
@@ -0,0 +1,18 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe Running on blank host
+    register_test retvalshouldbe 0
+    dismiss_count_for_test
+    # shellcheck disable=2154
+    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    describe correcting situation
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "sudo is installed"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+}
diff --git a/tests/hardening/1.3.2_pty_sudo.sh b/tests/hardening/1.3.2_pty_sudo.sh
new file mode 100644
index 0000000..2827308
--- /dev/null
+++ b/tests/hardening/1.3.2_pty_sudo.sh
@@ -0,0 +1,18 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe Running on blank host
+    register_test retvalshouldbe 0
+    dismiss_count_for_test
+    # shellcheck disable=2154
+    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    describe correcting situation
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "Defaults use_pty found in sudoers file"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+}
diff --git a/tests/hardening/1.3.3_logfile_sudo.sh b/tests/hardening/1.3.3_logfile_sudo.sh
new file mode 100644
index 0000000..033e80c
--- /dev/null
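Review bot: `PATTERN="^\s*Defaults\s+logfile=\S+"` only matches when logfile is the first option on the Defaults line, so a compliant `Defaults use_pty,logfile="/var/log/sudo.log"` is reported crit by audit() and apply() then inserts a second logfile line into /etc/sudoers; mirroring 1.3.2 with `PATTERN='^\s*Defaults\s+([^#]+,\s*)?logfile=\S+'` fixes both, and the single quotes also stop relying on bash leaving `\s` and `\S` untouched inside double quotes. Nothing here checks that the file named by LOGFILE exists or what permissions it carries, although the check title is "Ensure sudo log file exists"; if that is deliberately left to sudo's first write, a comment above `LOGFILE=` saying so would save the next reader the same question. As in 1.3.2_pty_sudo.sh, apply() edits /etc/sudoers without running `visudo -c -f /etc/sudoers` afterwards, so a bad edit is only discovered when the next sudo invocation fails. As a point of style, the blank line between audit()'s closing brace and the comment introducing apply() is missing, unlike the two sibling scripts in this commit.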
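Review bot: The blank-host stage of test_audit() asserts only the return value and nothing about the reported state, so the test does not pin whether the check actually fails before `--apply`; if the blank image is expected to be non-compliant, `register_test contain "is not installed"` on the blank run would pin it (with the matching "not found in sudoers files" message in tests/hardening/1.3.2_pty_sudo.sh and tests/hardening/1.3.3_logfile_sudo.sh, which share this shape), and if it is expected to be compliant already, the "correcting situation" step exercises nothing and deserves a comment. For the two sudoers tests, nothing verifies that /etc/sudoers still parses after the apply step, which is the failure that would actually lock out sudo; a `run` of `visudo -c` with `register_test retvalshouldbe 0` between the apply and the resolved-state check would cover it. The `|| true` on the `--apply` call hides a non-zero exit from apply(), so a failed apt or file edit only surfaces indirectly through the resolved-state assertions — acceptable if intentional, but worth a comment.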
+++ b/tests/hardening/1.3.3_logfile_sudo.sh
@@ -0,0 +1,18 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe Running on blank host
+    register_test retvalshouldbe 0
+    dismiss_count_for_test
+    # shellcheck disable=2154
+    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    describe correcting situation
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "Defaults log file found in sudoers file"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+}