From 87e242a42d43d053d901cbb9421edf81a676a164 Mon Sep 17 00:00:00 2001 
From: Thibault Ayanides Date: Tue, 22 Dec 2020 15:58:10 +0100 Subject: [PATCH] Add commentaries, renum scripts --- bin/hardening/1.1.1.1_disable_freevxfs.sh | 2 ++ bin/hardening/1.1.1.2_disable_jffs2.sh | 2 ++ bin/hardening/1.1.1.3_disable_hfs.sh | 2 ++ bin/hardening/1.1.1.4_disable_hfsplus.sh | 2 ++ bin/hardening/1.1.1.5_disable_squashfs.sh | 2 ++ bin/hardening/1.1.1.6_disable_udf.sh | 2 ++ bin/hardening/1.1.1.7_restrict_fat.sh | 10 ++++++---- bin/hardening/1.1.12_var_log_audit_partition.sh | 1 + bin/hardening/1.1.23_disable_usb_storage.sh | 10 ++++++---- ...1_install_tripwire.sh => 1.4.1_install_tripwire.sh} | 5 +++-- .../{8.3.2_tripwire_cron.sh => 1.4.2_tripwire_cron.sh} | 4 +++- bin/hardening/1.7.1.1_install_apparmor.sh | 8 ++++---- bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh | 8 ++++---- bin/hardening/1.7.1.4_enforcing_apparmor.sh | 8 ++++---- bin/hardening/2.2.1.2_configure_systemd-timesyncd.sh | 8 ++++---- bin/hardening/2.2.17_disable_nis.sh | 2 +- bin/hardening/3.5.1.1_enable_firewall.sh | 3 ++- bin/hardening/4.1.1.1_install_auditd.sh | 8 ++++---- bin/hardening/4.1.1.4_audit_backlog_limit.sh | 8 ++++---- bin/hardening/4.2.1.1_install_syslog-ng.sh | 2 +- bin/hardening/4.2.1.4_syslog_ng_logfiles_perm.sh | 4 ++-- bin/hardening/4.2.2.1_journald_logs.sh | 10 +++++----- bin/hardening/4.2.2.2_journald_compress.sh | 8 ++++---- bin/hardening/4.2.2.3_journald_write_persistent.sh | 8 ++++---- bin/hardening/4.3_configure_logrotate.sh | 1 + bin/hardening/4.4_logrotate_permissions.sh | 8 ++++---- bin/hardening/5.2.20_enable_ssh_pam.sh | 8 ++++---- .../5.2.21_disable_ssh_allow_tcp_forwarding.sh | 8 ++++---- bin/hardening/5.2.22_configure_ssh_max_startups.sh | 8 ++++---- bin/hardening/5.2.23_limit_ssh_max_sessions.sh | 8 ++++---- bin/hardening/5.3.4_acc_pam_sha512.sh | 3 +-- bin/hardening/5.4.1.5_last_password_change_past.sh | 8 ++++---- bin/hardening/5.4.5_default_timeout.sh | 8 ++++---- bin/hardening/6.1.8_etc_group-_permissions.sh | 2 +- 
bin/hardening/6.1.9_etc_gshadow_permissions.sh | 2 +- ...auditd_kernel.sh => 99.4.0_enable_auditd_kernel.sh} | 0 src/skel | 4 ++-- tests/hardening/1.1.1.7_restrict_fat.sh | 2 +- tests/hardening/1.1.23_disable_usb_storage.sh | 2 +- ...1_install_tripwire.sh => 1.4.1_install_tripwire.sh} | 0 .../{8.3.2_tripwire_cron.sh => 1.4.2_tripwire_cron.sh} | 0 tests/hardening/1.7.1.1_install_apparmor.sh | 2 +- .../hardening/1.7.1.3_enforce_or_complain_apparmor.sh | 2 +- tests/hardening/1.7.1.4_enforcing_apparmor.sh | 2 +- tests/hardening/2.2.1.2_configure_systemd-timesyncd.sh | 2 +- tests/hardening/4.1.1.1_install_auditd.sh | 2 +- tests/hardening/4.2.2.1_journald_logs.sh | 2 +- tests/hardening/4.2.2.2_journald_compress.sh | 2 +- tests/hardening/4.2.2.3_journald_write_persistent.sh | 2 +- tests/hardening/4.4_logrotate_permissions.sh | 2 +- tests/hardening/5.2.20_enable_ssh_pam.sh | 2 +- .../5.2.21_disable_ssh_allow_tcp_forwarding.sh | 2 +- tests/hardening/5.2.22_configure_ssh_max_startups.sh | 2 +- tests/hardening/5.2.23_limit_ssh_max_sessions.sh | 2 +- tests/hardening/5.4.1.5_last_password_change_past.sh | 2 +- tests/hardening/5.4.5_default_timeout.sh | 2 +- ...auditd_kernel.sh => 99.4.0_enable_auditd_kernel.sh} | 0 57 files changed, 125 insertions(+), 104 deletions(-) rename bin/hardening/{8.3.1_install_tripwire.sh => 1.4.1_install_tripwire.sh} (93%) rename bin/hardening/{8.3.2_tripwire_cron.sh => 1.4.2_tripwire_cron.sh} (94%) rename bin/hardening/{8.0_enable_auditd_kernel.sh => 99.4.0_enable_auditd_kernel.sh} (100%) rename tests/hardening/{8.3.1_install_tripwire.sh => 1.4.1_install_tripwire.sh} (100%) rename tests/hardening/{8.3.2_tripwire_cron.sh => 1.4.2_tripwire_cron.sh} (100%) rename tests/hardening/{8.0_enable_auditd_kernel.sh => 99.4.0_enable_auditd_kernel.sh} (100%) diff --git a/bin/hardening/1.1.1.1_disable_freevxfs.sh b/bin/hardening/1.1.1.1_disable_freevxfs.sh index ed8b7e9..d5c1a70 100755 --- a/bin/hardening/1.1.1.1_disable_freevxfs.sh 
+++ b/bin/hardening/1.1.1.1_disable_freevxfs.sh @@ -17,6 +17,8 @@ HARDENING_LEVEL=2 # shellcheck disable=2034 DESCRIPTION="Disable mounting of freevxfs filesystems." +# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels + KERNEL_OPTION="CONFIG_VXFS_FS" MODULE_NAME="freevxfs" diff --git a/bin/hardening/1.1.1.2_disable_jffs2.sh b/bin/hardening/1.1.1.2_disable_jffs2.sh index 6d5f46d..2ed8384 100755 --- a/bin/hardening/1.1.1.2_disable_jffs2.sh +++ b/bin/hardening/1.1.1.2_disable_jffs2.sh @@ -17,6 +17,8 @@ HARDENING_LEVEL=2 # shellcheck disable=2034 DESCRIPTION="Disable mounting of jffs2 filesystems." +# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels + KERNEL_OPTION="CONFIG_JFFS2_FS" MODULE_NAME="jffs2" diff --git a/bin/hardening/1.1.1.3_disable_hfs.sh b/bin/hardening/1.1.1.3_disable_hfs.sh index dbb4bb2..eb8ca14 100755 --- a/bin/hardening/1.1.1.3_disable_hfs.sh +++ b/bin/hardening/1.1.1.3_disable_hfs.sh @@ -17,6 +17,8 @@ HARDENING_LEVEL=2 # shellcheck disable=2034 DESCRIPTION="Disable mounting of hfs filesystems." +# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels + KERNEL_OPTION="CONFIG_HFS_FS" MODULE_FILE="hfs" diff --git a/bin/hardening/1.1.1.4_disable_hfsplus.sh b/bin/hardening/1.1.1.4_disable_hfsplus.sh index 7527ca0..28118fc 100755 --- a/bin/hardening/1.1.1.4_disable_hfsplus.sh +++ b/bin/hardening/1.1.1.4_disable_hfsplus.sh @@ -17,6 +17,8 @@ HARDENING_LEVEL=2 # shellcheck disable=2034 DESCRIPTION="Disable mounting of hfsplus filesystems." +# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels + KERNEL_OPTION="CONFIG_HFSPLUS_FS" MODULE_FILE="hfsplus" diff --git a/bin/hardening/1.1.1.5_disable_squashfs.sh b/bin/hardening/1.1.1.5_disable_squashfs.sh index f8bc1a2..8b088aa 100755 --- a/bin/hardening/1.1.1.5_disable_squashfs.sh +++ b/bin/hardening/1.1.1.5_disable_squashfs.sh 
@@ -17,6 +17,8 @@ HARDENING_LEVEL=2 # shellcheck disable=2034 DESCRIPTION="Disable mounting of squashfs filesytems." +# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels + KERNEL_OPTION="CONFIG_SQUASHFS" MODULE_FILE="squashfs" diff --git a/bin/hardening/1.1.1.6_disable_udf.sh b/bin/hardening/1.1.1.6_disable_udf.sh index 3f209c4..913c657 100755 --- a/bin/hardening/1.1.1.6_disable_udf.sh +++ b/bin/hardening/1.1.1.6_disable_udf.sh @@ -17,6 +17,8 @@ HARDENING_LEVEL=2 # shellcheck disable=2034 DESCRIPTION="Disable mounting of udf filesystems." +# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels + KERNEL_OPTION="CONFIG_UDF_FS" MODULE_FILE="udf" diff --git a/bin/hardening/1.1.1.7_restrict_fat.sh b/bin/hardening/1.1.1.7_restrict_fat.sh index 0c74c93..12071c9 100755 --- a/bin/hardening/1.1.1.7_restrict_fat.sh +++ b/bin/hardening/1.1.1.7_restrict_fat.sh @@ -17,13 +17,15 @@ HARDENING_LEVEL=2 # shellcheck disable=2034 DESCRIPTION="Limit mounting of FAT filesystems." +# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels + # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { : } # This function will be called if the script status is on enabled mode -apply () { +apply() { : } @@ -38,8 +40,8 @@ if [ -r /etc/default/cis-hardening ]; then . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi diff --git a/bin/hardening/1.1.12_var_log_audit_partition.sh b/bin/hardening/1.1.12_var_log_audit_partition.sh index 404e4e7..05b2f47 100755 --- a/bin/hardening/1.1.12_var_log_audit_partition.sh 
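Review bot: The added `# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels` in 1.1.1.7_restrict_fat.sh sits directly above `audit()` and `apply()`, whose bodies in the same hunk are still the `:` placeholder, so the comment documents a check this script does not yet perform; the 1.1.23_disable_usb_storage.sh hunk has the same mismatch. Until the check exists, either drop the note or phrase it as intent, e.g. `# TODO: read /proc/config.gz so that both monolithic and modular kernels are covered`. "compliant with" also reads as "compatible with" here. For the 1.1.1.x scripts above, where the check is presumably done by shared code reading KERNEL_OPTION, the note is fine but would be clearer placed next to that code rather than above the variable.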
+++ b/bin/hardening/1.1.12_var_log_audit_partition.sh @@ -1,5 +1,6 @@ #!/bin/bash +# run-shellcheck # # CIS Debian Hardening # diff --git a/bin/hardening/1.1.23_disable_usb_storage.sh b/bin/hardening/1.1.23_disable_usb_storage.sh index b139f17..3a4882a 100755 --- a/bin/hardening/1.1.23_disable_usb_storage.sh +++ b/bin/hardening/1.1.23_disable_usb_storage.sh @@ -17,13 +17,15 @@ HARDENING_LEVEL=2 # shellcheck disable=2034 DESCRIPTION="Disable USB storage." +# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels + # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { : } # This function will be called if the script status is on enabled mode -apply () { +apply() { : } @@ -38,8 +40,8 @@ if [ -r /etc/default/cis-hardening ]; then . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi diff --git a/bin/hardening/8.3.1_install_tripwire.sh b/bin/hardening/1.4.1_install_tripwire.sh similarity index 93% rename from bin/hardening/8.3.1_install_tripwire.sh rename to bin/hardening/1.4.1_install_tripwire.sh index b622ded..aa77d00 100755 --- a/bin/hardening/8.3.1_install_tripwire.sh +++ b/bin/hardening/1.4.1_install_tripwire.sh @@ -6,7 +6,7 @@ # # -# 8.3.1 Install tripwire package (Scored) +# 1.4.1 Ensure tripwire is installed (Scored) # set -e # One error, it's over 
@@ -17,7 +17,8 @@ HARDENING_LEVEL=4 # shellcheck disable=2034 DESCRIPTION="Ensure tripwire package is installed." -# NB : in CIS, AIDE has been chosen, however we chose tripwire +# Note : in CIS, AIDE has been chosen, however we chose tripwire + PACKAGE='tripwire' # This function will be called if the script status is on enabled / audit mode diff --git a/bin/hardening/8.3.2_tripwire_cron.sh b/bin/hardening/1.4.2_tripwire_cron.sh similarity index 94% rename from bin/hardening/8.3.2_tripwire_cron.sh rename to bin/hardening/1.4.2_tripwire_cron.sh index b23fa5b..80ccfdd 100755 --- a/bin/hardening/8.3.2_tripwire_cron.sh +++ b/bin/hardening/1.4.2_tripwire_cron.sh @@ -6,7 +6,7 @@ # # -# 8.3.2 Implement Periodic Execution of File Integrity (Scored) +# 1.4.2 Ensure filesysteme integrity is regularly checked (Scored) # set -e # One error, it's over @@ -17,6 +17,8 @@ HARDENING_LEVEL=4 # shellcheck disable=2034 DESCRIPTION="Implemet periodic execution of file integrity." +# Note : in CIS, AIDE has been chosen, however we chose tripwire + FILES="/etc/crontab" DIRECTORY="/etc/cron.d" PATTERN='tripwire --check' diff --git a/bin/hardening/1.7.1.1_install_apparmor.sh b/bin/hardening/1.7.1.1_install_apparmor.sh index 33fcea7..b70e3a4 100755 --- a/bin/hardening/1.7.1.1_install_apparmor.sh +++ b/bin/hardening/1.7.1.1_install_apparmor.sh @@ -18,12 +18,12 @@ HARDENING_LEVEL=3 DESCRIPTION="Install AppArmor." # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { : } # This function will be called if the script status is on enabled mode -apply () { +apply() { : } 
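Review bot: The new header line `# 1.4.2 Ensure filesysteme integrity is regularly checked (Scored)` in 1.4.2_tripwire_cron.sh carries a typo; it should read `# 1.4.2 Ensure filesystem integrity is regularly checked (Scored)`. The context line `DESCRIPTION="Implemet periodic execution of file integrity."` in the second hunk of the same file has a similar typo ("Implement") and, since DESCRIPTION is presumably shown to the operator when the check runs, is worth fixing while the file is being touched. Both hunks of 1.4.2 are complete within the diff.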
@@ -38,8 +38,8 @@ if [ -r /etc/default/cis-hardening ]; then . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi diff --git a/bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh b/bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh index d507013..bfefa12 100755 --- a/bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh +++ b/bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh @@ -18,12 +18,12 @@ HARDENING_LEVEL=3 DESCRIPTION="Enforce or complain AppArmor profiles." # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { : } # This function will be called if the script status is on enabled mode -apply () { +apply() { : } @@ -38,8 +38,8 @@ if [ -r /etc/default/cis-hardening ]; then . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi diff --git a/bin/hardening/1.7.1.4_enforcing_apparmor.sh b/bin/hardening/1.7.1.4_enforcing_apparmor.sh index 1cc664c..0b3fa40 100755 --- a/bin/hardening/1.7.1.4_enforcing_apparmor.sh +++ b/bin/hardening/1.7.1.4_enforcing_apparmor.sh 
@@ -18,12 +18,12 @@ HARDENING_LEVEL=3 DESCRIPTION="Enforce Apparmor profiles." # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { : } # This function will be called if the script status is on enabled mode -apply () { +apply() { : } @@ -38,8 +38,8 @@ if [ -r /etc/default/cis-hardening ]; then . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi diff --git a/bin/hardening/2.2.1.2_configure_systemd-timesyncd.sh b/bin/hardening/2.2.1.2_configure_systemd-timesyncd.sh index ee5f95e..67d8067 100755 --- a/bin/hardening/2.2.1.2_configure_systemd-timesyncd.sh +++ b/bin/hardening/2.2.1.2_configure_systemd-timesyncd.sh @@ -18,12 +18,12 @@ HARDENING_LEVEL=3 DESCRIPTION="Configure systemd-timesyncd." # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { : } # This function will be called if the script status is on enabled mode -apply () { +apply() { : } @@ -38,8 +38,8 @@ if [ -r /etc/default/cis-hardening ]; then . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi diff --git a/bin/hardening/2.2.17_disable_nis.sh b/bin/hardening/2.2.17_disable_nis.sh index c9e76bd..d45ed1d 100755 --- a/bin/hardening/2.2.17_disable_nis.sh +++ b/bin/hardening/2.2.17_disable_nis.sh 
@@ -24,7 +24,7 @@ audit() { # This function will be called if the script status is on enabled mode apply() { - : + : } # This function will check config parameters required diff --git a/bin/hardening/3.5.1.1_enable_firewall.sh b/bin/hardening/3.5.1.1_enable_firewall.sh index fcbf066..842966b 100755 --- a/bin/hardening/3.5.1.1_enable_firewall.sh +++ b/bin/hardening/3.5.1.1_enable_firewall.sh @@ -17,8 +17,9 @@ HARDENING_LEVEL=2 # shellcheck disable=2034 DESCRIPTION="Ensure firewall is active (iptables is installed, does not check for its configuration)." -# Quick note here : CIS recommends your iptables rules to be persistent. +# Note: CIS recommends your iptables rules to be persistent. # Do as you want, but this script does not handle this +# At OVH, we use iptables PACKAGE='iptables' diff --git a/bin/hardening/4.1.1.1_install_auditd.sh b/bin/hardening/4.1.1.1_install_auditd.sh index d6e9b75..b97f56c 100755 --- a/bin/hardening/4.1.1.1_install_auditd.sh +++ b/bin/hardening/4.1.1.1_install_auditd.sh @@ -18,12 +18,12 @@ HARDENING_LEVEL=4 DESCRIPTION="Install auditd." # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { : } # This function will be called if the script status is on enabled mode -apply () { +apply() { : } @@ -38,8 +38,8 @@ if [ -r /etc/default/cis-hardening ]; then . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi diff --git a/bin/hardening/4.1.1.4_audit_backlog_limit.sh b/bin/hardening/4.1.1.4_audit_backlog_limit.sh index 8e93d96..aaa9af1 100755 --- a/bin/hardening/4.1.1.4_audit_backlog_limit.sh +++ b/bin/hardening/4.1.1.4_audit_backlog_limit.sh 
@@ -18,12 +18,12 @@ HARDENING_LEVEL=4 DESCRIPTION="Configure audit_backlog_limit to be sufficient." # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { : } # This function will be called if the script status is on enabled mode -apply () { +apply() { : } @@ -38,8 +38,8 @@ if [ -r /etc/default/cis-hardening ]; then . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi diff --git a/bin/hardening/4.2.1.1_install_syslog-ng.sh b/bin/hardening/4.2.1.1_install_syslog-ng.sh index 8e7a804..5a9ec7b 100755 --- a/bin/hardening/4.2.1.1_install_syslog-ng.sh +++ b/bin/hardening/4.2.1.1_install_syslog-ng.sh @@ -17,7 +17,7 @@ HARDENING_LEVEL=3 # shellcheck disable=2034 DESCRIPTION="Install syslog-ng to manage logs" -# NB : in CIS, rsyslog has been chosen, however we chose syslog-ng +# Note: in CIS, rsyslog has been chosen, however we chose syslog-ng PACKAGE='syslog-ng' # This function will be called if the script status is on enabled / audit mode diff --git a/bin/hardening/4.2.1.4_syslog_ng_logfiles_perm.sh b/bin/hardening/4.2.1.4_syslog_ng_logfiles_perm.sh index 377bc53..2794093 100755 --- a/bin/hardening/4.2.1.4_syslog_ng_logfiles_perm.sh +++ b/bin/hardening/4.2.1.4_syslog_ng_logfiles_perm.sh @@ -12,13 +12,13 @@ set -e # One error, it's over set -u # One variable unset, it's over -# Note: this is not exacly the same check as the one described in CIS PDF - # shellcheck disable=2034 HARDENING_LEVEL=3 # shellcheck disable=2034 DESCRIPTION="Create and set permissions on syslog-ng logfiles." +# Note: this is not exacly the same check as the one described in CIS PDF + PERMISSIONS='' USER='' GROUP='' 
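Review bot: The relocated line `+# Note: this is not exacly the same check as the one described in CIS PDF` in 4.2.1.4_syslog_ng_logfiles_perm.sh keeps the existing typo; since the line is rewritten anyway, make it `# Note: this is not exactly the same check as the one described in the CIS PDF`. A short clause stating how the check deviates from the benchmark (what is checked instead) would make the note actionable for someone auditing against CIS, but the hunk does not show enough of the file to propose that wording.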
diff --git a/bin/hardening/4.2.2.1_journald_logs.sh b/bin/hardening/4.2.2.1_journald_logs.sh index 9df70b5..95916d5 100755 --- a/bin/hardening/4.2.2.1_journald_logs.sh +++ b/bin/hardening/4.2.2.1_journald_logs.sh @@ -6,7 +6,7 @@ # # -# 4.2.2.1 Ensure journald is configured to send logs to syslog-ng (Scored) +# 4.2.2.1 Ensure journald is configured to send logs to syslog-ng (Scored) # set -e # One error, it's over @@ -18,12 +18,12 @@ HARDENING_LEVEL=3 DESCRIPTION="Configure journald to send logs to syslog-ng." # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { : } # This function will be called if the script status is on enabled mode -apply () { +apply() { : } @@ -38,8 +38,8 @@ if [ -r /etc/default/cis-hardening ]; then . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi diff --git a/bin/hardening/4.2.2.2_journald_compress.sh b/bin/hardening/4.2.2.2_journald_compress.sh index c5f4510..5541466 100755 --- a/bin/hardening/4.2.2.2_journald_compress.sh +++ b/bin/hardening/4.2.2.2_journald_compress.sh @@ -18,12 +18,12 @@ HARDENING_LEVEL=3 DESCRIPTION="Configure journald to send logs to syslog-ng." # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { : } rsyslog # This function will be called if the script status is on enabled mode -apply () { +apply() { : } 
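Review bot: In the 4.2.2.2_journald_compress.sh hunk, the context line `rsyslog` between the closing brace of `audit()` and the `apply()` comment appears to be a bare command at script top level; under the file's `set -e` it would abort the script if no `rsyslog` binary is on PATH, or start the rsyslog daemon when the script is run, neither of which belongs in a journald compression check. Since the commit reformats the surrounding lines anyway, dropping that line here is cheap: the hunk should read `audit() {`, `:`, `}` followed directly by the blank line and the apply() comment. The context line `DESCRIPTION="Configure journald to send logs to syslog-ng."` in the same hunk is also copied from 4.2.2.1 and should describe this check, e.g. `DESCRIPTION="Configure journald to compress large log files."`. I cannot rule out that the `rsyslog` token is a collapse artefact of the patch rendering, so confirm against the file before removing it.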
@@ -38,8 +38,8 @@ if [ -r /etc/default/cis-hardening ]; then . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi diff --git a/bin/hardening/4.2.2.3_journald_write_persistent.sh b/bin/hardening/4.2.2.3_journald_write_persistent.sh index 66941e7..b1ef893 100755 --- a/bin/hardening/4.2.2.3_journald_write_persistent.sh +++ b/bin/hardening/4.2.2.3_journald_write_persistent.sh @@ -18,12 +18,12 @@ HARDENING_LEVEL=3 DESCRIPTION="Configure journald to write to a persistent location." # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { : } # This function will be called if the script status is on enabled mode -apply () { +apply() { : } @@ -38,8 +38,8 @@ if [ -r /etc/default/cis-hardening ]; then . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi diff --git a/bin/hardening/4.3_configure_logrotate.sh b/bin/hardening/4.3_configure_logrotate.sh index 903c5dd..06abe87 100755 --- a/bin/hardening/4.3_configure_logrotate.sh +++ b/bin/hardening/4.3_configure_logrotate.sh @@ -1,5 +1,6 @@ #!/bin/bash +# run-shellcheck # # CIS Debian Hardening # diff --git a/bin/hardening/4.4_logrotate_permissions.sh b/bin/hardening/4.4_logrotate_permissions.sh index ab712fa..29e6f24 100755 --- a/bin/hardening/4.4_logrotate_permissions.sh 
+++ b/bin/hardening/4.4_logrotate_permissions.sh @@ -18,12 +18,12 @@ HARDENING_LEVEL=3 DESCRIPTION="Configure logrotate to assign appropriate permissions." # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { : } # This function will be called if the script status is on enabled mode -apply () { +apply() { : } @@ -38,8 +38,8 @@ if [ -r /etc/default/cis-hardening ]; then . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi diff --git a/bin/hardening/5.2.20_enable_ssh_pam.sh b/bin/hardening/5.2.20_enable_ssh_pam.sh index 080e0a2..2c97335 100755 --- a/bin/hardening/5.2.20_enable_ssh_pam.sh +++ b/bin/hardening/5.2.20_enable_ssh_pam.sh @@ -18,12 +18,12 @@ HARDENING_LEVEL=3 DESCRIPTION="Enable SSH PAM." # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { : } # This function will be called if the script status is on enabled mode -apply () { +apply() { : } @@ -38,8 +38,8 @@ if [ -r /etc/default/cis-hardening ]; then . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi diff --git a/bin/hardening/5.2.21_disable_ssh_allow_tcp_forwarding.sh b/bin/hardening/5.2.21_disable_ssh_allow_tcp_forwarding.sh index 24d9742..04567e9 100755 --- a/bin/hardening/5.2.21_disable_ssh_allow_tcp_forwarding.sh 
+++ b/bin/hardening/5.2.21_disable_ssh_allow_tcp_forwarding.sh @@ -18,12 +18,12 @@ HARDENING_LEVEL=3 DESCRIPTION="Disable SSH AllowTCPForwarding." # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { : } # This function will be called if the script status is on enabled mode -apply () { +apply() { : } @@ -38,8 +38,8 @@ if [ -r /etc/default/cis-hardening ]; then . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi diff --git a/bin/hardening/5.2.22_configure_ssh_max_startups.sh b/bin/hardening/5.2.22_configure_ssh_max_startups.sh index f1d58cd..e361fd5 100755 --- a/bin/hardening/5.2.22_configure_ssh_max_startups.sh +++ b/bin/hardening/5.2.22_configure_ssh_max_startups.sh @@ -18,12 +18,12 @@ HARDENING_LEVEL=3 DESCRIPTION="Configure SSHMaxStartups." # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { : } # This function will be called if the script status is on enabled mode -apply () { +apply() { : } @@ -38,8 +38,8 @@ if [ -r /etc/default/cis-hardening ]; then . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi diff --git a/bin/hardening/5.2.23_limit_ssh_max_sessions.sh b/bin/hardening/5.2.23_limit_ssh_max_sessions.sh index f1f6f6e..4f756ac 100755 
--- a/bin/hardening/5.2.23_limit_ssh_max_sessions.sh +++ b/bin/hardening/5.2.23_limit_ssh_max_sessions.sh @@ -18,12 +18,12 @@ HARDENING_LEVEL=3 DESCRIPTION="Limit SSH MaxSessions." # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { : } # This function will be called if the script status is on enabled mode -apply () { +apply() { : } @@ -38,8 +38,8 @@ if [ -r /etc/default/cis-hardening ]; then . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi diff --git a/bin/hardening/5.3.4_acc_pam_sha512.sh b/bin/hardening/5.3.4_acc_pam_sha512.sh index 0752b6a..25a40ab 100755 --- a/bin/hardening/5.3.4_acc_pam_sha512.sh +++ b/bin/hardening/5.3.4_acc_pam_sha512.sh @@ -2,7 +2,7 @@ # run-shellcheck # -# OVH Security audit +# CIS Debian Hardening # # @@ -17,7 +17,6 @@ HARDENING_LEVEL=2 # shellcheck disable=2034 DESCRIPTION="Check that any password that may exist in /etc/shadow is SHA512 hashed and salted" - CONF_FILE="/etc/pam.d/common-password" CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*sha512" diff --git a/bin/hardening/5.4.1.5_last_password_change_past.sh b/bin/hardening/5.4.1.5_last_password_change_past.sh index 81289ee..1ada746 100755 --- a/bin/hardening/5.4.1.5_last_password_change_past.sh +++ b/bin/hardening/5.4.1.5_last_password_change_past.sh @@ -18,12 +18,12 @@ HARDENING_LEVEL=3 DESCRIPTION="Check that user last paswword change date is in the past." # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { : } # This function will be called if the script status is on enabled mode -apply () { +apply() { : } 
@@ -38,8 +38,8 @@ if [ -r /etc/default/cis-hardening ]; then . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi diff --git a/bin/hardening/5.4.5_default_timeout.sh b/bin/hardening/5.4.5_default_timeout.sh index dbec816..22eb036 100755 --- a/bin/hardening/5.4.5_default_timeout.sh +++ b/bin/hardening/5.4.5_default_timeout.sh @@ -18,12 +18,12 @@ HARDENING_LEVEL=3 DESCRIPTION="Configure the default user shell timeout." # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { : } # This function will be called if the script status is on enabled mode -apply () { +apply() { : } @@ -38,8 +38,8 @@ if [ -r /etc/default/cis-hardening ]; then . /etc/default/cis-hardening fi if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." exit 128 fi diff --git a/bin/hardening/6.1.8_etc_group-_permissions.sh b/bin/hardening/6.1.8_etc_group-_permissions.sh index 6de4f7c..8bcd4cb 100755 --- a/bin/hardening/6.1.8_etc_group-_permissions.sh +++ b/bin/hardening/6.1.8_etc_group-_permissions.sh @@ -6,7 +6,7 @@ # # -# 6.1.2 Ensure permissions on /etc/group- are configured (Scored) +# 6.1.8 Ensure permissions on /etc/group- are configured (Scored) # set -e # One error, it's over diff --git a/bin/hardening/6.1.9_etc_gshadow_permissions.sh b/bin/hardening/6.1.9_etc_gshadow_permissions.sh index e6b49f5..b1e7871 100755 
--- a/bin/hardening/6.1.9_etc_gshadow_permissions.sh +++ b/bin/hardening/6.1.9_etc_gshadow_permissions.sh @@ -6,7 +6,7 @@ # # -# 6.1.2 Ensure permissions on /etc/passwd are configured (Scored) +# 6.1.9 Ensure permissions on /etc/gshadow are configured (Scored) # set -e # One error, it's over diff --git a/bin/hardening/8.0_enable_auditd_kernel.sh b/bin/hardening/99.4.0_enable_auditd_kernel.sh similarity index 100% rename from bin/hardening/8.0_enable_auditd_kernel.sh rename to bin/hardening/99.4.0_enable_auditd_kernel.sh diff --git a/src/skel b/src/skel index 26ee66c..74dd5ba 100644 --- a/src/skel +++ b/src/skel @@ -13,12 +13,12 @@ set -e # One error, it's over set -u # One variable unset, it's over # This function will be called if the script status is on enabled / audit mode -audit () { +audit() { : } # This function will be called if the script status is on enabled mode -apply () { +apply() { : } diff --git a/tests/hardening/1.1.1.7_restrict_fat.sh b/tests/hardening/1.1.1.7_restrict_fat.sh index e342a1f..5195a49 100644 --- a/tests/hardening/1.1.1.7_restrict_fat.sh +++ b/tests/hardening/1.1.1.7_restrict_fat.sh @@ -17,4 +17,4 @@ test_audit() { # the apply function because it can't be automated or it is very # # long to test and not very useful. # ################################################################## -} \ No newline at end of file +} diff --git a/tests/hardening/1.1.23_disable_usb_storage.sh b/tests/hardening/1.1.23_disable_usb_storage.sh index dd89e0f..a5243cb 100644 --- a/tests/hardening/1.1.23_disable_usb_storage.sh +++ b/tests/hardening/1.1.23_disable_usb_storage.sh @@ -13,4 +13,4 @@ test_audit() { # the apply function because it can't be automated or it is very # # long to test and not very useful. # ################################################################## -} \ No newline at end of file +} 
diff --git a/tests/hardening/8.3.1_install_tripwire.sh b/tests/hardening/1.4.1_install_tripwire.sh similarity index 100% rename from tests/hardening/8.3.1_install_tripwire.sh rename to tests/hardening/1.4.1_install_tripwire.sh diff --git a/tests/hardening/8.3.2_tripwire_cron.sh b/tests/hardening/1.4.2_tripwire_cron.sh similarity index 100% rename from tests/hardening/8.3.2_tripwire_cron.sh rename to tests/hardening/1.4.2_tripwire_cron.sh diff --git a/tests/hardening/1.7.1.1_install_apparmor.sh b/tests/hardening/1.7.1.1_install_apparmor.sh index 837cad0..f85b20d 100644 --- a/tests/hardening/1.7.1.1_install_apparmor.sh +++ b/tests/hardening/1.7.1.1_install_apparmor.sh @@ -8,4 +8,4 @@ test_audit() { run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all # TODO fill comprehensive tests -} \ No newline at end of file +} diff --git a/tests/hardening/1.7.1.3_enforce_or_complain_apparmor.sh b/tests/hardening/1.7.1.3_enforce_or_complain_apparmor.sh index 837cad0..f85b20d 100644 --- a/tests/hardening/1.7.1.3_enforce_or_complain_apparmor.sh +++ b/tests/hardening/1.7.1.3_enforce_or_complain_apparmor.sh @@ -8,4 +8,4 @@ test_audit() { run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all # TODO fill comprehensive tests -} \ No newline at end of file +} diff --git a/tests/hardening/1.7.1.4_enforcing_apparmor.sh b/tests/hardening/1.7.1.4_enforcing_apparmor.sh index 837cad0..f85b20d 100644 --- a/tests/hardening/1.7.1.4_enforcing_apparmor.sh +++ b/tests/hardening/1.7.1.4_enforcing_apparmor.sh @@ -8,4 +8,4 @@ test_audit() { run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all # TODO fill comprehensive tests -} \ No newline at end of file +} diff --git a/tests/hardening/2.2.1.2_configure_systemd-timesyncd.sh b/tests/hardening/2.2.1.2_configure_systemd-timesyncd.sh index 837cad0..f85b20d 100644 --- a/tests/hardening/2.2.1.2_configure_systemd-timesyncd.sh +++ b/tests/hardening/2.2.1.2_configure_systemd-timesyncd.sh 
@@ -8,4 +8,4 @@ test_audit() {
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 # TODO fill comprehensive tests
-}
\ No newline at end of file
+}
diff --git a/tests/hardening/4.1.1.1_install_auditd.sh b/tests/hardening/4.1.1.1_install_auditd.sh
index 837cad0..f85b20d 100644
--- a/tests/hardening/4.1.1.1_install_auditd.sh
+++ b/tests/hardening/4.1.1.1_install_auditd.sh
@@ -8,4 +8,4 @@ test_audit() {
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 # TODO fill comprehensive tests
-}
\ No newline at end of file
+}
diff --git a/tests/hardening/4.2.2.1_journald_logs.sh b/tests/hardening/4.2.2.1_journald_logs.sh
index 837cad0..f85b20d 100644
--- a/tests/hardening/4.2.2.1_journald_logs.sh
+++ b/tests/hardening/4.2.2.1_journald_logs.sh
@@ -8,4 +8,4 @@ test_audit() {
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 # TODO fill comprehensive tests
-}
\ No newline at end of file
+}
diff --git a/tests/hardening/4.2.2.2_journald_compress.sh b/tests/hardening/4.2.2.2_journald_compress.sh
index 837cad0..f85b20d 100644
--- a/tests/hardening/4.2.2.2_journald_compress.sh
+++ b/tests/hardening/4.2.2.2_journald_compress.sh
@@ -8,4 +8,4 @@ test_audit() {
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 # TODO fill comprehensive tests
-}
\ No newline at end of file
+}
diff --git a/tests/hardening/4.2.2.3_journald_write_persistent.sh b/tests/hardening/4.2.2.3_journald_write_persistent.sh
index 837cad0..f85b20d 100644
--- a/tests/hardening/4.2.2.3_journald_write_persistent.sh
+++ b/tests/hardening/4.2.2.3_journald_write_persistent.sh
@@ -8,4 +8,4 @@ test_audit() {
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 # TODO fill comprehensive tests
-}
\ No newline at end of file
+}
diff --git a/tests/hardening/4.4_logrotate_permissions.sh b/tests/hardening/4.4_logrotate_permissions.sh
index 837cad0..f85b20d 100644
--- a/tests/hardening/4.4_logrotate_permissions.sh
+++ b/tests/hardening/4.4_logrotate_permissions.sh
@@ -8,4 +8,4 @@ test_audit() {
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 # TODO fill comprehensive tests
-}
\ No newline at end of file
+}
diff --git a/tests/hardening/5.2.20_enable_ssh_pam.sh b/tests/hardening/5.2.20_enable_ssh_pam.sh
index 837cad0..f85b20d 100644
--- a/tests/hardening/5.2.20_enable_ssh_pam.sh
+++ b/tests/hardening/5.2.20_enable_ssh_pam.sh
@@ -8,4 +8,4 @@ test_audit() {
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 # TODO fill comprehensive tests
-}
\ No newline at end of file
+}
diff --git a/tests/hardening/5.2.21_disable_ssh_allow_tcp_forwarding.sh b/tests/hardening/5.2.21_disable_ssh_allow_tcp_forwarding.sh
index 837cad0..f85b20d 100644
--- a/tests/hardening/5.2.21_disable_ssh_allow_tcp_forwarding.sh
+++ b/tests/hardening/5.2.21_disable_ssh_allow_tcp_forwarding.sh
@@ -8,4 +8,4 @@ test_audit() {
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 # TODO fill comprehensive tests
-}
\ No newline at end of file
+}
diff --git a/tests/hardening/5.2.22_configure_ssh_max_startups.sh b/tests/hardening/5.2.22_configure_ssh_max_startups.sh
index 837cad0..f85b20d 100644
--- a/tests/hardening/5.2.22_configure_ssh_max_startups.sh
+++ b/tests/hardening/5.2.22_configure_ssh_max_startups.sh
@@ -8,4 +8,4 @@ test_audit() {
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 # TODO fill comprehensive tests
-}
\ No newline at end of file
+}
diff --git a/tests/hardening/5.2.23_limit_ssh_max_sessions.sh b/tests/hardening/5.2.23_limit_ssh_max_sessions.sh
index 837cad0..f85b20d 100644
--- a/tests/hardening/5.2.23_limit_ssh_max_sessions.sh
+++ b/tests/hardening/5.2.23_limit_ssh_max_sessions.sh
@@ -8,4 +8,4 @@ test_audit() {
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 # TODO fill comprehensive tests
-}
\ No newline at end of file
+}
diff --git a/tests/hardening/5.4.1.5_last_password_change_past.sh b/tests/hardening/5.4.1.5_last_password_change_past.sh
index 837cad0..f85b20d 100644
--- a/tests/hardening/5.4.1.5_last_password_change_past.sh
+++ b/tests/hardening/5.4.1.5_last_password_change_past.sh
@@ -8,4 +8,4 @@ test_audit() {
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 # TODO fill comprehensive tests
-}
\ No newline at end of file
+}
diff --git a/tests/hardening/5.4.5_default_timeout.sh b/tests/hardening/5.4.5_default_timeout.sh
index 837cad0..f85b20d 100644
--- a/tests/hardening/5.4.5_default_timeout.sh
+++ b/tests/hardening/5.4.5_default_timeout.sh
@@ -8,4 +8,4 @@ test_audit() {
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 # TODO fill comprehensive tests
-}
\ No newline at end of file
+}
diff --git a/tests/hardening/8.0_enable_auditd_kernel.sh b/tests/hardening/99.4.0_enable_auditd_kernel.sh
similarity index 100%
rename from tests/hardening/8.0_enable_auditd_kernel.sh
rename to tests/hardening/99.4.0_enable_auditd_kernel.sh