Add commentaries, renum scripts

bin/hardening/1.1.1.1_disable_freevxfs.sh

@@ -17,6 +17,8 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of freevxfs filesystems."
 
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
 KERNEL_OPTION="CONFIG_VXFS_FS"
 MODULE_NAME="freevxfs"
 

bin/hardening/1.1.1.2_disable_jffs2.sh

@@ -17,6 +17,8 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of jffs2 filesystems."
 
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
 KERNEL_OPTION="CONFIG_JFFS2_FS"
 MODULE_NAME="jffs2"
 

bin/hardening/1.1.1.3_disable_hfs.sh

@@ -17,6 +17,8 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of hfs filesystems."
 
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
 KERNEL_OPTION="CONFIG_HFS_FS"
 MODULE_FILE="hfs"
 

bin/hardening/1.1.1.4_disable_hfsplus.sh

@@ -17,6 +17,8 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of hfsplus filesystems."
 
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
 KERNEL_OPTION="CONFIG_HFSPLUS_FS"
 MODULE_FILE="hfsplus"
 

bin/hardening/1.1.1.5_disable_squashfs.sh

@@ -17,6 +17,8 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of squashfs filesytems."
 
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
 KERNEL_OPTION="CONFIG_SQUASHFS"
 MODULE_FILE="squashfs"
 

bin/hardening/1.1.1.6_disable_udf.sh

@@ -17,6 +17,8 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of udf filesystems."
 
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
 KERNEL_OPTION="CONFIG_UDF_FS"
 MODULE_FILE="udf"
 

bin/hardening/1.1.1.7_restrict_fat.sh

@@ -17,6 +17,8 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Limit mounting of FAT filesystems."
 
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     :

bin/hardening/1.1.12_var_log_audit_partition.sh

@@ -1,5 +1,6 @@
 #!/bin/bash
 
+# run-shellcheck
 #
 # CIS Debian Hardening
 #

bin/hardening/1.1.23_disable_usb_storage.sh

@@ -17,6 +17,8 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable USB storage."
 
+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     :

bin/hardening/1.4.1_install_tripwire.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 8.3.1 Install tripwire package (Scored)
+# 1.4.1 Ensure tripwire is installed (Scored)
 #
 
 set -e # One error, it's over
@@ -17,7 +17,8 @@ HARDENING_LEVEL=4
 # shellcheck disable=2034
 DESCRIPTION="Ensure tripwire package is installed."
 
-# NB : in CIS, AIDE has been chosen, however we chose tripwire
+# Note : in CIS, AIDE has been chosen, however we chose tripwire
+
 PACKAGE='tripwire'
 
 # This function will be called if the script status is on enabled / audit mode

bin/hardening/1.4.2_tripwire_cron.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 8.3.2 Implement Periodic Execution of File Integrity (Scored)
+# 1.4.2 Ensure filesysteme integrity is regularly checked (Scored)
 #
 
 set -e # One error, it's over
@@ -17,6 +17,8 @@ HARDENING_LEVEL=4
 # shellcheck disable=2034
 DESCRIPTION="Implemet periodic execution of file integrity."
 
+# Note : in CIS, AIDE has been chosen, however we chose tripwire
+
 FILES="/etc/crontab"
 DIRECTORY="/etc/cron.d"
 PATTERN='tripwire --check'

bin/hardening/3.5.1.1_enable_firewall.sh

@@ -17,8 +17,9 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Ensure firewall is active (iptables is installed, does not check for its configuration)."
 
-# Quick note here : CIS recommends your iptables rules to be persistent.
+# Note: CIS recommends your iptables rules to be persistent.
 # Do as you want, but this script does not handle this
+# At OVH, we use iptables
 
 PACKAGE='iptables'
 

bin/hardening/4.2.1.1_install_syslog-ng.sh

@@ -17,7 +17,7 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Install syslog-ng to manage logs"
 
-# NB : in CIS, rsyslog has been chosen, however we chose syslog-ng
+# Note: in CIS, rsyslog has been chosen, however we chose syslog-ng
 PACKAGE='syslog-ng'
 
 # This function will be called if the script status is on enabled / audit mode

bin/hardening/4.2.1.4_syslog_ng_logfiles_perm.sh

@@ -12,13 +12,13 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
-# Note: this is not exacly the same check as the one described in CIS PDF
-
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Create and set permissions on syslog-ng logfiles."
 
+# Note: this is not exacly the same check as the one described in CIS PDF
+
 PERMISSIONS=''
 USER=''
 GROUP=''

bin/hardening/4.3_configure_logrotate.sh

@@ -1,5 +1,6 @@
 #!/bin/bash
 
+# run-shellcheck
 #
 # CIS Debian Hardening
 #

bin/hardening/5.3.4_acc_pam_sha512.sh

@@ -2,7 +2,7 @@
 
 # run-shellcheck
 #
-# OVH Security audit
+# CIS Debian Hardening
 #
 
 #
@@ -17,7 +17,6 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Check that any password that may exist in /etc/shadow is SHA512 hashed and salted"
 
-
 CONF_FILE="/etc/pam.d/common-password"
 CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*sha512"
 

bin/hardening/6.1.8_etc_group-_permissions.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 6.1.2 Ensure permissions on /etc/group- are configured (Scored)
+# 6.1.8 Ensure permissions on /etc/group- are configured (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/6.1.9_etc_gshadow_permissions.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 6.1.2 Ensure permissions on /etc/passwd are configured (Scored)
+# 6.1.9 Ensure permissions on /etc/gshadow are configured (Scored)
 #
 
 set -e # One error, it's over