Add comments, renumber scripts

Thibault Ayanides 2020-12-22 15:58:10 +01:00
parent 7f990b5e53
commit 87e242a42d
57 changed files with 125 additions and 104 deletions


@ -17,6 +17,8 @@ HARDENING_LEVEL=2
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Disable mounting of freevxfs filesystems." DESCRIPTION="Disable mounting of freevxfs filesystems."
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
KERNEL_OPTION="CONFIG_VXFS_FS" KERNEL_OPTION="CONFIG_VXFS_FS"
MODULE_NAME="freevxfs" MODULE_NAME="freevxfs"
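Review bot: The added `# Note: we check /proc/config.gz ...` comment should say what happens when that file is absent: /proc/config.gz only exists on kernels built with CONFIG_IKCONFIG_PROC, and stock Debian kernels generally do not enable it, exposing the build configuration as /boot/config-$(uname -r) instead. If the helper that consumes `KERNEL_OPTION` and `MODULE_NAME` (outside this hunk) has no fallback, a monolithic kernel with the filesystem compiled out could be reported the same way as a modular kernel where the module is simply not loaded. Suggest `# Note: we check /proc/config.gz (requires CONFIG_IKCONFIG_PROC; fall back to /boot/config-$(uname -r)) to cover both monolithic and modular kernels`. The identical comment was added to the jffs2, hfs, hfsplus, squashfs and udf scripts in this commit and the same wording applies there.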


@ -17,6 +17,8 @@ HARDENING_LEVEL=2
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Disable mounting of jffs2 filesystems." DESCRIPTION="Disable mounting of jffs2 filesystems."
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
KERNEL_OPTION="CONFIG_JFFS2_FS" KERNEL_OPTION="CONFIG_JFFS2_FS"
MODULE_NAME="jffs2" MODULE_NAME="jffs2"


@ -17,6 +17,8 @@ HARDENING_LEVEL=2
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Disable mounting of hfs filesystems." DESCRIPTION="Disable mounting of hfs filesystems."
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
KERNEL_OPTION="CONFIG_HFS_FS" KERNEL_OPTION="CONFIG_HFS_FS"
MODULE_FILE="hfs" MODULE_FILE="hfs"
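Review bot: `MODULE_FILE="hfs"` on the last line of the hunk uses a different variable name from the freevxfs and jffs2 scripts in this commit, which declare `MODULE_NAME`; hfsplus, squashfs and udf follow the `MODULE_FILE` spelling. If each script's audit passes its own variable to the shared kernel-option helper this is only a naming inconsistency, but if that helper (or a later refactor) expects a single name, half of these filesystem checks would silently test nothing — the audit bodies are outside the hunk, so this cannot be confirmed here. Suggest settling on one name across the filesystem-module scripts, e.g. `MODULE_NAME="hfs"`, and adding a one-line comment naming the helper that reads it.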


@ -17,6 +17,8 @@ HARDENING_LEVEL=2
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Disable mounting of hfsplus filesystems." DESCRIPTION="Disable mounting of hfsplus filesystems."
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
KERNEL_OPTION="CONFIG_HFSPLUS_FS" KERNEL_OPTION="CONFIG_HFSPLUS_FS"
MODULE_FILE="hfsplus" MODULE_FILE="hfsplus"


@ -17,6 +17,8 @@ HARDENING_LEVEL=2
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Disable mounting of squashfs filesytems." DESCRIPTION="Disable mounting of squashfs filesytems."
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
KERNEL_OPTION="CONFIG_SQUASHFS" KERNEL_OPTION="CONFIG_SQUASHFS"
MODULE_FILE="squashfs" MODULE_FILE="squashfs"


@ -17,6 +17,8 @@ HARDENING_LEVEL=2
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Disable mounting of udf filesystems." DESCRIPTION="Disable mounting of udf filesystems."
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
KERNEL_OPTION="CONFIG_UDF_FS" KERNEL_OPTION="CONFIG_UDF_FS"
MODULE_FILE="udf" MODULE_FILE="udf"


@ -17,13 +17,15 @@ HARDENING_LEVEL=2
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Limit mounting of FAT filesystems." DESCRIPTION="Limit mounting of FAT filesystems."
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
: :
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
: :
} }
@ -38,8 +40,8 @@ if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
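Review bot: The `# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels` line added at the top of the first hunk describes a check this script does not perform: both `audit()` and `apply()` consist solely of `:`, so an enabled run neither inspects nor changes anything about FAT mounting, and a reader of the comment would assume otherwise. Mark the state honestly until the bodies exist, e.g. `# TODO: audit/apply are not implemented yet; the intended check reads /proc/config.gz (or /boot/config-$(uname -r)) for the FAT kernel option and module`. The rest of the hunk is formatting only (`audit () {` to `audit() {`, re-indented echo lines) and needs no change.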


@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #


@ -17,13 +17,15 @@ HARDENING_LEVEL=2
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Disable USB storage." DESCRIPTION="Disable USB storage."
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
: :
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
: :
} }
@ -38,8 +40,8 @@ if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
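Review bot: The `# Note: we check /proc/config.gz ...` comment added in the first hunk sits directly above an `audit()` and an `apply()` that are both bare `:` stubs, so the script documents a USB-storage check that it does not actually carry out. A pending-work marker is more accurate, e.g. `# TODO: not implemented; the check should read /proc/config.gz (or /boot/config-$(uname -r)) for the USB storage kernel option and module`. The second hunk is whitespace-only and is fine as is.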


@ -6,7 +6,7 @@
# #
# #
# 8.3.1 Install tripwire package (Scored) # 1.4.1 Ensure tripwire is installed (Scored)
# #
set -e # One error, it's over set -e # One error, it's over
@ -17,7 +17,8 @@ HARDENING_LEVEL=4
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Ensure tripwire package is installed." DESCRIPTION="Ensure tripwire package is installed."
# NB : in CIS, AIDE has been chosen, however we chose tripwire # Note : in CIS, AIDE has been chosen, however we chose tripwire
PACKAGE='tripwire' PACKAGE='tripwire'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode


@ -6,7 +6,7 @@
# #
# #
# 8.3.2 Implement Periodic Execution of File Integrity (Scored) # 1.4.2 Ensure filesysteme integrity is regularly checked (Scored)
# #
set -e # One error, it's over set -e # One error, it's over
@ -17,6 +17,8 @@ HARDENING_LEVEL=4
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Implemet periodic execution of file integrity." DESCRIPTION="Implemet periodic execution of file integrity."
# Note : in CIS, AIDE has been chosen, however we chose tripwire
FILES="/etc/crontab" FILES="/etc/crontab"
DIRECTORY="/etc/cron.d" DIRECTORY="/etc/cron.d"
PATTERN='tripwire --check' PATTERN='tripwire --check'
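Review bot: The renumbered header `# 1.4.2 Ensure filesysteme integrity is regularly checked (Scored)` introduces a typo and should read `# 1.4.2 Ensure filesystem integrity is regularly checked (Scored)`. The context line `DESCRIPTION="Implemet periodic execution of file integrity."` carries a pre-existing typo that is shown to operators in audit output; `DESCRIPTION="Implement periodic execution of file integrity."` could be fixed in the same pass. Since the search is limited to `FILES="/etc/crontab"`, `DIRECTORY="/etc/cron.d"` and `PATTERN='tripwire --check'`, the new note about tripwire replacing AIDE might also warn that a `/etc/cron.daily` script or a systemd timer would not be recognised, assuming the audit (outside this hunk) searches only those locations.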


@ -18,12 +18,12 @@ HARDENING_LEVEL=3
DESCRIPTION="Install AppArmor." DESCRIPTION="Install AppArmor."
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
: :
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
: :
} }
@ -38,8 +38,8 @@ if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi


@ -18,12 +18,12 @@ HARDENING_LEVEL=3
DESCRIPTION="Enforce or complain AppArmor profiles." DESCRIPTION="Enforce or complain AppArmor profiles."
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
: :
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
: :
} }
@ -38,8 +38,8 @@ if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi


@ -18,12 +18,12 @@ HARDENING_LEVEL=3
DESCRIPTION="Enforce Apparmor profiles." DESCRIPTION="Enforce Apparmor profiles."
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
: :
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
: :
} }
@ -38,8 +38,8 @@ if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi


@ -18,12 +18,12 @@ HARDENING_LEVEL=3
DESCRIPTION="Configure systemd-timesyncd." DESCRIPTION="Configure systemd-timesyncd."
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
: :
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
: :
} }
@ -38,8 +38,8 @@ if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi


@ -24,7 +24,7 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
: :
} }
# This function will check config parameters required # This function will check config parameters required


@ -17,8 +17,9 @@ HARDENING_LEVEL=2
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Ensure firewall is active (iptables is installed, does not check for its configuration)." DESCRIPTION="Ensure firewall is active (iptables is installed, does not check for its configuration)."
# Quick note here : CIS recommends your iptables rules to be persistent. # Note: CIS recommends your iptables rules to be persistent.
# Do as you want, but this script does not handle this # Do as you want, but this script does not handle this
# At OVH, we use iptables
PACKAGE='iptables' PACKAGE='iptables'
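Review bot: `DESCRIPTION` still states that the script ensures the firewall is active, while the only input the hunk defines is `PACKAGE='iptables'`, so a host with the package installed and an empty or default-ACCEPT ruleset would pass; the new `# At OVH, we use iptables` line does not close that gap. Make the caveat explicit where an operator will read it, e.g. `# Note: only package presence is checked; an empty ruleset still passes, and CIS additionally expects the rules to be persistent (not handled here).` The audit body is outside the hunk, so whether it does anything beyond the package check cannot be confirmed from this page.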


@ -18,12 +18,12 @@ HARDENING_LEVEL=4
DESCRIPTION="Install auditd." DESCRIPTION="Install auditd."
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
: :
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
: :
} }
@ -38,8 +38,8 @@ if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi


@ -18,12 +18,12 @@ HARDENING_LEVEL=4
DESCRIPTION="Configure audit_backlog_limit to be sufficient." DESCRIPTION="Configure audit_backlog_limit to be sufficient."
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
: :
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
: :
} }
@ -38,8 +38,8 @@ if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi


@ -17,7 +17,7 @@ HARDENING_LEVEL=3
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Install syslog-ng to manage logs" DESCRIPTION="Install syslog-ng to manage logs"
# NB : in CIS, rsyslog has been chosen, however we chose syslog-ng # Note: in CIS, rsyslog has been chosen, however we chose syslog-ng
PACKAGE='syslog-ng' PACKAGE='syslog-ng'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode


@ -12,13 +12,13 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# Note: this is not exacly the same check as the one described in CIS PDF
# shellcheck disable=2034 # shellcheck disable=2034
HARDENING_LEVEL=3 HARDENING_LEVEL=3
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Create and set permissions on syslog-ng logfiles." DESCRIPTION="Create and set permissions on syslog-ng logfiles."
# Note: this is not exacly the same check as the one described in CIS PDF
PERMISSIONS='' PERMISSIONS=''
USER='' USER=''
GROUP='' GROUP=''
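Review bot: The relocated `# Note: this is not exacly the same check as the one described in CIS PDF` keeps its typo (`exactly`) and, more importantly, still does not say how the check differs from the benchmark, which is the one thing a reader comparing against the PDF needs. Suggest `# Note: this check differs from the CIS PDF: <state the difference, e.g. which files or permission bits are compared>`. `PERMISSIONS`, `USER` and `GROUP` are all empty strings at this point; presumably they are filled in from configuration further down or by the framework — a one-line comment naming where would help, since as written they look like a missing default.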


@ -18,12 +18,12 @@ HARDENING_LEVEL=3
DESCRIPTION="Configure journald to send logs to syslog-ng." DESCRIPTION="Configure journald to send logs to syslog-ng."
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
: :
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
: :
} }
@ -38,8 +38,8 @@ if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi


@ -18,12 +18,12 @@ HARDENING_LEVEL=3
DESCRIPTION="Configure journald to send logs to syslog-ng." DESCRIPTION="Configure journald to send logs to syslog-ng."
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
: :
} }
rsyslog rsyslog
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
: :
} }
@ -38,8 +38,8 @@ if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi
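Review bot: The bare word `rsyslog` standing at top level between the closing brace of `audit()` and the `apply()` comment is executed as a command whenever the script runs; with the `set -e` the sibling scripts use (outside this hunk) it would abort with a command-not-found error, or run whatever `rsyslog` happens to resolve to on the host. It appears on both sides, so the commit did not introduce it, but it survives the reformat and should simply be deleted. Separately, `DESCRIPTION="Configure journald to send logs to syslog-ng."` duplicates the description of the preceding script in this commit; given the stray word, this script was probably meant to target rsyslog, so the description should be corrected to match what the script actually configures.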


@ -18,12 +18,12 @@ HARDENING_LEVEL=3
DESCRIPTION="Configure journald to write to a persistent location." DESCRIPTION="Configure journald to write to a persistent location."
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
: :
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
: :
} }
@ -38,8 +38,8 @@ if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi


@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #


@ -18,12 +18,12 @@ HARDENING_LEVEL=3
DESCRIPTION="Configure logrotate to assign appropriate permissions." DESCRIPTION="Configure logrotate to assign appropriate permissions."
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
: :
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
: :
} }
@ -38,8 +38,8 @@ if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi


@ -18,12 +18,12 @@ HARDENING_LEVEL=3
DESCRIPTION="Enable SSH PAM." DESCRIPTION="Enable SSH PAM."
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
: :
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
: :
} }
@ -38,8 +38,8 @@ if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi


@ -18,12 +18,12 @@ HARDENING_LEVEL=3
DESCRIPTION="Disable SSH AllowTCPForwarding." DESCRIPTION="Disable SSH AllowTCPForwarding."
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
: :
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
: :
} }
@ -38,8 +38,8 @@ if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi


@ -18,12 +18,12 @@ HARDENING_LEVEL=3
DESCRIPTION="Configure SSHMaxStartups." DESCRIPTION="Configure SSHMaxStartups."
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
: :
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
: :
} }
@ -38,8 +38,8 @@ if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi


@ -18,12 +18,12 @@ HARDENING_LEVEL=3
DESCRIPTION="Limit SSH MaxSessions." DESCRIPTION="Limit SSH MaxSessions."
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
: :
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
: :
} }
@ -38,8 +38,8 @@ if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi


@ -2,7 +2,7 @@
# run-shellcheck # run-shellcheck
# #
# OVH Security audit # CIS Debian Hardening
# #
# #
@ -17,7 +17,6 @@ HARDENING_LEVEL=2
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Check that any password that may exist in /etc/shadow is SHA512 hashed and salted" DESCRIPTION="Check that any password that may exist in /etc/shadow is SHA512 hashed and salted"
CONF_FILE="/etc/pam.d/common-password" CONF_FILE="/etc/pam.d/common-password"
CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*sha512" CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*sha512"
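Review bot: `DESCRIPTION` promises that any password hash in /etc/shadow is SHA-512 and salted, but the check defined by `CONF_FILE` and `CONF_LINE` only verifies that the `pam_unix.so` password line in /etc/pam.d/common-password carries `sha512`; hashes created before that setting was in place (for example `$1$` MD5 or `$5$` SHA-256 entries) are never examined and would pass. Either narrow the description to what is checked, or have the audit (outside this hunk) also run something like `awk -F: '$2 ~ /^\$/ && $2 !~ /^\$6\$/ {print $1}' /etc/shadow` and fail on any account it prints (adjust if yescrypt `$y$` hashes are acceptable). The pattern `^\s*password\s.+\s+pam_unix\.so\s+.*sha512` relies on `\s`, which is a GNU grep extension, so it is worth a comment if the script is meant to be portable.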


@ -18,12 +18,12 @@ HARDENING_LEVEL=3
DESCRIPTION="Check that user last paswword change date is in the past." DESCRIPTION="Check that user last paswword change date is in the past."
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
: :
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
: :
} }
@ -38,8 +38,8 @@ if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi


@ -18,12 +18,12 @@ HARDENING_LEVEL=3
DESCRIPTION="Configure the default user shell timeout." DESCRIPTION="Configure the default user shell timeout."
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
: :
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
: :
} }
@ -38,8 +38,8 @@ if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening . /etc/default/cis-hardening
fi fi
if [ -z "$CIS_ROOT_DIR" ]; then if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting." echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128 exit 128
fi fi


@ -6,7 +6,7 @@
# #
# #
# 6.1.2 Ensure permissions on /etc/group- are configured (Scored) # 6.1.8 Ensure permissions on /etc/group- are configured (Scored)
# #
set -e # One error, it's over set -e # One error, it's over


@ -6,7 +6,7 @@
# #
# #
# 6.1.2 Ensure permissions on /etc/passwd are configured (Scored) # 6.1.9 Ensure permissions on /etc/gshadow are configured (Scored)
# #
set -e # One error, it's over set -e # One error, it's over


@ -13,12 +13,12 @@ set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit() {
: :
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply() {
: :
} }