mirror of
https://github.com/ovh/debian-cis.git
synced 2024-11-24 06:21:24 +01:00
Add commentaries, renum scripts
This commit is contained in:
parent
7f990b5e53
commit
87e242a42d
@ -17,6 +17,8 @@ HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Disable mounting of freevxfs filesystems."
|
||||
|
||||
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
|
||||
|
||||
KERNEL_OPTION="CONFIG_VXFS_FS"
|
||||
MODULE_NAME="freevxfs"
|
||||
|
||||
|
@ -17,6 +17,8 @@ HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Disable mounting of jffs2 filesystems."
|
||||
|
||||
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
|
||||
|
||||
KERNEL_OPTION="CONFIG_JFFS2_FS"
|
||||
MODULE_NAME="jffs2"
|
||||
|
||||
|
@ -17,6 +17,8 @@ HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Disable mounting of hfs filesystems."
|
||||
|
||||
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
|
||||
|
||||
KERNEL_OPTION="CONFIG_HFS_FS"
|
||||
MODULE_FILE="hfs"
|
||||
|
||||
|
@ -17,6 +17,8 @@ HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Disable mounting of hfsplus filesystems."
|
||||
|
||||
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
|
||||
|
||||
KERNEL_OPTION="CONFIG_HFSPLUS_FS"
|
||||
MODULE_FILE="hfsplus"
|
||||
|
||||
|
@ -17,6 +17,8 @@ HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Disable mounting of squashfs filesytems."
|
||||
|
||||
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
|
||||
|
||||
KERNEL_OPTION="CONFIG_SQUASHFS"
|
||||
MODULE_FILE="squashfs"
|
||||
|
||||
|
@ -17,6 +17,8 @@ HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Disable mounting of udf filesystems."
|
||||
|
||||
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
|
||||
|
||||
KERNEL_OPTION="CONFIG_UDF_FS"
|
||||
MODULE_FILE="udf"
|
||||
|
||||
|
@ -17,13 +17,15 @@ HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Limit mounting of FAT filesystems."
|
||||
|
||||
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
:
|
||||
}
|
||||
|
||||
|
@ -1,5 +1,6 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
@ -17,13 +17,15 @@ HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Disable USB storage."
|
||||
|
||||
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
:
|
||||
}
|
||||
|
||||
|
@ -6,7 +6,7 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 8.3.1 Install tripwire package (Scored)
|
||||
# 1.4.1 Ensure tripwire is installed (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
@ -17,7 +17,8 @@ HARDENING_LEVEL=4
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Ensure tripwire package is installed."
|
||||
|
||||
# NB : in CIS, AIDE has been chosen, however we chose tripwire
|
||||
# Note : in CIS, AIDE has been chosen, however we chose tripwire
|
||||
|
||||
PACKAGE='tripwire'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
@ -6,7 +6,7 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 8.3.2 Implement Periodic Execution of File Integrity (Scored)
|
||||
# 1.4.2 Ensure filesysteme integrity is regularly checked (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
@ -17,6 +17,8 @@ HARDENING_LEVEL=4
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Implemet periodic execution of file integrity."
|
||||
|
||||
# Note : in CIS, AIDE has been chosen, however we chose tripwire
|
||||
|
||||
FILES="/etc/crontab"
|
||||
DIRECTORY="/etc/cron.d"
|
||||
PATTERN='tripwire --check'
|
@ -18,12 +18,12 @@ HARDENING_LEVEL=3
|
||||
DESCRIPTION="Install AppArmor."
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
:
|
||||
}
|
||||
|
||||
|
@ -18,12 +18,12 @@ HARDENING_LEVEL=3
|
||||
DESCRIPTION="Enforce or complain AppArmor profiles."
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
:
|
||||
}
|
||||
|
||||
|
@ -18,12 +18,12 @@ HARDENING_LEVEL=3
|
||||
DESCRIPTION="Enforce Apparmor profiles."
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
:
|
||||
}
|
||||
|
||||
|
@ -18,12 +18,12 @@ HARDENING_LEVEL=3
|
||||
DESCRIPTION="Configure systemd-timesyncd."
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
:
|
||||
}
|
||||
|
||||
|
@ -17,8 +17,9 @@ HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Ensure firewall is active (iptables is installed, does not check for its configuration)."
|
||||
|
||||
# Quick note here : CIS recommends your iptables rules to be persistent.
|
||||
# Note: CIS recommends your iptables rules to be persistent.
|
||||
# Do as you want, but this script does not handle this
|
||||
# At OVH, we use iptables
|
||||
|
||||
PACKAGE='iptables'
|
||||
|
||||
|
@ -18,12 +18,12 @@ HARDENING_LEVEL=4
|
||||
DESCRIPTION="Install auditd."
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
:
|
||||
}
|
||||
|
||||
|
@ -18,12 +18,12 @@ HARDENING_LEVEL=4
|
||||
DESCRIPTION="Configure audit_backlog_limit to be sufficient."
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
:
|
||||
}
|
||||
|
||||
|
@ -17,7 +17,7 @@ HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Install syslog-ng to manage logs"
|
||||
|
||||
# NB : in CIS, rsyslog has been chosen, however we chose syslog-ng
|
||||
# Note: in CIS, rsyslog has been chosen, however we chose syslog-ng
|
||||
PACKAGE='syslog-ng'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
|
@ -12,13 +12,13 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Note: this is not exacly the same check as the one described in CIS PDF
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Create and set permissions on syslog-ng logfiles."
|
||||
|
||||
# Note: this is not exacly the same check as the one described in CIS PDF
|
||||
|
||||
PERMISSIONS=''
|
||||
USER=''
|
||||
GROUP=''
|
||||
|
@ -18,12 +18,12 @@ HARDENING_LEVEL=3
|
||||
DESCRIPTION="Configure journald to send logs to syslog-ng."
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
:
|
||||
}
|
||||
|
||||
|
@ -18,12 +18,12 @@ HARDENING_LEVEL=3
|
||||
DESCRIPTION="Configure journald to send logs to syslog-ng."
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
:
|
||||
}
|
||||
rsyslog
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
:
|
||||
}
|
||||
|
||||
|
@ -18,12 +18,12 @@ HARDENING_LEVEL=3
|
||||
DESCRIPTION="Configure journald to write to a persistent location."
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
:
|
||||
}
|
||||
|
||||
|
@ -1,5 +1,6 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
@ -18,12 +18,12 @@ HARDENING_LEVEL=3
|
||||
DESCRIPTION="Configure logrotate to assign appropriate permissions."
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
:
|
||||
}
|
||||
|
||||
|
@ -18,12 +18,12 @@ HARDENING_LEVEL=3
|
||||
DESCRIPTION="Enable SSH PAM."
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
:
|
||||
}
|
||||
|
||||
|
@ -18,12 +18,12 @@ HARDENING_LEVEL=3
|
||||
DESCRIPTION="Disable SSH AllowTCPForwarding."
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
:
|
||||
}
|
||||
|
||||
|
@ -18,12 +18,12 @@ HARDENING_LEVEL=3
|
||||
DESCRIPTION="Configure SSHMaxStartups."
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
:
|
||||
}
|
||||
|
||||
|
@ -18,12 +18,12 @@ HARDENING_LEVEL=3
|
||||
DESCRIPTION="Limit SSH MaxSessions."
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
:
|
||||
}
|
||||
|
||||
|
@ -2,7 +2,7 @@
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# OVH Security audit
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
|
||||
#
|
||||
@ -17,7 +17,6 @@ HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Check that any password that may exist in /etc/shadow is SHA512 hashed and salted"
|
||||
|
||||
|
||||
CONF_FILE="/etc/pam.d/common-password"
|
||||
CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*sha512"
|
||||
|
||||
|
@ -18,12 +18,12 @@ HARDENING_LEVEL=3
|
||||
DESCRIPTION="Check that user last paswword change date is in the past."
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
:
|
||||
}
|
||||
|
||||
|
@ -18,12 +18,12 @@ HARDENING_LEVEL=3
|
||||
DESCRIPTION="Configure the default user shell timeout."
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
:
|
||||
}
|
||||
|
||||
|
@ -6,7 +6,7 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 6.1.2 Ensure permissions on /etc/group- are configured (Scored)
|
||||
# 6.1.8 Ensure permissions on /etc/group- are configured (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
|
@ -6,7 +6,7 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 6.1.2 Ensure permissions on /etc/passwd are configured (Scored)
|
||||
# 6.1.9 Ensure permissions on /etc/gshadow are configured (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
|
4
src/skel
4
src/skel
@ -13,12 +13,12 @@ set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
audit() {
|
||||
:
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
apply() {
|
||||
:
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user