Add commentaries, renum scripts

2025-04-14 22:27:29 +02:00 · 2020-12-22 15:58:10 +01:00 · 2020-12-22 15:58:10 +01:00 · 87e242a42d
commit 87e242a42d
parent 7f990b5e53
57 changed files with 125 additions and 104 deletions
--- a/bin/hardening/1.1.1.1_disable_freevxfs.sh
+++ b/bin/hardening/1.1.1.1_disable_freevxfs.sh
@ -17,6 +17,8 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of freevxfs filesystems."

+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
 KERNEL_OPTION="CONFIG_VXFS_FS"
 MODULE_NAME="freevxfs"

--- a/bin/hardening/1.1.1.2_disable_jffs2.sh
+++ b/bin/hardening/1.1.1.2_disable_jffs2.sh
@ -17,6 +17,8 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of jffs2 filesystems."

+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
 KERNEL_OPTION="CONFIG_JFFS2_FS"
 MODULE_NAME="jffs2"

--- a/bin/hardening/1.1.1.3_disable_hfs.sh
+++ b/bin/hardening/1.1.1.3_disable_hfs.sh
@ -17,6 +17,8 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of hfs filesystems."

+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
 KERNEL_OPTION="CONFIG_HFS_FS"
 MODULE_FILE="hfs"

--- a/bin/hardening/1.1.1.4_disable_hfsplus.sh
+++ b/bin/hardening/1.1.1.4_disable_hfsplus.sh
@ -17,6 +17,8 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of hfsplus filesystems."

+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
 KERNEL_OPTION="CONFIG_HFSPLUS_FS"
 MODULE_FILE="hfsplus"

--- a/bin/hardening/1.1.1.5_disable_squashfs.sh
+++ b/bin/hardening/1.1.1.5_disable_squashfs.sh
@ -17,6 +17,8 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of squashfs filesytems."

+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
 KERNEL_OPTION="CONFIG_SQUASHFS"
 MODULE_FILE="squashfs"

--- a/bin/hardening/1.1.1.6_disable_udf.sh
+++ b/bin/hardening/1.1.1.6_disable_udf.sh
@ -17,6 +17,8 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable mounting of udf filesystems."

+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
 KERNEL_OPTION="CONFIG_UDF_FS"
 MODULE_FILE="udf"

--- a/bin/hardening/1.1.1.7_restrict_fat.sh
+++ b/bin/hardening/1.1.1.7_restrict_fat.sh
@ -17,13 +17,15 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Limit mounting of FAT filesystems."

+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    :
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    :
 }

--- a/bin/hardening/1.1.12_var_log_audit_partition.sh
+++ b/bin/hardening/1.1.12_var_log_audit_partition.sh
@ -1,5 +1,6 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #
--- a/bin/hardening/1.1.23_disable_usb_storage.sh
+++ b/bin/hardening/1.1.23_disable_usb_storage.sh
@ -17,13 +17,15 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Disable USB storage."

+# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
+
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    :
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    :
 }

--- a/bin/hardening/1.4.1_install_tripwire.sh
+++ b/bin/hardening/1.4.1_install_tripwire.sh
@ -6,7 +6,7 @@
 #

 #
-# 8.3.1 Install tripwire package (Scored)
+# 1.4.1 Ensure tripwire is installed (Scored)
 #

 set -e # One error, it's over
@ -17,7 +17,8 @@ HARDENING_LEVEL=4
 # shellcheck disable=2034
 DESCRIPTION="Ensure tripwire package is installed."

-# NB : in CIS, AIDE has been chosen, however we chose tripwire
+# Note : in CIS, AIDE has been chosen, however we chose tripwire
+
 PACKAGE='tripwire'

 # This function will be called if the script status is on enabled / audit mode
--- a/bin/hardening/1.4.2_tripwire_cron.sh
+++ b/bin/hardening/1.4.2_tripwire_cron.sh
@ -6,7 +6,7 @@
 #

 #
-# 8.3.2 Implement Periodic Execution of File Integrity (Scored)
+# 1.4.2 Ensure filesysteme integrity is regularly checked (Scored)
 #

 set -e # One error, it's over
@ -17,6 +17,8 @@ HARDENING_LEVEL=4
 # shellcheck disable=2034
 DESCRIPTION="Implemet periodic execution of file integrity."

+# Note : in CIS, AIDE has been chosen, however we chose tripwire
+
 FILES="/etc/crontab"
 DIRECTORY="/etc/cron.d"
 PATTERN='tripwire --check'
--- a/bin/hardening/1.7.1.1_install_apparmor.sh
+++ b/bin/hardening/1.7.1.1_install_apparmor.sh
@ -18,12 +18,12 @@ HARDENING_LEVEL=3
 DESCRIPTION="Install AppArmor."

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    :
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    :
 }

--- a/bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh
+++ b/bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh
@ -18,12 +18,12 @@ HARDENING_LEVEL=3
 DESCRIPTION="Enforce or complain AppArmor profiles."

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    :
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    :
 }

--- a/bin/hardening/1.7.1.4_enforcing_apparmor.sh
+++ b/bin/hardening/1.7.1.4_enforcing_apparmor.sh
@ -18,12 +18,12 @@ HARDENING_LEVEL=3
 DESCRIPTION="Enforce Apparmor profiles."

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    :
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    :
 }

--- a/bin/hardening/2.2.1.2_configure_systemd-timesyncd.sh
+++ b/bin/hardening/2.2.1.2_configure_systemd-timesyncd.sh
@ -18,12 +18,12 @@ HARDENING_LEVEL=3
 DESCRIPTION="Configure systemd-timesyncd."

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    :
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    :
 }

--- a/bin/hardening/3.5.1.1_enable_firewall.sh
+++ b/bin/hardening/3.5.1.1_enable_firewall.sh
@ -17,8 +17,9 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Ensure firewall is active (iptables is installed, does not check for its configuration)."

-# Quick note here : CIS recommends your iptables rules to be persistent.
+# Note: CIS recommends your iptables rules to be persistent.
 # Do as you want, but this script does not handle this
+# At OVH, we use iptables

 PACKAGE='iptables'

--- a/bin/hardening/4.1.1.1_install_auditd.sh
+++ b/bin/hardening/4.1.1.1_install_auditd.sh
@ -18,12 +18,12 @@ HARDENING_LEVEL=4
 DESCRIPTION="Install auditd."

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    :
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    :
 }

--- a/bin/hardening/4.1.1.4_audit_backlog_limit.sh
+++ b/bin/hardening/4.1.1.4_audit_backlog_limit.sh
@ -18,12 +18,12 @@ HARDENING_LEVEL=4
 DESCRIPTION="Configure audit_backlog_limit to be sufficient."

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    :
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    :
 }

--- a/bin/hardening/4.2.1.1_install_syslog-ng.sh
+++ b/bin/hardening/4.2.1.1_install_syslog-ng.sh
@ -17,7 +17,7 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Install syslog-ng to manage logs"

-# NB : in CIS, rsyslog has been chosen, however we chose syslog-ng
+# Note: in CIS, rsyslog has been chosen, however we chose syslog-ng
 PACKAGE='syslog-ng'

 # This function will be called if the script status is on enabled / audit mode
--- a/bin/hardening/4.2.1.4_syslog_ng_logfiles_perm.sh
+++ b/bin/hardening/4.2.1.4_syslog_ng_logfiles_perm.sh
@ -12,13 +12,13 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over

-# Note: this is not exacly the same check as the one described in CIS PDF
-
 # shellcheck disable=2034
 HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Create and set permissions on syslog-ng logfiles."

+# Note: this is not exacly the same check as the one described in CIS PDF
+
 PERMISSIONS=''
 USER=''
 GROUP=''
--- a/bin/hardening/4.2.2.1_journald_logs.sh
+++ b/bin/hardening/4.2.2.1_journald_logs.sh
@ -18,12 +18,12 @@ HARDENING_LEVEL=3
 DESCRIPTION="Configure journald to send logs to syslog-ng."

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    :
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    :
 }

--- a/bin/hardening/4.2.2.2_journald_compress.sh
+++ b/bin/hardening/4.2.2.2_journald_compress.sh
@ -18,12 +18,12 @@ HARDENING_LEVEL=3
 DESCRIPTION="Configure journald to send logs to syslog-ng."

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    :
 }
 rsyslog
 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    :
 }

--- a/bin/hardening/4.2.2.3_journald_write_persistent.sh
+++ b/bin/hardening/4.2.2.3_journald_write_persistent.sh
@ -18,12 +18,12 @@ HARDENING_LEVEL=3
 DESCRIPTION="Configure journald to write to a persistent location."

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    :
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    :
 }

--- a/bin/hardening/4.3_configure_logrotate.sh
+++ b/bin/hardening/4.3_configure_logrotate.sh
@ -1,5 +1,6 @@
 #!/bin/bash

+# run-shellcheck
 #
 # CIS Debian Hardening
 #
--- a/bin/hardening/4.4_logrotate_permissions.sh
+++ b/bin/hardening/4.4_logrotate_permissions.sh
@ -18,12 +18,12 @@ HARDENING_LEVEL=3
 DESCRIPTION="Configure logrotate to assign appropriate permissions."

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    :
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    :
 }

--- a/bin/hardening/5.2.20_enable_ssh_pam.sh
+++ b/bin/hardening/5.2.20_enable_ssh_pam.sh
@ -18,12 +18,12 @@ HARDENING_LEVEL=3
 DESCRIPTION="Enable SSH PAM."

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    :
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    :
 }

--- a/bin/hardening/5.2.21_disable_ssh_allow_tcp_forwarding.sh
+++ b/bin/hardening/5.2.21_disable_ssh_allow_tcp_forwarding.sh
@ -18,12 +18,12 @@ HARDENING_LEVEL=3
 DESCRIPTION="Disable SSH AllowTCPForwarding."

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    :
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    :
 }

--- a/bin/hardening/5.2.22_configure_ssh_max_startups.sh
+++ b/bin/hardening/5.2.22_configure_ssh_max_startups.sh
@ -18,12 +18,12 @@ HARDENING_LEVEL=3
 DESCRIPTION="Configure SSHMaxStartups."

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    :
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    :
 }

--- a/bin/hardening/5.2.23_limit_ssh_max_sessions.sh
+++ b/bin/hardening/5.2.23_limit_ssh_max_sessions.sh
@ -18,12 +18,12 @@ HARDENING_LEVEL=3
 DESCRIPTION="Limit SSH MaxSessions."

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    :
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    :
 }

--- a/bin/hardening/5.3.4_acc_pam_sha512.sh
+++ b/bin/hardening/5.3.4_acc_pam_sha512.sh
@ -2,7 +2,7 @@

 # run-shellcheck
 #
-# OVH Security audit
+# CIS Debian Hardening
 #

 #
@ -17,7 +17,6 @@ HARDENING_LEVEL=2
 # shellcheck disable=2034
 DESCRIPTION="Check that any password that may exist in /etc/shadow is SHA512 hashed and salted"

-
 CONF_FILE="/etc/pam.d/common-password"
 CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*sha512"

--- a/bin/hardening/5.4.1.5_last_password_change_past.sh
+++ b/bin/hardening/5.4.1.5_last_password_change_past.sh
@ -18,12 +18,12 @@ HARDENING_LEVEL=3
 DESCRIPTION="Check that user last paswword change date is in the past."

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    :
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    :
 }

--- a/bin/hardening/5.4.5_default_timeout.sh
+++ b/bin/hardening/5.4.5_default_timeout.sh
@ -18,12 +18,12 @@ HARDENING_LEVEL=3
 DESCRIPTION="Configure the default user shell timeout."

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    :
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    :
 }

--- a/bin/hardening/6.1.8_etc_group-_permissions.sh
+++ b/bin/hardening/6.1.8_etc_group-_permissions.sh
@ -6,7 +6,7 @@
 #

 #
-# 6.1.2 Ensure permissions on /etc/group- are configured (Scored)
+# 6.1.8 Ensure permissions on /etc/group- are configured (Scored)
 #

 set -e # One error, it's over
--- a/bin/hardening/6.1.9_etc_gshadow_permissions.sh
+++ b/bin/hardening/6.1.9_etc_gshadow_permissions.sh
@ -6,7 +6,7 @@
 #

 #
-# 6.1.2 Ensure permissions on /etc/passwd are configured (Scored)
+# 6.1.9 Ensure permissions on /etc/gshadow are configured (Scored)
 #

 set -e # One error, it's over
--- a/bin/hardening/99.4.0_enable_auditd_kernel.sh
+++ b/bin/hardening/99.4.0_enable_auditd_kernel.sh
--- a/src/skel
+++ b/src/skel
@ -13,12 +13,12 @@ set -e # One error, it's over
 set -u # One variable unset, it's over

 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit() {
    :
 }

 # This function will be called if the script status is on enabled mode
-apply () {
+apply() {
    :
 }

--- a/tests/hardening/1.4.1_install_tripwire.sh
+++ b/tests/hardening/1.4.1_install_tripwire.sh
--- a/tests/hardening/1.4.2_tripwire_cron.sh
+++ b/tests/hardening/1.4.2_tripwire_cron.sh
--- a/tests/hardening/99.4.0_enable_auditd_kernel.sh
+++ b/tests/hardening/99.4.0_enable_auditd_kernel.sh