From 88e3a515ef6c70749ce729ba0907625f052b196f Mon Sep 17 00:00:00 2001
From: Thibault Ayanides
Date: Mon, 5 Oct 2020 17:26:13 +0200
Subject: [PATCH] 5.2.17_sshd_login_grace_time
---
 bin/hardening/1.3.1_install_aide.sh | 62 ----------
 bin/hardening/4.2.3_install_syslog-ng.sh | 2 +-
 bin/hardening/4.2.4_logs_permissions.sh | 2 +-
 bin/hardening/5.2.17_sshd_login_grace_time.sh | 106 ++++++++++++++++++
 ...2_ssh_host_private_keys_perm_ownership.sh} | 0
 ....3_ssh_host_public_keys_perm_ownership.sh} | 0
 debian/changelog | 11 ++
 ...ide.sh => 5.2.17_sshd_login_grace_time.sh} | 0
 ...2_ssh_host_private_keys_perm_ownership.sh} | 0
 ....3_ssh_host_public_keys_perm_ownership.sh} | 0
 10 files changed, 119 insertions(+), 64 deletions(-)
 delete mode 100755 bin/hardening/1.3.1_install_aide.sh
 create mode 100755 bin/hardening/5.2.17_sshd_login_grace_time.sh
 rename bin/hardening/{5.2.2_ssh_private_keys_perm_ownership.sh => 5.2.2_ssh_host_private_keys_perm_ownership.sh} (100%)
 rename bin/hardening/{5.2.3_ssh_public_keys_perm_ownership.sh => 5.2.3_ssh_host_public_keys_perm_ownership.sh} (100%)
 rename tests/hardening/{1.3.1_install_aide.sh => 5.2.17_sshd_login_grace_time.sh} (100%)
 rename tests/hardening/{5.2.2_ssh_private_keys_perm_ownership.sh => 5.2.2_ssh_host_private_keys_perm_ownership.sh} (100%)
 rename tests/hardening/{5.2.3_ssh_public_keys_perm_ownership.sh => 5.2.3_ssh_host_public_keys_perm_ownership.sh} (100%)
diff --git a/bin/hardening/1.3.1_install_aide.sh b/bin/hardening/1.3.1_install_aide.sh
deleted file mode 100755
index 36cffe4..0000000
--- a/bin/hardening/1.3.1_install_aide.sh
+++ /dev/null
@@ -1,62 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian Hardening
-#
-
-#
-# 1.3.1 Ensure AIDE is installed (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=3
-DESCRIPTION="Install AIDE which takes a snapshot of filesystem state (can help toi detect modification on the system)."
-
-PACKAGE='aide'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
- is_pkg_installed $PACKAGE
- if [ $FNRET != 0 ]; then
- crit "$PACKAGE is not installed!"
- else
- ok "$PACKAGE is installed"
- fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
- is_pkg_installed $PACKAGE
- if [ $FNRET = 0 ]; then
- ok "$PACKAGE is installed"
- else
- crit "$PACKAGE is absent, installing it"
- apt_install $PACKAGE
- fi
- aideinit
-}
-
-# This function will check config parameters required
-check_config() {
- :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
- . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
- exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
- . $CIS_ROOT_DIR/lib/main.sh
-else
- echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
- exit 128
-fi
\ No newline at end of file
diff --git a/bin/hardening/4.2.3_install_syslog-ng.sh b/bin/hardening/4.2.3_install_syslog-ng.sh
index bdf6466..66b80fe 100755
--- a/bin/hardening/4.2.3_install_syslog-ng.sh
+++ b/bin/hardening/4.2.3_install_syslog-ng.sh
@@ -5,7 +5,7 @@
 #
 #
-# 4.2.3 Ensure Syslo-ng is installed (Scored)
+# 4.2.3 Ensure Syslog-ng is installed (Scored)
 #
 set -e # One error, it's over
diff --git a/bin/hardening/4.2.4_logs_permissions.sh b/bin/hardening/4.2.4_logs_permissions.sh
index 1b9a7c8..3b5abc1 100755
--- a/bin/hardening/4.2.4_logs_permissions.sh
+++ b/bin/hardening/4.2.4_logs_permissions.sh
@@ -12,7 +12,7 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=2
-DESCRIPTION="Check permissions on logs (other has no permissions on any files andgroup does not have write or execute permissions on any file)"
+DESCRIPTION="Check permissions on logs (other has no permissions on any files and group does not have write or execute permissions on any file)"
 DIR='/var/log'
 PERMISSIONS='640'
diff --git a/bin/hardening/5.2.17_sshd_login_grace_time.sh b/bin/hardening/5.2.17_sshd_login_grace_time.sh
new file mode 100755
index 0000000..6bb4011
--- /dev/null
+++ b/bin/hardening/5.2.17_sshd_login_grace_time.sh
@@ -0,0 +1,106 @@
+#!/bin/bash
+
+#
+# CIS Debian Hardening
+#
+
+#
+# 5.2.17 Ensure SSH LoginGraceTime is set to one minute or less (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+DESCRIPTION="Set Login Grace Time for user login."
+
+PACKAGE='openssh-server'
+FILE='/etc/ssh/sshd_config'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ OPTIONS="LoginGraceTime=$SSHD_LOGIN_GRACE_TIME"
+ is_pkg_installed $PACKAGE
+ if [ $FNRET != 0 ]; then
+ crit "$PACKAGE is not installed!"
+ else
+ ok "$PACKAGE is installed"
+ for SSH_OPTION in $OPTIONS; do
+ SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+ SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+ PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ does_pattern_exist_in_file $FILE "$PATTERN"
+ if [ $FNRET = 0 ]; then
+ ok "$PATTERN is present in $FILE"
+ else
+ crit "$PATTERN is not present in $FILE"
+ fi
+ done
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ ok "$PACKAGE is installed"
+ else
+ crit "$PACKAGE is absent, installing it"
+ apt_install $PACKAGE
+ fi
+ for SSH_OPTION in $OPTIONS; do
+ SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+ SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+ PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ does_pattern_exist_in_file $FILE "$PATTERN"
+ if [ $FNRET = 0 ]; then
+ ok "$PATTERN is present in $FILE"
+ else
+ warn "$PATTERN is not present in $FILE, adding it"
+ does_pattern_exist_in_file $FILE "^$SSH_PARAM"
+ if [ $FNRET != 0 ]; then
+ add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+ else
+ info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
+ replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+ fi
+ /etc/init.d/ssh reload
+ fi
+ done
+}
+
+# This function will create the config file for this check with default values
+create_config() {
+ cat < Mon,
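Review bot: `apply()` loops over `$OPTIONS` but never assigns it; the only assignment is the first statement of `audit()`, and with `set -u` in force a run that reaches `apply` without `audit` having executed first in the same shell aborts on an unbound variable before sshd_config is touched (whether `lib/main.sh` always runs audit before apply is not visible here). Adding `OPTIONS="LoginGraceTime=$SSHD_LOGIN_GRACE_TIME"` as the first line of `apply()` removes that dependency. The audit regex `^$SSH_PARAM[[:space:]]*$SSH_VALUE` is an unanchored prefix match, so with a configured value of 60 an existing line `LoginGraceTime 600` is reported as compliant; `PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE[[:space:]]*$"` closes that gap, and note the check only confirms the configured value is present, not that it is one minute or less as the 5.2.17 title requires, unless `check_config` enforces it (the file from `create_config` onward is lost to extraction, so that cannot be confirmed). As a point of style, the unquoted `$FILE` and `$PACKAGE` arguments and the `echo $SSH_OPTION | cut -d= -f 1` subshells could be `"$FILE"`, `"$PACKAGE"`, `${SSH_OPTION%%=*}` and `${SSH_OPTION#*=}`.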
19 Oct 2020 16:31:48 +0200 + cis-hardening (1.3-3) unstable; urgency=medium * changelog: update changelog
diff --git a/tests/hardening/1.3.1_install_aide.sh b/tests/hardening/5.2.17_sshd_login_grace_time.sh
similarity index 100%
rename from tests/hardening/1.3.1_install_aide.sh
rename to tests/hardening/5.2.17_sshd_login_grace_time.sh
diff --git a/tests/hardening/5.2.2_ssh_private_keys_perm_ownership.sh b/tests/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh
similarity index 100%
rename from tests/hardening/5.2.2_ssh_private_keys_perm_ownership.sh
rename to tests/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh
diff --git a/tests/hardening/5.2.3_ssh_public_keys_perm_ownership.sh b/tests/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh
similarity index 100%
rename from tests/hardening/5.2.3_ssh_public_keys_perm_ownership.sh
rename to tests/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh