9.1.1_enable_cron.sh 9.1.2_crontab_perm_ownership.sh

2024-11-22 21:47:02 +01:00 · 2016-04-14 23:26:37 +02:00 · 2016-04-14 23:26:37 +02:00 · 9007ffdad1
commit 9007ffdad1
parent 6c9b2bbdd3
4 changed files with 159 additions and 0 deletions
--- a/bin/hardening/9.1.1_enable_cron.sh
+++ b/bin/hardening/9.1.1_enable_cron.sh
@ -0,0 +1,70 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
+#
+
+#
+# 9.1.1 Enable cron Daemon (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGE="cron"
+SERVICE_NAME="cron"
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    is_pkg_installed $PACKAGE
+    if [ $FNRET != 0 ]; then
+        crit "$PACKAGE is not installed !"
+    else
+        ok "$PACKAGE is installed"
+        is_service_enabled $SERVICE_NAME
+        if [ $FNRET = 0 ]; then
+            ok "$SERVICE_NAME is enabled"
+        else
+            crit "$SERVICE_NAME is disabled"
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    is_pkg_installed $PACKAGE
+    if [ $FNRET = 0 ]; then
+        ok "$PACKAGE is installed"
+    else
+        crit "$PACKAGE is absent, installing it"
+        apt_install $PACKAGE
+        is_service_enabled $SERVICE_NAME
+        if [ $FNRET != 0 ]; then
+            info "Enabling $SERVICE_NAME"
+            update-rc.d $SERVICE_NAME remove > /dev/null 2>&1
+            update-rc.d $SERVICE_NAME defaults > /dev/null 2>&1
+        else
+            ok "$SERVICE_NAME is enabled"
+        fi
+    fi 
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+    echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+    exit 128
+else
+    . /etc/default/cis-hardenning
+    if [ -z $CIS_ROOT_DIR ]; then
+        echo "No CIS_ROOT_DIR variable, aborting"
+    fi
+fi 
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
--- a/bin/hardening/9.1.2_crontab_perm_ownership.sh
+++ b/bin/hardening/9.1.2_crontab_perm_ownership.sh
@ -0,0 +1,85 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
+#
+
+#
+# 9.1.2 Set User/Group Owner and Permission on /etc/crontab (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/crontab'
+PERMISSIONS='600'
+USER='root'
+GROUP='root'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    has_file_correct_ownership $FILE $USER $GROUP
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct ownership"
+    else
+        crit "$FILE is not $USER:$GROUP ownership set"
+    fi
+    has_file_correct_permissions $FILE $PERMISSIONS
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct permissions"
+    else
+        crit "$FILE has not $PERMISSIONS permissions set"
+    fi 
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    does_file_exist $FILE
+    if [ $FNRET != 0 ]; then
+        info "$FILE does not exist"
+        touch $FILE
+    fi
+    has_file_correct_ownership $FILE $USER $GROUP
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct ownership"
+    else
+        warn "$FILE is not $USER:$GROUP ownership set"
+        chown $USER:$GROUP $FILE
+    fi
+    has_file_correct_permissions $FILE $PERMISSIONS
+    if [ $FNRET = 0 ]; then
+        ok "$FILE has correct permissions"
+    else
+        info "fixing $FILE permissions to $PERMISSIONS"
+        chmod 0$PERMISSIONS $FILE
+    fi
+}
+
+# This function will check config parameters required
+check_config() {
+    does_user_exist $USER
+    if [ $FNRET != 0 ]; then
+        crit "$USER does not exist"
+        exit 128
+    fi
+    does_group_exist $GROUP
+    if [ $FNRET != 0 ]; then
+        crit "$GROUP does not exist"
+        exit 128
+    fi
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+    echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+    exit 128
+else
+    . /etc/default/cis-hardenning
+    if [ -z $CIS_ROOT_DIR ]; then
+        echo "No CIS_ROOT_DIR variable, aborting"
+    fi
+fi 
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
--- a/etc/conf.d/9.1.1_enable_cron.cfg
+++ b/etc/conf.d/9.1.1_enable_cron.cfg
@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
--- a/etc/conf.d/9.1.2_crontab_perm_ownership.cfg
+++ b/etc/conf.d/9.1.2_crontab_perm_ownership.cfg
@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled