From 9007ffdad166a7a0fb862d536949cda72e4020ff Mon Sep 17 00:00:00 2001 From: "thibault.dewailly" Date: Thu, 14 Apr 2016 23:26:37 +0200 Subject: [PATCH] 9.1.1_enable_cron.sh 9.1.2_crontab_perm_ownership.sh --- bin/hardening/9.1.1_enable_cron.sh | 70 +++++++++++++++ bin/hardening/9.1.2_crontab_perm_ownership.sh | 85 +++++++++++++++++++ etc/conf.d/9.1.1_enable_cron.cfg | 2 + etc/conf.d/9.1.2_crontab_perm_ownership.cfg | 2 + 4 files changed, 159 insertions(+) create mode 100755 bin/hardening/9.1.1_enable_cron.sh create mode 100755 bin/hardening/9.1.2_crontab_perm_ownership.sh create mode 100644 etc/conf.d/9.1.1_enable_cron.cfg create mode 100644 etc/conf.d/9.1.2_crontab_perm_ownership.cfg diff --git a/bin/hardening/9.1.1_enable_cron.sh b/bin/hardening/9.1.1_enable_cron.sh new file mode 100755 index 0000000..33eb86d --- /dev/null +++ b/bin/hardening/9.1.1_enable_cron.sh @@ -0,0 +1,70 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 9.1.1 Enable cron Daemon (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE="cron" +SERVICE_NAME="cron" + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + is_service_enabled $SERVICE_NAME + if [ $FNRET = 0 ]; then + ok "$SERVICE_NAME is enabled" + else + crit "$SERVICE_NAME is disabled" + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + is_service_enabled $SERVICE_NAME + if [ $FNRET != 0 ]; then + info "Enabling $SERVICE_NAME" + update-rc.d $SERVICE_NAME remove > /dev/null 2>&1 + update-rc.d $SERVICE_NAME defaults > /dev/null 2>&1 + else + ok "$SERVICE_NAME is enabled" + fi + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.1.2_crontab_perm_ownership.sh b/bin/hardening/9.1.2_crontab_perm_ownership.sh new file mode 100755 index 0000000..e378b56 --- /dev/null +++ b/bin/hardening/9.1.2_crontab_perm_ownership.sh @@ -0,0 +1,85 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 9.1.2 Set User/Group Owner and Permission on /etc/crontab (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE='/etc/crontab' +PERMISSIONS='600' +USER='root' +GROUP='root' + +# This function will be called if the script status is on enabled / audit mode +audit () { + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + crit "$FILE is not $USER:$GROUP ownership set" + fi + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + crit "$FILE has not $PERMISSIONS permissions set" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + info "$FILE does not exist" + touch $FILE + fi + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + warn "$FILE is not $USER:$GROUP ownership set" + chown $USER:$GROUP $FILE + fi + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + info "fixing $FILE permissions to $PERMISSIONS" + chmod 0$PERMISSIONS $FILE + fi +} + +# This function will check config parameters required +check_config() { + does_user_exist $USER + if [ $FNRET != 0 ]; then + crit "$USER does not exist" + exit 128 + fi + does_group_exist $GROUP + if [ $FNRET != 0 ]; then + crit "$GROUP does not exist" + exit 128 + fi +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/etc/conf.d/9.1.1_enable_cron.cfg b/etc/conf.d/9.1.1_enable_cron.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/9.1.1_enable_cron.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/9.1.2_crontab_perm_ownership.cfg b/etc/conf.d/9.1.2_crontab_perm_ownership.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/9.1.2_crontab_perm_ownership.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled