From 9451842e844df917dc2c5e4a17c28f3e134609b2 Mon Sep 17 00:00:00 2001 
From: "thibault.dewailly" Date: Fri, 15 Apr 2016 14:24:45 +0200 Subject: [PATCH] 9.2.1_enable_cracklib.sh 9.2.2_enable_lockout_failed_password.sh 9.2.3_limit_password_reuse.sh 9.3.10_disable_sshd_setenv.sh 9.3.11_sshd_ciphers.sh 9.3.12_sshd_idle_timeout.sh 9.3.13_sshd_limit_access.sh 9.3.14_ssh_banner.sh 9.3.2_sshd_loglevel.sh 9.3.1_sshd_protocol.sh 9.3.3_sshd_conf_perm_ownership.sh 9.3.4_disable_x11_forwarding.sh 9.3.5_sshd_maxauthtries.sh 9.3.6_enable_sshd_ignorerhosts.sh 9.3.7_disable_sshd_hostbasedauthentication.sh 9.3.8_disable_root_login.sh 9.3.9_disable_sshd_permitemptypasswords.sh --- bin/hardening/9.1.7_cron_d_perm_ownership.sh | 2 +- bin/hardening/9.2.1_enable_cracklib.sh | 70 ++++++++++++ .../9.2.2_enable_lockout_failed_password.sh | 70 ++++++++++++ bin/hardening/9.2.3_limit_password_reuse.sh | 70 ++++++++++++ bin/hardening/9.3.10_disable_sshd_setenv.sh | 87 +++++++++++++++ bin/hardening/9.3.11_sshd_ciphers.sh | 87 +++++++++++++++ bin/hardening/9.3.12_sshd_idle_timeout.sh | 90 +++++++++++++++ bin/hardening/9.3.13_sshd_limit_access.sh | 104 ++++++++++++++++++ bin/hardening/9.3.14_ssh_banner.sh | 88 +++++++++++++++ bin/hardening/9.3.1_sshd_protocol.sh | 87 +++++++++++++++ bin/hardening/9.3.2_sshd_loglevel.sh | 87 +++++++++++++++ .../9.3.3_sshd_conf_perm_ownership.sh | 85 ++++++++++++++ bin/hardening/9.3.4_disable_x11_forwarding.sh | 87 +++++++++++++++ bin/hardening/9.3.5_sshd_maxauthtries.sh | 87 +++++++++++++++ .../9.3.6_enable_sshd_ignorerhosts.sh | 87 +++++++++++++++ ....7_disable_sshd_hostbasedauthentication.sh | 87 +++++++++++++++ bin/hardening/9.3.8_disable_root_login.sh | 87 +++++++++++++++ ...9.3.9_disable_sshd_permitemptypasswords.sh | 87 +++++++++++++++ etc/conf.d/9.2.1_enable_cracklib.cfg | 2 + .../9.2.2_enable_lockout_failed_password.cfg | 2 + etc/conf.d/9.2.3_limit_password_reuse.cfg | 2 + etc/conf.d/9.3.10_disable_sshd_setenv.cfg | 2 + etc/conf.d/9.3.11_sshd_ciphers.cfg | 2 + etc/conf.d/9.3.12_sshd_idle_timeout.cfg | 5 + 
etc/conf.d/9.3.13_sshd_limit_access.cfg | 9 ++ etc/conf.d/9.3.14_ssh_banner.cfg | 4 + etc/conf.d/9.3.1_sshd_protocol.cfg | 2 + etc/conf.d/9.3.2_sshd_loglevel.cfg | 2 + etc/conf.d/9.3.3_sshd_conf_perm_ownership.cfg | 2 + etc/conf.d/9.3.4_disable_x11_forwarding.cfg | 2 + etc/conf.d/9.3.5_sshd_maxauthtries.cfg | 2 + etc/conf.d/9.3.6_enable_sshd_ignorerhosts.cfg | 2 + ...7_disable_sshd_hostbasedauthentication.cfg | 2 + etc/conf.d/9.3.8_disable_root_login.cfg | 2 + ....3.9_disable_sshd_permitemptypasswords.cfg | 2 + lib/utils.sh | 4 +- 36 files changed, 1496 insertions(+), 3 deletions(-) create mode 100755 bin/hardening/9.2.1_enable_cracklib.sh create mode 100755 bin/hardening/9.2.2_enable_lockout_failed_password.sh create mode 100755 bin/hardening/9.2.3_limit_password_reuse.sh create mode 100755 bin/hardening/9.3.10_disable_sshd_setenv.sh create mode 100755 bin/hardening/9.3.11_sshd_ciphers.sh create mode 100755 bin/hardening/9.3.12_sshd_idle_timeout.sh create mode 100755 bin/hardening/9.3.13_sshd_limit_access.sh create mode 100755 bin/hardening/9.3.14_ssh_banner.sh create mode 100755 bin/hardening/9.3.1_sshd_protocol.sh create mode 100755 bin/hardening/9.3.2_sshd_loglevel.sh create mode 100755 bin/hardening/9.3.3_sshd_conf_perm_ownership.sh create mode 100755 bin/hardening/9.3.4_disable_x11_forwarding.sh create mode 100755 bin/hardening/9.3.5_sshd_maxauthtries.sh create mode 100755 bin/hardening/9.3.6_enable_sshd_ignorerhosts.sh create mode 100755 bin/hardening/9.3.7_disable_sshd_hostbasedauthentication.sh create mode 100755 bin/hardening/9.3.8_disable_root_login.sh create mode 100755 bin/hardening/9.3.9_disable_sshd_permitemptypasswords.sh create mode 100644 etc/conf.d/9.2.1_enable_cracklib.cfg create mode 100644 etc/conf.d/9.2.2_enable_lockout_failed_password.cfg create mode 100644 etc/conf.d/9.2.3_limit_password_reuse.cfg create mode 100644 etc/conf.d/9.3.10_disable_sshd_setenv.cfg create mode 100644 etc/conf.d/9.3.11_sshd_ciphers.cfg create mode 100644 
etc/conf.d/9.3.12_sshd_idle_timeout.cfg
create mode 100644 etc/conf.d/9.3.13_sshd_limit_access.cfg
create mode 100644 etc/conf.d/9.3.14_ssh_banner.cfg
create mode 100644 etc/conf.d/9.3.1_sshd_protocol.cfg
create mode 100644 etc/conf.d/9.3.2_sshd_loglevel.cfg
create mode 100644 etc/conf.d/9.3.3_sshd_conf_perm_ownership.cfg
create mode 100644 etc/conf.d/9.3.4_disable_x11_forwarding.cfg
create mode 100644 etc/conf.d/9.3.5_sshd_maxauthtries.cfg
create mode 100644 etc/conf.d/9.3.6_enable_sshd_ignorerhosts.cfg
create mode 100644 etc/conf.d/9.3.7_disable_sshd_hostbasedauthentication.cfg
create mode 100644 etc/conf.d/9.3.8_disable_root_login.cfg
create mode 100644 etc/conf.d/9.3.9_disable_sshd_permitemptypasswords.cfg
diff --git a/bin/hardening/9.1.7_cron_d_perm_ownership.sh b/bin/hardening/9.1.7_cron_d_perm_ownership.sh
index 4ce1da7..2d1399c 100755
--- a/bin/hardening/9.1.7_cron_d_perm_ownership.sh
+++ b/bin/hardening/9.1.7_cron_d_perm_ownership.sh
@@ -6,7 +6,7 @@
 #
 
 #
-# 9.1.2 Set User/Group Owner and Permission on /etc/crontab (Scored)
+# 9.1.7 Set User/Group Owner and Permission on /etc/cron.d (Scored)
 #
 
 set -e # One error, it's over
diff --git a/bin/hardening/9.2.1_enable_cracklib.sh b/bin/hardening/9.2.1_enable_cracklib.sh
new file mode 100755
index 0000000..464305d
--- /dev/null
+++ b/bin/hardening/9.2.1_enable_cracklib.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 9.2.1 Set Password Creation Requirement Parameters Using pam_cracklib (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGE='libpam-cracklib'
+PATTERN='^password.*pam_cracklib.so'
+FILE='/etc/pam.d/common-password'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET != 0 ]; then
+ crit "$PACKAGE is not installed !"
+ else
+ ok "$PACKAGE is installed"
+ does_pattern_exists_in_file $FILE $PATTERN
+ if [ $FNRET = 0 ]; then
+ ok "$PATTERN is present in $FILE"
+ else
+ crit "$PATTERN is not present in $FILE"
+ fi
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ ok "$PACKAGE is installed"
+ else
+ crit "$PACKAGE is absent, installing it"
+ apt_install $PACKAGE
+ fi
+ does_pattern_exists_in_file $FILE $PATTERN
+ if [ $FNRET = 0 ]; then
+ ok "$PATTERN is present in $FILE"
+ else
+ crit "$PATTERN is not present in $FILE"
+ add_line_file_before_pattern $FILE "password requisite pam_cracklib.so retry=3 minlen=8 difok=3" "# pam-auth-update(8) for details."
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
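Review bot: The CIS_ROOT_DIR guard at the bottom prints `No CIS_ROOT_DIR variable, aborting` but does not abort: with the variable set to an empty string the script falls through to `[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh` and would source `/lib/main.sh` if such a file existed. Add `exit 128` after the echo, as the `! -r` branch just above already does, and quote the test as `if [ -z "$CIS_ROOT_DIR" ]; then`. Every new script in this commit (9.2.2, 9.2.3 and all of 9.3.x) copies the same trailer block, so the fix belongs in each of them. Separately, `does_pattern_exists_in_file $FILE $PATTERN` passes the pattern unquoted, so `^password.*pam_cracklib.so` goes through pathname expansion before the helper sees it; the 9.3.x scripts already pass `"$PATTERN"` quoted and the three 9.2.x scripts should do the same.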
diff --git a/bin/hardening/9.2.2_enable_lockout_failed_password.sh b/bin/hardening/9.2.2_enable_lockout_failed_password.sh
new file mode 100755
index 0000000..6215780
--- /dev/null
+++ b/bin/hardening/9.2.2_enable_lockout_failed_password.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 9.2.2 Set Lockout for Failed Password Attempts (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGE='libpam-modules-bin'
+PATTERN='^auth[[:space:]]*required[[:space:]]*pam_tally[2]?.so'
+FILE='/etc/pam.d/login'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET != 0 ]; then
+ crit "$PACKAGE is not installed !"
+ else
+ ok "$PACKAGE is installed"
+ does_pattern_exists_in_file $FILE $PATTERN
+ if [ $FNRET = 0 ]; then
+ ok "$PATTERN is present in $FILE"
+ else
+ crit "$PATTERN is not present in $FILE"
+ fi
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ ok "$PACKAGE is installed"
+ else
+ crit "$PACKAGE is absent, installing it"
+ apt_install $PACKAGE
+ fi
+ does_pattern_exists_in_file $FILE $PATTERN
+ if [ $FNRET = 0 ]; then
+ ok "$PATTERN is present in $FILE"
+ else
+ crit "$PATTERN is not present in $FILE"
+ add_line_file_before_pattern $FILE "auth required pam_tally.so onerr=fail deny=6 unlock_time=1800" "# Uncomment and edit \/etc\/security\/time.conf if you need to set"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
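Review bot: The audit pattern accepts `pam_tally[2]?.so` but apply inserts `pam_tally.so`, so a host remediated by this script and a host already using pam_tally2 both pass audit while enforcing different modules with different counter files; as far as I recall the CIS Debian 7 text for 9.2.2 names pam_tally2, so the inserted line should probably be `auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900`, with deny/unlock_time taken from the cfg file the way 9.3.12 reads SSHD_TIMEOUT — confirm against the benchmark. The line is only inserted into `/etc/pam.d/login`, which governs console logins; on Debian, services whose PAM stack goes through `common-auth` (sshd among them) are not counted by it, so a header comment stating that scope would stop operators from assuming SSH password guessing is throttled by this control. The anchor comment is passed with escaped slashes (`\/etc\/security\/time.conf`) whereas 9.2.1 passes its anchor unescaped; whichever form add_line_file_before_pattern expects (defined in lib/utils.sh, outside this hunk), the two scripts should agree.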
diff --git a/bin/hardening/9.2.3_limit_password_reuse.sh b/bin/hardening/9.2.3_limit_password_reuse.sh
new file mode 100755
index 0000000..b70ed54
--- /dev/null
+++ b/bin/hardening/9.2.3_limit_password_reuse.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 9.2.3 Limit Password Reuse (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGE='libpam-modules'
+PATTERN='^password.*remember'
+FILE='/etc/pam.d/common-password'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET != 0 ]; then
+ crit "$PACKAGE is not installed !"
+ else
+ ok "$PACKAGE is installed"
+ does_pattern_exists_in_file $FILE $PATTERN
+ if [ $FNRET = 0 ]; then
+ ok "$PATTERN is present in $FILE"
+ else
+ crit "$PATTERN is not present in $FILE"
+ fi
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ ok "$PACKAGE is installed"
+ else
+ crit "$PACKAGE is absent, installing it"
+ apt_install $PACKAGE
+ fi
+ does_pattern_exists_in_file $FILE $PATTERN
+ if [ $FNRET = 0 ]; then
+ ok "$PATTERN is present in $FILE"
+ else
+ warn "$PATTERN is not present in $FILE"
+ add_line_file_before_pattern $FILE "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" "# pam-auth-update(8) for details."
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/9.3.10_disable_sshd_setenv.sh b/bin/hardening/9.3.10_disable_sshd_setenv.sh
new file mode 100755
index 0000000..a4c072b
--- /dev/null
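Review bot: The apply branch inserts a second `pam_unix.so` password line instead of adding `remember=5` to the one Debian already ships in common-password (`password [success=1 default=ignore] pam_unix.so obscure sha512`), so after remediation the stack carries two pam_unix password modules and the audit pattern `^password.*remember` is satisfied without the original line ever being touched. Amend in place instead: `does_pattern_exists_in_file $FILE '^password.*pam_unix.so'` and, when found, `replace_in_file $FILE '^\(password.*pam_unix.so.*\)$' '\1 remember=5'`, falling back to add_line_file_before_pattern only when no pam_unix password line exists at all — the same present-but-wrong-value distinction the 9.3.x scripts already make for sshd_config. The exact regex dialect replace_in_file accepts is defined in lib/utils.sh, outside this hunk. Since pam-auth-update regenerates common-password, a header comment noting that a later `pam-auth-update` run can drop the hand-edited `remember=` would also help whoever debugs a regression.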
+++ b/bin/hardening/9.3.10_disable_sshd_setenv.sh 
@@ -0,0 +1,87 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 9.3.10 Do Not Allow Users to Set Environment Options (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='openssh-server' +OPTIONS='PermitUserEnvironment=no' +FILE='/etc/ssh/sshd_config' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN not present in $FILE, adding it" + does_pattern_exists_in_file $FILE "^$SSH_PARAM" + if [ $FNRET != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + else + info "Parameter $SSH_PARAM is present but with the wrong value, correcting" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + fi + /etc/init.d/ssh reload + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! 
-r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.3.11_sshd_ciphers.sh b/bin/hardening/9.3.11_sshd_ciphers.sh new file mode 100755 index 0000000..21b5d24 --- /dev/null +++ b/bin/hardening/9.3.11_sshd_ciphers.sh 
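Review bot: `/etc/init.d/ssh reload` runs inside the per-option loop, and under `set -e` a failing reload (for instance when the edited sshd_config no longer parses) aborts the script with only the init script's own output; 9.3.1 and 9.3.2 redirect it to /dev/null, which hides even that. Validate the file with `sshd -t` before reloading and fail loudly, and move the reload after the loop behind a changed flag so multi-option scripts such as 9.3.12 and 9.3.13 reload once rather than per option; the same loop appears in every 9.3.x script in this commit except 9.3.3. Also, sshd keywords are case-insensitive, so `^PermitUserEnvironment[[:space:]]*no` misses a lowercase directive that sshd honours; if does_pattern_exists_in_file wraps grep (it is defined in lib/utils.sh, outside this hunk), a case-insensitive match would make audit agree with what sshd enforces.
```shell
apply () {
    # … unchanged: package check …
    CHANGED=0
    for SSH_OPTION in $OPTIONS; do
        # … unchanged: pattern check, add_end_of_file / replace_in_file …
            CHANGED=1
        fi
    done
    if [ "$CHANGED" = 1 ]; then
        /usr/sbin/sshd -t || { crit "$FILE does not validate, not reloading"; exit 128; }
        /etc/init.d/ssh reload > /dev/null 2>&1 || crit "ssh reload failed"
    fi
}
```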
@@ -0,0 +1,87 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 9.3.11 Use Only Approved Cipher in Counter Mode (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='openssh-server' +OPTIONS='Ciphers=aes128-ctr,aes192-ctr,aes256-ctr' +FILE='/etc/ssh/sshd_config' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN not present in $FILE, adding it" + does_pattern_exists_in_file $FILE "^$SSH_PARAM" + if [ $FNRET != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + else + info "Parameter $SSH_PARAM is present but with the wrong value, correcting" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + fi + /etc/init.d/ssh reload + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! 
-r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.3.12_sshd_idle_timeout.sh b/bin/hardening/9.3.12_sshd_idle_timeout.sh new file mode 100755 index 0000000..e888c8b --- /dev/null +++ b/bin/hardening/9.3.12_sshd_idle_timeout.sh 
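Review bot: The audit pattern `^Ciphers[[:space:]]*aes128-ctr,aes192-ctr,aes256-ctr` has no end anchor, so a line such as `Ciphers aes128-ctr,aes192-ctr,aes256-ctr,<extra cipher>` passes audit even though the extra algorithm is still offered, which is exactly what this control is meant to catch. Build the pattern as `PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE\$"` (or end it with `[[:space:]]*$` if trailing whitespace should be tolerated); the 9.3.1 Protocol check has the same gap, where `Protocol 2,1` would pass. The apply branch's `replace_in_file` already rewrites the whole line, so this only changes detection, not remediation.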
@@ -0,0 +1,90 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 9.3.12 Set Idle Timeout Interval for User Login (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='openssh-server' +FILE='/etc/ssh/sshd_config' + +# This function will be called if the script status is on enabled / audit mode +audit () { + OPTIONS="ClientAliveInterval=$SSHD_TIMEOUT ClientAliveCountMax=0" + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN not present in $FILE, adding it" + does_pattern_exists_in_file $FILE "^$SSH_PARAM" + if [ $FNRET != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + else + info "Parameter $SSH_PARAM is present but with the wrong value, correcting" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + fi + /etc/init.d/ssh reload + fi + done +} + +# This function will check config parameters required +check_config() { + if [ -z $SSHD_TIMEOUT ]; then + crit "SSHD_TIMEOUT is not set, 
please edit configuration file" + exit 128 + fi +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.3.13_sshd_limit_access.sh b/bin/hardening/9.3.13_sshd_limit_access.sh new file mode 100755 index 0000000..6446cfa --- /dev/null +++ b/bin/hardening/9.3.13_sshd_limit_access.sh 
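Review bot: `OPTIONS` is assigned only inside `audit()`, yet `apply()` iterates `$OPTIONS`; if main.sh ever runs apply without audit first, `set -u` terminates the script on an unbound variable, and even when audit runs first apply is relying on that side effect. Assign it at the top of `apply()` too, or have check_config set it once since SSHD_TIMEOUT is already validated there; 9.3.13 and 9.3.14 have the same structure. `if [ -z $SSHD_TIMEOUT ]` is likewise evaluated under `set -u`, so a cfg that omits the variable dies with bash's unbound-variable message instead of the intended crit; write `if [ -z "${SSHD_TIMEOUT:-}" ]; then`. Also, newer OpenSSH releases document `ClientAliveCountMax 0` as disabling connection termination rather than making it immediate, so whether `ClientAliveCountMax=0` actually enforces an idle timeout should be confirmed against sshd_config(5) for the target release before this control is relied on.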
@@ -0,0 +1,104 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 9.3.13 Limit Access via SSH (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='openssh-server' +FILE='/etc/ssh/sshd_config' + +# This function will be called if the script status is on enabled / audit mode +audit () { + OPTIONS="AllowUsers='$ALLOWED_USERS' AllowGroups='$ALLOWED_GROUPS' DenyUsers='$DENIED_USERS' DenyGroups='$DENIED_GROUPS'" + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + SSH_VALUE=$(sed "s/'//g" <<< $SSH_VALUE) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + SSH_VALUE=$(sed "s/'//g" <<< $SSH_VALUE) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN not present in $FILE, adding it" + does_pattern_exists_in_file $FILE "^$SSH_PARAM" + if [ $FNRET != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + else + info "Parameter $SSH_PARAM is present but with the wrong value, correcting" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + fi + /etc/init.d/ssh reload + fi + done +} + +# This function 
will check config parameters required +check_config() { + if [ -z $ALLOWED_USERS ]; then + info "ALLOWED_USERS is not set, defaults to wildcard" + ALLOWED_USERS="*" + fi + if [ -z $ALLOWED_GROUPS ]; then + info "ALLOWED_GROUPS is not set, defaults to wildcard" + ALLOWED_GROUPS="*" + fi + if [ -z $DENIED_USERS ]; then + info "DENIED_USERS is not set, defaults to nobody" + DENIED_USERS="nobody" + fi + if [ -z $DENIED_GROUPS ]; then + info "DENIED_GROUPS is not set, defaults to nobody" + DENIED_GROUPS="nobody" + fi +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.3.14_ssh_banner.sh b/bin/hardening/9.3.14_ssh_banner.sh new file mode 100755 index 0000000..8df24fa --- /dev/null +++ b/bin/hardening/9.3.14_ssh_banner.sh 
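Review bot: `for SSH_OPTION in $OPTIONS` splits the option string on whitespace, so an ALLOWED_USERS value listing more than one account (`alice bob`) is torn into two loop items, the second without an `=` and therefore with an empty SSH_PARAM; the single quotes wrapped around each value do not prevent this because they are literal characters inside the string, which is why they have to be stripped again with `sed "s/'//g"`. Use a bash array instead — `OPTIONS=("AllowUsers=$ALLOWED_USERS" "AllowGroups=$ALLOWED_GROUPS" "DenyUsers=$DENIED_USERS" "DenyGroups=$DENIED_GROUPS")` with `for SSH_OPTION in "${OPTIONS[@]}"` — and drop the quote-stripping. The check_config defaults also feed a bare `*` into the regex, producing `^AllowUsers[[:space:]]**`, which grep may reject or interpret differently from what is intended; a value taken from configuration needs escaping before it is used as a pattern. Finally, `AllowUsers *` as a default makes the control pass while restricting no one, so audit should report a wildcard as warn rather than ok, or the header should say plainly that the defaults are placeholders.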
@@ -0,0 +1,88 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 9.3.14 Set SSH Banner (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='openssh-server' +FILE='/etc/ssh/sshd_config' + +# This function will be called if the script status is on enabled / audit mode +audit () { + OPTIONS="Banner=$BANNER_FILE" + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + PATTERN="^$SSH_PARAM[[:space:]]*" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN not present in $FILE, adding it" + does_pattern_exists_in_file $FILE "^$SSH_PARAM" + if [ $FNRET != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + else + info "Parameter $SSH_PARAM is present and activated" + fi + /etc/init.d/ssh reload + fi + done +} + +# This function will check config parameters required +check_config() { + if [ -z $BANNER_FILE ]; then + info "BANNER_FILE is not set, defaults to wildcard" + BANNER_FILE='/etc/issue.net' + fi +} + +# Source Root Dir Parameter +if [ ! 
-r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.3.1_sshd_protocol.sh b/bin/hardening/9.3.1_sshd_protocol.sh new file mode 100755 index 0000000..167b167 --- /dev/null +++ b/bin/hardening/9.3.1_sshd_protocol.sh 
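Review bot: audit only checks `^Banner[[:space:]]*`, so `Banner none` passes, while apply checks `^Banner[[:space:]]*$SSH_VALUE` and, when the keyword is present with a different value, logs `Parameter $SSH_PARAM is present and activated` and changes nothing; the two functions disagree and a wrong banner path is never corrected. Have audit build the same value-bearing pattern as apply, and in apply's else branch call `replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"` as the other 9.3.x scripts do. The check_config message `BANNER_FILE is not set, defaults to wildcard` is a copy-paste leftover from 9.3.13 and should read `defaults to /etc/issue.net`. A `does_file_exist $BANNER_FILE` check with a warn when the file is missing would also be worth adding, since pointing Banner at an absent file shows users nothing.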
@@ -0,0 +1,87 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 9.3.1 Set SSH Protocol to 2 (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='openssh-server' +OPTIONS='Protocol=2' +FILE='/etc/ssh/sshd_config' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN not present in $FILE, adding it" + does_pattern_exists_in_file $FILE "^$SSH_PARAM" + if [ $FNRET != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + else + info "Parameter $SSH_PARAM is present but with the wrong value, correcting" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + fi + /etc/init.d/ssh reload > /dev/null 2>&1 + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! 
-r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.3.2_sshd_loglevel.sh b/bin/hardening/9.3.2_sshd_loglevel.sh new file mode 100755 index 0000000..8114340 --- /dev/null +++ b/bin/hardening/9.3.2_sshd_loglevel.sh 
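Review bot: apply installs `openssh-server` when it is absent (`apt_install $PACKAGE` in the else branch), so running this control in enabled mode on a host that deliberately has no SSH daemon adds a listening network service as a side effect of hardening, and audit reports the absence as crit rather than as not applicable. I would replace the install with `crit "$PACKAGE is not installed, nothing to harden"; return` and downgrade the audit message to info, or at least gate the install behind a cfg variable; every 9.3.x script in this commit except 9.3.3 has the same branch. The silenced `/etc/init.d/ssh reload > /dev/null 2>&1` also runs under `set -e`, so a reload failure ends the script with no message at all; append `|| crit "ssh reload failed"` so the failure is at least logged.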
@@ -0,0 +1,87 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 9.3.2 Set LogLevel to INFO (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='openssh-server' +OPTIONS='LogLevel=INFO' +FILE='/etc/ssh/sshd_config' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN not present in $FILE, adding it" + does_pattern_exists_in_file $FILE "^$SSH_PARAM" + if [ $FNRET != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + else + info "Parameter $SSH_PARAM is present but with the wrong value, correcting" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + fi + /etc/init.d/ssh reload > /dev/null 2>&1 + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! 
-r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.3.3_sshd_conf_perm_ownership.sh b/bin/hardening/9.3.3_sshd_conf_perm_ownership.sh new file mode 100755 index 0000000..ca23cf7 --- /dev/null +++ b/bin/hardening/9.3.3_sshd_conf_perm_ownership.sh 
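Review bot: The apply branch's `replace_in_file $FILE "^LogLevel[[:space:]]*.*" "LogLevel INFO"` rewrites any existing value, so a host deliberately set to `LogLevel VERBOSE` — which additionally records the key fingerprint used for each login, and which later benchmark editions accept as far as I recall — is silently downgraded to INFO, and audit reports VERBOSE as crit. Treat VERBOSE as compliant: accept both values in the audit pattern, e.g. `PATTERN="^$SSH_PARAM[[:space:]]*\(INFO\|VERBOSE\)"` in the regex dialect does_pattern_exists_in_file uses, and only rewrite when the current value is below INFO. That helper is defined in lib/utils.sh, outside this hunk.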
@@ -0,0 +1,85 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 9.3.3 Set Permissions on /etc/ssh/sshd_config (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/ssh/sshd_config'
+PERMISSIONS='600'
+USER='root'
+GROUP='root'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ crit "$FILE is not $USER:$GROUP ownership set"
+ fi
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ crit "$FILE has not $PERMISSIONS permissions set"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ info "$FILE does not exist"
+ touch $FILE
+ fi
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ warn "$FILE is not $USER:$GROUP ownership set"
+ chown $USER:$GROUP $FILE
+ fi
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ info "fixing $FILE permissions to $PERMISSIONS"
+ chmod 0$PERMISSIONS $FILE
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ does_user_exist $USER
+ if [ $FNRET != 0 ]; then
+ crit "$USER does not exist"
+ exit 128
+ fi
+ does_group_exist $GROUP
+ if [ $FNRET != 0 ]; then
+ crit "$GROUP does not exist"
+ exit 128
+ fi
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/9.3.4_disable_x11_forwarding.sh b/bin/hardening/9.3.4_disable_x11_forwarding.sh
new file mode 100755
index 0000000..5b3b2ae
--- /dev/null
+++ b/bin/hardening/9.3.4_disable_x11_forwarding.sh
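Review bot: apply() fabricates `/etc/ssh/sshd_config` with `touch $FILE` when it is absent and then reports ownership and permissions as correct on that empty file, so a host without openssh-server, or one whose config was deleted, is recorded as compliant on a file that configures nothing. The sibling sshd scripts in this commit gate on `is_pkg_installed $PACKAGE` and call `apt_install $PACKAGE` when it is missing; doing the same here, instead of the `touch`, would make the file appear through the package rather than as an empty placeholder. Separately, the bootstrap block's `if [ -z $CIS_ROOT_DIR ]` prints "aborting" but never exits, so execution falls through to the `main.sh` line; add `exit 128` after the echo (this boilerplate is repeated in every script of the commit).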
@@ -0,0 +1,87 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 9.3.4 Disable SSH X11 Forwarding (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGE='openssh-server'
+OPTIONS='X11Forwarding=no'
+FILE='/etc/ssh/sshd_config'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET != 0 ]; then
+ crit "$PACKAGE is not installed !"
+ else
+ ok "$PACKAGE is installed"
+ for SSH_OPTION in $OPTIONS; do
+ SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+ SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+ PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ does_pattern_exists_in_file $FILE "$PATTERN"
+ if [ $FNRET = 0 ]; then
+ ok "$PATTERN is present in $FILE"
+ else
+ crit "$PATTERN is not present in $FILE"
+ fi
+ done
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ ok "$PACKAGE is installed"
+ else
+ crit "$PACKAGE is absent, installing it"
+ apt_install $PACKAGE
+ fi
+ for SSH_OPTION in $OPTIONS; do
+ SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+ SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+ PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ does_pattern_exists_in_file $FILE "$PATTERN"
+ if [ $FNRET = 0 ]; then
+ ok "$PATTERN is present in $FILE"
+ else
+ warn "$PATTERN not present in $FILE, adding it"
+ does_pattern_exists_in_file $FILE "^$SSH_PARAM"
+ if [ $FNRET != 0 ]; then
+ add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+ else
+ info "Parameter $SSH_PARAM is present but with the wrong value, correcting"
+ replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+ fi
+ /etc/init.d/ssh reload > /dev/null 2>&1
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/9.3.5_sshd_maxauthtries.sh b/bin/hardening/9.3.5_sshd_maxauthtries.sh
new file mode 100755
index 0000000..79a6f40
--- /dev/null
+++ b/bin/hardening/9.3.5_sshd_maxauthtries.sh
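Review bot: Both the audit pattern `PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"` and the fix-up probe `does_pattern_exists_in_file $FILE "^$SSH_PARAM"` match the keyword case-sensitively, whereas sshd treats keywords case-insensitively and uses the first occurrence it reads. A pre-existing `x11forwarding yes` is therefore invisible to both checks: apply() takes the "not present" branch and appends `X11Forwarding no` at the end of the file, sshd keeps honouring the earlier line, and the audit now reports the host compliant. Unless `does_pattern_exists_in_file` already greps case-insensitively (its implementation is not part of this diff), the keyword part of both patterns should ignore case, and any spelling of the keyword should go through `replace_in_file` rather than `add_end_of_file` so the hardened value is the first one sshd sees. The same template is used by the other sshd scripts in this commit.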
@@ -0,0 +1,87 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 9.3.5 Set SSH MaxAuthTries to 4 or Less (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGE='openssh-server'
+OPTIONS='MaxAuthTries=4'
+FILE='/etc/ssh/sshd_config'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET != 0 ]; then
+ crit "$PACKAGE is not installed !"
+ else
+ ok "$PACKAGE is installed"
+ for SSH_OPTION in $OPTIONS; do
+ SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+ SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+ PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ does_pattern_exists_in_file $FILE "$PATTERN"
+ if [ $FNRET = 0 ]; then
+ ok "$PATTERN is present in $FILE"
+ else
+ crit "$PATTERN is not present in $FILE"
+ fi
+ done
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ ok "$PACKAGE is installed"
+ else
+ crit "$PACKAGE is absent, installing it"
+ apt_install $PACKAGE
+ fi
+ for SSH_OPTION in $OPTIONS; do
+ SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+ SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+ PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ does_pattern_exists_in_file $FILE "$PATTERN"
+ if [ $FNRET = 0 ]; then
+ ok "$PATTERN is present in $FILE"
+ else
+ warn "$PATTERN not present in $FILE, adding it"
+ does_pattern_exists_in_file $FILE "^$SSH_PARAM"
+ if [ $FNRET != 0 ]; then
+ add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+ else
+ info "Parameter $SSH_PARAM is present but with the wrong value, correcting"
+ replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+ fi
+ /etc/init.d/ssh reload
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/9.3.6_enable_sshd_ignorerhosts.sh b/bin/hardening/9.3.6_enable_sshd_ignorerhosts.sh
new file mode 100755
index 0000000..bc550a6
--- /dev/null
+++ b/bin/hardening/9.3.6_enable_sshd_ignorerhosts.sh
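Review bot: The control is "MaxAuthTries to 4 or Less", but with `OPTIONS='MaxAuthTries=4'` the pattern `^MaxAuthTries[[:space:]]*4` only accepts the literal 4: a host already hardened to `MaxAuthTries 3` is reported crit, and apply() then loosens it to 4 through `replace_in_file`. The pattern is also open-ended, so `MaxAuthTries 40` passes the audit. I would accept the whole compliant range and anchor the end of the line, e.g. `PATTERN="^MaxAuthTries[[:space:]]*[1-4][[:space:]]*$"`, and only rewrite the directive when the current value is above 4; whether `does_pattern_exists_in_file` uses basic or extended regex is not visible here, so confirm the `$` anchor works with that helper.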
@@ -0,0 +1,87 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 9.3.6 Set SSH IgnoreRhosts to Yes (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGE='openssh-server'
+OPTIONS='IgnoreRhosts=yes'
+FILE='/etc/ssh/sshd_config'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET != 0 ]; then
+ crit "$PACKAGE is not installed !"
+ else
+ ok "$PACKAGE is installed"
+ for SSH_OPTION in $OPTIONS; do
+ SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+ SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+ PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ does_pattern_exists_in_file $FILE "$PATTERN"
+ if [ $FNRET = 0 ]; then
+ ok "$PATTERN is present in $FILE"
+ else
+ crit "$PATTERN is not present in $FILE"
+ fi
+ done
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ ok "$PACKAGE is installed"
+ else
+ crit "$PACKAGE is absent, installing it"
+ apt_install $PACKAGE
+ fi
+ for SSH_OPTION in $OPTIONS; do
+ SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+ SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+ PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ does_pattern_exists_in_file $FILE "$PATTERN"
+ if [ $FNRET = 0 ]; then
+ ok "$PATTERN is present in $FILE"
+ else
+ warn "$PATTERN not present in $FILE, adding it"
+ does_pattern_exists_in_file $FILE "^$SSH_PARAM"
+ if [ $FNRET != 0 ]; then
+ add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+ else
+ info "Parameter $SSH_PARAM is present but with the wrong value, correcting"
+ replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+ fi
+ /etc/init.d/ssh reload
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/9.3.7_disable_sshd_hostbasedauthentication.sh b/bin/hardening/9.3.7_disable_sshd_hostbasedauthentication.sh
new file mode 100755
index 0000000..faa23d4
--- /dev/null
+++ b/bin/hardening/9.3.7_disable_sshd_hostbasedauthentication.sh
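Review bot: When the directive is missing, apply() adds it with `add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"`, which places `IgnoreRhosts yes` after whatever is last in sshd_config; if the file ends with a `Match` block (Debian hosts with sftp or per-user overrides commonly do), the appended line becomes part of that block and only applies to its matches, while the `^IgnoreRhosts` audit still passes. lib/utils.sh already has `add_line_file_before_pattern` (its signature is visible at the end of this diff); inserting before the first `^Match` line when one exists, and falling back to `add_end_of_file` otherwise, keeps the directive in the global section. The same template is shared by the other sshd scripts in this commit, so the fix belongs in one place rather than per script.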
@@ -0,0 +1,87 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 9.3.7 Set SSH HostbasedAuthentication to No (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGE='openssh-server'
+OPTIONS='HostbasedAuthentication=no'
+FILE='/etc/ssh/sshd_config'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET != 0 ]; then
+ crit "$PACKAGE is not installed !"
+ else
+ ok "$PACKAGE is installed"
+ for SSH_OPTION in $OPTIONS; do
+ SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+ SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+ PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ does_pattern_exists_in_file $FILE "$PATTERN"
+ if [ $FNRET = 0 ]; then
+ ok "$PATTERN is present in $FILE"
+ else
+ crit "$PATTERN is not present in $FILE"
+ fi
+ done
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ ok "$PACKAGE is installed"
+ else
+ crit "$PACKAGE is absent, installing it"
+ apt_install $PACKAGE
+ fi
+ for SSH_OPTION in $OPTIONS; do
+ SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+ SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+ PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ does_pattern_exists_in_file $FILE "$PATTERN"
+ if [ $FNRET = 0 ]; then
+ ok "$PATTERN is present in $FILE"
+ else
+ warn "$PATTERN not present in $FILE, adding it"
+ does_pattern_exists_in_file $FILE "^$SSH_PARAM"
+ if [ $FNRET != 0 ]; then
+ add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+ else
+ info "Parameter $SSH_PARAM is present but with the wrong value, correcting"
+ replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+ fi
+ /etc/init.d/ssh reload
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/9.3.8_disable_root_login.sh b/bin/hardening/9.3.8_disable_root_login.sh
new file mode 100755
index 0000000..96df935
--- /dev/null
+++ b/bin/hardening/9.3.8_disable_root_login.sh
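Review bot: A point of style: `SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)` and `SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)` spawn two pipelines per option just to split on `=`, and `cut -f 2` would silently drop everything after a second `=` in a value. Bash parameter expansion does the split in-process and keeps the whole value: `SSH_PARAM=${SSH_OPTION%%=*}` and `SSH_VALUE=${SSH_OPTION#*=}`. These two lines are duplicated in audit() and apply() here and in every sibling sshd script of this commit, so a small helper in lib/utils.sh would remove the repetition as well.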
@@ -0,0 +1,87 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 9.3.8 Disable SSH Root Login (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGE='openssh-server'
+OPTIONS='PermitRootLogin=no'
+FILE='/etc/ssh/sshd_config'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET != 0 ]; then
+ crit "$PACKAGE is not installed !"
+ else
+ ok "$PACKAGE is installed"
+ for SSH_OPTION in $OPTIONS; do
+ SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+ SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+ PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ does_pattern_exists_in_file $FILE "$PATTERN"
+ if [ $FNRET = 0 ]; then
+ ok "$PATTERN is present in $FILE"
+ else
+ crit "$PATTERN is not present in $FILE"
+ fi
+ done
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ ok "$PACKAGE is installed"
+ else
+ crit "$PACKAGE is absent, installing it"
+ apt_install $PACKAGE
+ fi
+ for SSH_OPTION in $OPTIONS; do
+ SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+ SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+ PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ does_pattern_exists_in_file $FILE "$PATTERN"
+ if [ $FNRET = 0 ]; then
+ ok "$PATTERN is present in $FILE"
+ else
+ warn "$PATTERN not present in $FILE, adding it"
+ does_pattern_exists_in_file $FILE "^$SSH_PARAM"
+ if [ $FNRET != 0 ]; then
+ add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+ else
+ info "Parameter $SSH_PARAM is present but with the wrong value, correcting"
+ replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+ fi
+ /etc/init.d/ssh reload
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/9.3.9_disable_sshd_permitemptypasswords.sh b/bin/hardening/9.3.9_disable_sshd_permitemptypasswords.sh
new file mode 100755
index 0000000..383ca48
--- /dev/null
+++ b/bin/hardening/9.3.9_disable_sshd_permitemptypasswords.sh
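Review bot: apply() writes `PermitRootLogin no` and reloads sshd in the same pass without checking that any other account can still log in; on a host where root is the only SSH-reachable account, running this script with `status=enabled` locks the operator out at `/etc/init.d/ssh reload`. check_config() is the natural place for such a guard and is currently just `:`; at minimum the prerequisite should be stated in the header, e.g. `# Prerequisite: a non-root account with sudo/su access must already be able to log in over SSH`, and ideally check_config() refuses to apply when no such account exists. As with the other sshd scripts in this commit, running `sshd -t` before the reload would also keep a rejected edit from taking the daemon down.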
@@ -0,0 +1,87 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 9.3.9 Set SSH PermitEmptyPasswords to No (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGE='openssh-server'
+OPTIONS='PermitRootLogin=no'
+FILE='/etc/ssh/sshd_config'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET != 0 ]; then
+ crit "$PACKAGE is not installed !"
+ else
+ ok "$PACKAGE is installed"
+ for SSH_OPTION in $OPTIONS; do
+ SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+ SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+ PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ does_pattern_exists_in_file $FILE "$PATTERN"
+ if [ $FNRET = 0 ]; then
+ ok "$PATTERN is present in $FILE"
+ else
+ crit "$PATTERN is not present in $FILE"
+ fi
+ done
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ ok "$PACKAGE is installed"
+ else
+ crit "$PACKAGE is absent, installing it"
+ apt_install $PACKAGE
+ fi
+ for SSH_OPTION in $OPTIONS; do
+ SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+ SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+ PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ does_pattern_exists_in_file $FILE "$PATTERN"
+ if [ $FNRET = 0 ]; then
+ ok "$PATTERN is present in $FILE"
+ else
+ warn "$PATTERN not present in $FILE, adding it"
+ does_pattern_exists_in_file $FILE "^$SSH_PARAM"
+ if [ $FNRET != 0 ]; then
+ add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+ else
+ info "Parameter $SSH_PARAM is present but with the wrong value, correcting"
+ replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+ fi
+ /etc/init.d/ssh reload
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/etc/conf.d/9.2.1_enable_cracklib.cfg b/etc/conf.d/9.2.1_enable_cracklib.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/9.2.1_enable_cracklib.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/9.2.2_enable_lockout_failed_password.cfg b/etc/conf.d/9.2.2_enable_lockout_failed_password.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/9.2.2_enable_lockout_failed_password.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/9.2.3_limit_password_reuse.cfg b/etc/conf.d/9.2.3_limit_password_reuse.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/9.2.3_limit_password_reuse.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/9.3.10_disable_sshd_setenv.cfg b/etc/conf.d/9.3.10_disable_sshd_setenv.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/9.3.10_disable_sshd_setenv.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/9.3.11_sshd_ciphers.cfg b/etc/conf.d/9.3.11_sshd_ciphers.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/9.3.11_sshd_ciphers.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/9.3.12_sshd_idle_timeout.cfg b/etc/conf.d/9.3.12_sshd_idle_timeout.cfg
new file mode 100644
index 0000000..c17c30f
--- /dev/null
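Review bot: `OPTIONS='PermitRootLogin=no'` was carried over from 9.3.8, so this script never audits or enforces PermitEmptyPasswords at all — a host with `PermitEmptyPasswords yes` passes control 9.3.9 as long as root login is already off, and apply() has nothing to fix. The one-line correction is `OPTIONS='PermitEmptyPasswords=no'`, matching the header comment "Set SSH PermitEmptyPasswords to No". Given how many of these sshd scripts share the same template, it is worth a quick pass confirming that control number, description and OPTIONS agree in each one.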
+++ b/etc/conf.d/9.3.12_sshd_idle_timeout.cfg
@@ -0,0 +1,5 @@
+# Configuration for script of same name
+status=enabled
+# In seconds, value of ClientAliveInterval, ClientAliveCountMax bedoing set to 0
+# Settles sshd idle timeout
+SSHD_TIMEOUT=900
diff --git a/etc/conf.d/9.3.13_sshd_limit_access.cfg b/etc/conf.d/9.3.13_sshd_limit_access.cfg
new file mode 100644
index 0000000..3373d5c
--- /dev/null
+++ b/etc/conf.d/9.3.13_sshd_limit_access.cfg
@@ -0,0 +1,9 @@
+# Configuration for script of same name
+status=enabled
+
+# Put here ssh user hardening list, there is a default in script to not break your configuration
+# However, it can erase current configuration
+ALLOWED_USERS=''
+ALLOWED_GROUPS=''
+DENIED_USERS=''
+DENIED_GROUPS=''
diff --git a/etc/conf.d/9.3.14_ssh_banner.cfg b/etc/conf.d/9.3.14_ssh_banner.cfg
new file mode 100644
index 0000000..500c8d6
--- /dev/null
+++ b/etc/conf.d/9.3.14_ssh_banner.cfg
@@ -0,0 +1,4 @@
+# Configuration for script of same name
+status=enabled
+# Put here banner file, default to /etc/issue.net
+BANNER_FILE=""
diff --git a/etc/conf.d/9.3.1_sshd_protocol.cfg b/etc/conf.d/9.3.1_sshd_protocol.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/9.3.1_sshd_protocol.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/9.3.2_sshd_loglevel.cfg b/etc/conf.d/9.3.2_sshd_loglevel.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/9.3.2_sshd_loglevel.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/9.3.3_sshd_conf_perm_ownership.cfg b/etc/conf.d/9.3.3_sshd_conf_perm_ownership.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/9.3.3_sshd_conf_perm_ownership.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/9.3.4_disable_x11_forwarding.cfg b/etc/conf.d/9.3.4_disable_x11_forwarding.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/9.3.4_disable_x11_forwarding.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/9.3.5_sshd_maxauthtries.cfg b/etc/conf.d/9.3.5_sshd_maxauthtries.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/9.3.5_sshd_maxauthtries.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/9.3.6_enable_sshd_ignorerhosts.cfg b/etc/conf.d/9.3.6_enable_sshd_ignorerhosts.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/9.3.6_enable_sshd_ignorerhosts.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/9.3.7_disable_sshd_hostbasedauthentication.cfg b/etc/conf.d/9.3.7_disable_sshd_hostbasedauthentication.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/9.3.7_disable_sshd_hostbasedauthentication.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/9.3.8_disable_root_login.cfg b/etc/conf.d/9.3.8_disable_root_login.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/9.3.8_disable_root_login.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/9.3.9_disable_sshd_permitemptypasswords.cfg b/etc/conf.d/9.3.9_disable_sshd_permitemptypasswords.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/9.3.9_disable_sshd_permitemptypasswords.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/lib/utils.sh b/lib/utils.sh
index 384a15f..f382475 100644
--- a/lib/utils.sh
+++ b/lib/utils.sh
@@ -114,8 +114,8 @@ add_end_of_file() {
 local LINE=$2
 debug "Adding $LINE at the end of $FILE"
- backup_file "$1"
- echo "$2" >> $FILE
+ backup_file "$FILE"
+ echo "$LINE" >> $FILE
 }
 add_line_file_before_pattern() {
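Review bot: The new `echo "$LINE" >> $FILE` still hands the line to `echo`, which treats a value such as `-n` or `-e` as an option (and some echo implementations interpret backslash escapes), and the redirection target `$FILE` is unquoted, so a path containing whitespace is word-split; `printf '%s\n' "$LINE" >> "$FILE"` writes the argument verbatim and keeps the path intact. Switching backup_file to `"$FILE"` instead of `"$1"` is the right fix; quoting the redirection completes it. The start of add_end_of_file, where FILE is presumably assigned from `$1`, lies outside this hunk.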