8.0_enable_auditd_kernel.sh 8.1.1.2_halt_when_audit_log_full.sh 8.1.2_enable_auditd.sh

This commit is contained in:
thibault.dewailly 2016-04-14 10:40:31 +02:00
parent 1f873a14f6
commit 9c229574d1
11 changed files with 173 additions and 9 deletions

View File

@ -31,7 +31,7 @@ apply () {
is_service_enabled $SERVICE_NAME is_service_enabled $SERVICE_NAME
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
info "Disabling $SERVICE_NAME" info "Disabling $SERVICE_NAME"
update-rc.d $SERVICE_NAME disable update-rc.d $SERVICE_NAME disable > /dev/null 2>&1
else else
ok "$SERVICE_NAME is disabled" ok "$SERVICE_NAME is disabled"
fi fi

View File

@ -6,7 +6,7 @@
# #
# #
# 7.5.2 Disable SCTP (Not Scored) # 7.5.3 Disable RDS (Not Scored)
# #
set -e # One error, it's over set -e # One error, it's over

View File

@ -6,7 +6,7 @@
# #
# #
# 7.5.2 Disable SCTP (Not Scored) # 7.5.4 Disable TIPC (Not Scored)
# #
set -e # One error, it's over set -e # One error, it's over

View File

@ -6,7 +6,7 @@
# #
# #
# 7.4.1 Install TCP Wrappers (Scored) # 7.7 Ensure Firewall is active (Scored)
# #
set -e # One error, it's over set -e # One error, it's over

View File

@ -0,0 +1,59 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
#
#
# 8.0 Ensure CONFIG_AUDIT is enabled in your running kernel
#
set -e # One error, it's over
set -u # One variable unset, it's over
# Note : Not part of the CIS guide, but what's the point configuring a software not compatible with your kernel ? :)
KERNEL_OPTION="CONFIG_AUDIT"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled "^$KERNEL_OPTION="
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
ok "$KERNEL_OPTION is enabled"
else
crit "$KERNEL_OPTION is disabled, auditd will not work"
fi
:
}
# This function will be called if the script status is on enabled mode
apply () {
is_kernel_option_enabled "^$KERNEL_OPTION="
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
ok "$KERNEL_OPTION is enabled"
else
warn "I cannot fix $KERNEL_OPTION disabled, to make auditd work, recompile your kernel please"
fi
:
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

View File

@ -25,7 +25,7 @@ audit () {
ok "$FILE exist, checking configuration" ok "$FILE exist, checking configuration"
does_pattern_exists_in_file $FILE "^$PATTERN[[:space:]]" does_pattern_exists_in_file $FILE "^$PATTERN[[:space:]]"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$PATTERN not present in $FILE, we have to deny everything" crit "$PATTERN not present in $FILE"
else else
ok "$PATTERN present in $FILE" ok "$PATTERN present in $FILE"
fi fi

View File

@ -0,0 +1,88 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
#
#
# 8.1.1.2 Disable System on Audit Log Full (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
FILE='/etc/audit/auditd.conf'
OPTIONS='space_left_action=email action_mail_acct=root admin_space_left_action=halt'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
crit "$FILE does not exist"
else
ok "$FILE exist, checking configuration"
for AUDIT_OPTION in $OPTIONS; do
AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
debug "$AUDIT_PARAM must have value $AUDIT_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN"
if [ $FNRET != 0 ]; then
crit "$PATTERN not present in $FILE"
else
ok "$PATTERN present in $FILE"
fi
done
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
warn "$FILE does not exist, creating it"
touch $FILE
else
ok "$FILE exist"
fi
for AUDIT_OPTION in $OPTIONS; do
AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
debug "$AUDIT_PARAM must have value $AUDIT_VALUE"
PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN"
if [ $FNRET != 0 ]; then
warn "$PATTERN not present in $FILE, adding it"
does_pattern_exists_in_file $FILE "^$AUDIT_PARAM"
if [ $FNRET != 0 ]; then
info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end"
add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE"
else
info "Parameter $AUDIT_PARAM is present but with the wrong value, correcting"
replace_in_file $FILE "^$AUDIT_PARAM[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE"
fi
else
ok "$PATTERN present in $FILE"
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

View File

@ -6,15 +6,14 @@
# #
# #
# 8.0 Install auditd # 8.1.2 Install and Enable auditd Service (Scored)
# #
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# Note : Not port of the CIS guide, but what's the point configuring a software not installed ? :)
PACKAGE='auditd' PACKAGE='auditd'
SERVICE_NAME='auditd'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
@ -23,6 +22,12 @@ audit () {
crit "$PACKAGE is not installed !" crit "$PACKAGE is not installed !"
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
is_service_enabled $SERVICE_NAME
if [ $FNRET = 0 ]; then
ok "$SERVICE_NAME is enabled"
else
crit "$SERVICE_NAME is not enabled"
fi
fi fi
} }
@ -32,9 +37,17 @@ apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
else else
crit "$PACKAGE is absent, installing it" warn "$PACKAGE is absent, installing it"
apt_install $PACKAGE apt_install $PACKAGE
fi fi
is_service_enabled $SERVICE_NAME
if [ $FNRET = 0 ]; then
ok "$SERVICE_NAME is enabled"
else
warn "$SERVICE_NAME is not enabled, enabling it"
update-rc.d $SERVICE_NAME remove > /dev/null 2>&1
update-rc.d $SERVICE_NAME defaults > /dev/null 2>&1
fi
} }
# This function will check config parameters required # This function will check config parameters required

View File

@ -0,0 +1,2 @@
# Configuration for script of same name
status=enabled

View File

@ -0,0 +1,2 @@
# Configuration for script of same name
status=enabled