From 9cbc3f85a9562cd0692f0b76043e53fb00f2103a Mon Sep 17 00:00:00 2001 
From: Thibault Ayanides Date: Tue, 22 Dec 2020 16:36:35 +0100 Subject: [PATCH] Renum 99.x files to comply with debian10 CIS --- bin/hardening/5.4.5_default_timeout.sh | 78 ++++++++++- ...es.sh => 99.1.1.23_disable_usb_devices.sh} | 4 +- ...no_all.sh => 99.1.3_acc_sudoers_no_all.sh} | 2 +- bin/hardening/99.1_timeout_tty.sh | 121 ------------------ bin/hardening/99.2.2_disable_telnet_server.sh | 2 +- bin/hardening/99.3.3.1_install_tcp_wrapper.sh | 2 +- bin/hardening/99.3.3.2_hosts_allow.sh | 2 +- bin/hardening/99.3.3.3_hosts_deny.sh | 2 +- .../99.3.3.4_hosts_allow_permissions.sh | 2 +- .../99.3.3.5_hosts_deny_permissions.sh | 2 +- bin/hardening/99.4.0_enable_auditd_kernel.sh | 4 +- ...only.sh => 99.5.2.1_ssh_auth_pubk_only.sh} | 2 +- ...cry_rekey.sh => 99.5.2.2_ssh_cry_rekey.sh} | 4 +- ...es.sh => 99.5.2.3_ssh_disable_features.sh} | 2 +- ...keys_from.sh => 99.5.2.4_ssh_keys_from.sh} | 2 +- ..._modes.sh => 99.5.2.5_ssh_strict_modes.sh} | 2 +- ..._env.sh => 99.5.2.6_ssh_sys_accept_env.sh} | 4 +- ...egacy.sh => 99.5.2.7_ssh_sys_no_legacy.sh} | 6 +- ...sandbox.sh => 99.5.2.8_ssh_sys_sandbox.sh} | 4 +- ....sh => 99.5.4.5.1_acc_logindefs_sha512.sh} | 2 +- ...512.sh => 99.5.4.5.2_acc_shadow_sha512.sh} | 2 +- bin/hardening/99.5.9_ssh_loglevel.sh | 98 -------------- tests/hardening/5.4.5_default_timeout.sh | 9 ++ ...es.sh => 99.1.1.23_disable_usb_devices.sh} | 0 ...no_all.sh => 99.1.3_acc_sudoers_no_all.sh} | 0 tests/hardening/99.1_timeout_tty.sh | 20 --- ...only.sh => 99.5.2.1_ssh_auth_pubk_only.sh} | 0 ...cry_rekey.sh => 99.5.2.2_ssh_cry_rekey.sh} | 0 ...es.sh => 99.5.2.3_ssh_disable_features.sh} | 0 ...keys_from.sh => 99.5.2.4_ssh_keys_from.sh} | 0 ..._modes.sh => 99.5.2.5_ssh_strict_modes.sh} | 0 ..._env.sh => 99.5.2.6_ssh_sys_accept_env.sh} | 0 ...egacy.sh => 99.5.2.7_ssh_sys_no_legacy.sh} | 0 ...sandbox.sh => 99.5.2.8_ssh_sys_sandbox.sh} | 0 ....sh => 99.5.4.5.1_acc_logindefs_sha512.sh} | 0 ...512.sh => 99.5.4.5.2_acc_shadow_sha512.sh} | 0 
tests/hardening/99.5.9_ssh_loglevel.sh | 22 ---- 37 files changed, 109 insertions(+), 291 deletions(-) rename bin/hardening/{99.2_disable_usb_devices.sh => 99.1.1.23_disable_usb_devices.sh} (98%) rename bin/hardening/{99.3.2_acc_sudoers_no_all.sh => 99.1.3_acc_sudoers_no_all.sh} (97%) delete mode 100755 bin/hardening/99.1_timeout_tty.sh rename bin/hardening/{99.5.1_ssh_auth_pubk_only.sh => 99.5.2.1_ssh_auth_pubk_only.sh} (97%) rename bin/hardening/{99.5.2.3_ssh_cry_rekey.sh => 99.5.2.2_ssh_cry_rekey.sh} (96%) rename bin/hardening/{99.5.3_ssh_disable_features.sh => 99.5.2.3_ssh_disable_features.sh} (97%) rename bin/hardening/{99.5.4_ssh_keys_from.sh => 99.5.2.4_ssh_keys_from.sh} (98%) rename bin/hardening/{99.5.5_ssh_strict_modes.sh => 99.5.2.5_ssh_strict_modes.sh} (96%) rename bin/hardening/{99.5.6_ssh_sys_accept_env.sh => 99.5.2.6_ssh_sys_accept_env.sh} (96%) rename bin/hardening/{99.5.7_ssh_sys_no_legacy.sh => 99.5.2.7_ssh_sys_no_legacy.sh} (93%) rename bin/hardening/{99.5.8_ssh_sys_sandbox.sh => 99.5.2.8_ssh_sys_sandbox.sh} (97%) rename bin/hardening/{99.3.4_acc_logindefs_sha512.sh => 99.5.4.5.1_acc_logindefs_sha512.sh} (96%) rename bin/hardening/{99.3.1_acc_shadow_sha512.sh => 99.5.4.5.2_acc_shadow_sha512.sh} (96%) delete mode 100755 bin/hardening/99.5.9_ssh_loglevel.sh rename tests/hardening/{99.2_disable_usb_devices.sh => 99.1.1.23_disable_usb_devices.sh} (100%) rename tests/hardening/{99.3.2_acc_sudoers_no_all.sh => 99.1.3_acc_sudoers_no_all.sh} (100%) delete mode 100644 tests/hardening/99.1_timeout_tty.sh rename tests/hardening/{99.5.1_ssh_auth_pubk_only.sh => 99.5.2.1_ssh_auth_pubk_only.sh} (100%) rename tests/hardening/{99.5.2.3_ssh_cry_rekey.sh => 99.5.2.2_ssh_cry_rekey.sh} (100%) rename tests/hardening/{99.5.3_ssh_disable_features.sh => 99.5.2.3_ssh_disable_features.sh} (100%) rename tests/hardening/{99.5.4_ssh_keys_from.sh => 99.5.2.4_ssh_keys_from.sh} (100%) rename tests/hardening/{99.5.5_ssh_strict_modes.sh => 99.5.2.5_ssh_strict_modes.sh} (100%) 
rename tests/hardening/{99.5.6_ssh_sys_accept_env.sh => 99.5.2.6_ssh_sys_accept_env.sh} (100%) rename tests/hardening/{99.5.7_ssh_sys_no_legacy.sh => 99.5.2.7_ssh_sys_no_legacy.sh} (100%) rename tests/hardening/{99.5.8_ssh_sys_sandbox.sh => 99.5.2.8_ssh_sys_sandbox.sh} (100%) rename tests/hardening/{99.3.4_acc_logindefs_sha512.sh => 99.5.4.5.1_acc_logindefs_sha512.sh} (100%) rename tests/hardening/{99.3.1_acc_shadow_sha512.sh => 99.5.4.5.2_acc_shadow_sha512.sh} (100%) delete mode 100644 tests/hardening/99.5.9_ssh_loglevel.sh diff --git a/bin/hardening/5.4.5_default_timeout.sh b/bin/hardening/5.4.5_default_timeout.sh index 22eb036..85c1cf6 100755 --- a/bin/hardening/5.4.5_default_timeout.sh +++ b/bin/hardening/5.4.5_default_timeout.sh 
@@ -6,25 +6,93 @@ # # -# 5.4.5 Ensure default user shell timeout is 900 seconds or less (Scored) +# 5.4.4 Ensure default usershell timeout is 900 seconds or less # set -e # One error, it's over set -u # One variable unset, it's over # shellcheck disable=2034 -HARDENING_LEVEL=3 +USER='root' # shellcheck disable=2034 -DESCRIPTION="Configure the default user shell timeout." +DESCRIPTION="Timeout 600 seconds on tty." + +PATTERN='TMOUT=' +VALUE='600' +FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d /etc/profile' +FILE='/etc/profile.d/CIS_99.1_timeout.sh' # This function will be called if the script status is on enabled / audit mode audit() { - : + SEARCH_RES=0 + for FILE_SEARCHED in $FILES_TO_SEARCH; do + if [ "$SEARCH_RES" = 1 ]; then break; fi + if test -d "$FILE_SEARCHED"; then + debug "$FILE_SEARCHED is a directory" + # shellcheck disable=2044 + for file_in_dir in $(find "$FILE_SEARCHED" -type f); do + does_pattern_exist_in_file "$file_in_dir" "^$PATTERN" + if [ "$FNRET" != 0 ]; then + debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir" + else + ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir" + SEARCH_RES=1 + break + fi + done + else + does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN" + if [ "$FNRET" != 0 ]; then + debug "$PATTERN is not present in $FILE_SEARCHED" + else + ok "$PATTERN is present in $FILES_TO_SEARCH" + SEARCH_RES=1 + fi + fi + done + if [ "$SEARCH_RES" = 0 ]; then + crit "$PATTERN is not present in $FILES_TO_SEARCH" + fi } # This function will be called if the script status is on enabled mode apply() { - : + SEARCH_RES=0 + for FILE_SEARCHED in $FILES_TO_SEARCH; do + if [ "$SEARCH_RES" = 1 ]; then break; fi + if test -d "$FILE_SEARCHED"; then + debug "$FILE_SEARCHED is a directory" + # shellcheck disable=2044 + for file_in_dir in $(find "$FILE_SEARCHED" -type f); do + does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN" + if [ "$FNRET" != 0 ]; then + debug "$PATTERN is not present in 
$FILE_SEARCHED/$file_in_dir" + else + ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir" + SEARCH_RES=1 + break + fi + done + else + does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN" + if [ "$FNRET" != 0 ]; then + debug "$PATTERN is not present in $FILE_SEARCHED" + else + ok "$PATTERN is present in $FILES_TO_SEARCH" + SEARCH_RES=1 + fi + fi + done + if [ "$SEARCH_RES" = 0 ]; then + warn "$PATTERN is not present in $FILES_TO_SEARCH" + touch "$FILE" + chmod 644 "$FILE" + add_end_of_file "$FILE" "$PATTERN$VALUE" + add_end_of_file "$FILE" "readonly TMOUT" + add_end_of_file "$FILE" "export TMOUT" + else + ok "$PATTERN is present in $FILES_TO_SEARCH" + fi } # This function will check config parameters required diff --git a/bin/hardening/99.2_disable_usb_devices.sh b/bin/hardening/99.1.1.23_disable_usb_devices.sh similarity index 98% rename from bin/hardening/99.2_disable_usb_devices.sh rename to bin/hardening/99.1.1.23_disable_usb_devices.sh index 8ddf7c3..85754b2 100755 --- a/bin/hardening/99.2_disable_usb_devices.sh +++ b/bin/hardening/99.1.1.23_disable_usb_devices.sh @@ -2,11 +2,11 @@ # run-shellcheck # -# CIS Debian Hardening /!\ Not in the Guide +# CIS Debian Hardening Bonus Check # # -# 99.2 Disable USB Devices +# 99.1.1.23 Disable USB Devices # set -e # One error, it's over diff --git a/bin/hardening/99.3.2_acc_sudoers_no_all.sh b/bin/hardening/99.1.3_acc_sudoers_no_all.sh similarity index 97% rename from bin/hardening/99.3.2_acc_sudoers_no_all.sh rename to bin/hardening/99.1.3_acc_sudoers_no_all.sh index 4438895..53ab587 100755 --- a/bin/hardening/99.3.2_acc_sudoers_no_all.sh +++ b/bin/hardening/99.1.3_acc_sudoers_no_all.sh @@ -6,7 +6,7 @@ # # -# Checks there are no carte-blanche authorization in sudoers file(s). +# 99.1.3 Checks there are no carte-blanche authorization in sudoers file(s). # set -e # One error, it's over diff --git a/bin/hardening/99.1_timeout_tty.sh b/bin/hardening/99.1_timeout_tty.sh deleted file mode 100755 index 83b1958..0000000 
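Review bot: The audit in this hunk reports `ok` as soon as any line beginning with `TMOUT=` exists, so `TMOUT=0` (which disables the bash idle timeout) or `TMOUT=86400` satisfies a control whose only requirement is a 900-second ceiling; the value has to be extracted and compared before `SEARCH_RES=1` is set. Separately, the apply() loop probes `"$FILE_SEARCHED/$file_in_dir"` although `find` already prints full paths, so a `TMOUT=` line in /etc/profile.d — including the $FILE this script itself creates — is never recognised in apply mode and the three `add_end_of_file` lines appear to be re-appended on every enabled run; audit() correctly uses `"$file_in_dir"`. The new header also reads `5.4.4 Ensure default usershell timeout` in a file numbered 5.4.5. A minimal shape for the value check, usable from both audit() and apply() in place of each does_pattern_exist_in_file/FNRET pair:
```shell
MAX_TIMEOUT='900'

# Returns 0 when $1 holds a "TMOUT=<n>" line with 0 < n <= MAX_TIMEOUT, 1 otherwise.
tmout_value_ok() {
    local value
    value=$(grep -oE -- "^${PATTERN}[0-9]+" "$1" 2>/dev/null | tail -n 1 | cut -d= -f2)
    [ -n "$value" ] && [ "$value" -gt 0 ] && [ "$value" -le "$MAX_TIMEOUT" ]
}
# … unchanged: FILES_TO_SEARCH loop …
            if tmout_value_ok "$file_in_dir"; then
                ok "$PATTERN is present in $file_in_dir with a value <= $MAX_TIMEOUT"
                SEARCH_RES=1
                break
            fi
```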
--- a/bin/hardening/99.1_timeout_tty.sh +++ /dev/null 
@@ -1,121 +0,0 @@ -#!/bin/bash - -# run-shellcheck -# -# CIS Debian Hardening /!\ Not in the Guide -# - -# -# 99.1 Set Timeout on ttys -# - -set -e # One error, it's over -set -u # One variable unset, it's over - -# shellcheck disable=2034 -USER='root' -# shellcheck disable=2034 -DESCRIPTION="Timeout 600 seconds on tty." - -PATTERN='TMOUT=' -VALUE='600' -FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d /etc/profile' -FILE='/etc/profile.d/CIS_99.1_timeout.sh' - -# This function will be called if the script status is on enabled / audit mode -audit() { - SEARCH_RES=0 - for FILE_SEARCHED in $FILES_TO_SEARCH; do - if [ "$SEARCH_RES" = 1 ]; then break; fi - if test -d "$FILE_SEARCHED"; then - debug "$FILE_SEARCHED is a directory" - # shellcheck disable=2044 - for file_in_dir in $(find "$FILE_SEARCHED" -type f); do - does_pattern_exist_in_file "$file_in_dir" "^$PATTERN" - if [ "$FNRET" != 0 ]; then - debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir" - else - ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir" - SEARCH_RES=1 - break - fi - done - else - does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN" - if [ "$FNRET" != 0 ]; then - debug "$PATTERN is not present in $FILE_SEARCHED" - else - ok "$PATTERN is present in $FILES_TO_SEARCH" - SEARCH_RES=1 - fi - fi - done - if [ "$SEARCH_RES" = 0 ]; then - crit "$PATTERN is not present in $FILES_TO_SEARCH" - fi -} - -# This function will be called if the script status is on enabled mode -apply() { - SEARCH_RES=0 - for FILE_SEARCHED in $FILES_TO_SEARCH; do - if [ "$SEARCH_RES" = 1 ]; then break; fi - if test -d "$FILE_SEARCHED"; then - debug "$FILE_SEARCHED is a directory" - # shellcheck disable=2044 - for file_in_dir in $(find "$FILE_SEARCHED" -type f); do - does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN" - if [ "$FNRET" != 0 ]; then - debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir" - else - ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir" - SEARCH_RES=1 - break - 
fi - done - else - does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN" - if [ "$FNRET" != 0 ]; then - debug "$PATTERN is not present in $FILE_SEARCHED" - else - ok "$PATTERN is present in $FILES_TO_SEARCH" - SEARCH_RES=1 - fi - fi - done - if [ "$SEARCH_RES" = 0 ]; then - warn "$PATTERN is not present in $FILES_TO_SEARCH" - touch "$FILE" - chmod 644 "$FILE" - add_end_of_file "$FILE" "$PATTERN$VALUE" - add_end_of_file "$FILE" "readonly TMOUT" - add_end_of_file "$FILE" "export TMOUT" - else - ok "$PATTERN is present in $FILES_TO_SEARCH" - fi -} - -# This function will check config parameters required -check_config() { - : -} - -# Source Root Dir Parameter -if [ -r /etc/default/cis-hardening ]; then - # shellcheck source=../../debian/default - . /etc/default/cis-hardening -fi -if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." - exit 128 -fi - -# Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then - # shellcheck source=../../lib/main.sh - . "$CIS_ROOT_DIR"/lib/main.sh -else - echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" - exit 128 -fi diff --git a/bin/hardening/99.2.2_disable_telnet_server.sh b/bin/hardening/99.2.2_disable_telnet_server.sh index 646695c..ac5d23d 100755 --- a/bin/hardening/99.2.2_disable_telnet_server.sh +++ b/bin/hardening/99.2.2_disable_telnet_server.sh @@ -6,7 +6,7 @@ # # -# 2.2.18 Ensure telnet server is not enabled (Scored) +# 99.2.2 Ensure telnet server is not enabled (Scored) # # Note: this check is not anymore in CIS hardening but we decided to keep it anyway diff --git a/bin/hardening/99.3.3.1_install_tcp_wrapper.sh b/bin/hardening/99.3.3.1_install_tcp_wrapper.sh index 4d50569..381dbfa 100755 
--- a/bin/hardening/99.3.3.1_install_tcp_wrapper.sh +++ b/bin/hardening/99.3.3.1_install_tcp_wrapper.sh @@ -2,7 +2,7 @@ # run-shellcheck # -# CIS Debian Hardening +# Legacy CIS Debian Hardening # # diff --git a/bin/hardening/99.3.3.2_hosts_allow.sh b/bin/hardening/99.3.3.2_hosts_allow.sh index 9a56c8f..da3e77a 100755 --- a/bin/hardening/99.3.3.2_hosts_allow.sh +++ b/bin/hardening/99.3.3.2_hosts_allow.sh @@ -2,7 +2,7 @@ # run-shellcheck # -# CIS Debian Hardening +# Legacy CIS Debian Hardening # # diff --git a/bin/hardening/99.3.3.3_hosts_deny.sh b/bin/hardening/99.3.3.3_hosts_deny.sh index 157661b..a1b18e8 100755 --- a/bin/hardening/99.3.3.3_hosts_deny.sh +++ b/bin/hardening/99.3.3.3_hosts_deny.sh @@ -2,7 +2,7 @@ # run-shellcheck # -# CIS Debian Hardening +# Legacy CIS Debian Hardening # # diff --git a/bin/hardening/99.3.3.4_hosts_allow_permissions.sh b/bin/hardening/99.3.3.4_hosts_allow_permissions.sh index 4600150..6113b62 100755 --- a/bin/hardening/99.3.3.4_hosts_allow_permissions.sh +++ b/bin/hardening/99.3.3.4_hosts_allow_permissions.sh @@ -2,7 +2,7 @@ # run-shellcheck # -# CIS Debian Hardening +# Legacy CIS Debian Hardening # # diff --git a/bin/hardening/99.3.3.5_hosts_deny_permissions.sh b/bin/hardening/99.3.3.5_hosts_deny_permissions.sh index 5c2be1e..c862074 100755 --- a/bin/hardening/99.3.3.5_hosts_deny_permissions.sh +++ b/bin/hardening/99.3.3.5_hosts_deny_permissions.sh @@ -2,7 +2,7 @@ # run-shellcheck # -# CIS Debian Hardening +# Legacy CIS Debian Hardening # # diff --git a/bin/hardening/99.4.0_enable_auditd_kernel.sh b/bin/hardening/99.4.0_enable_auditd_kernel.sh index 447b0bc..c01c4d4 100755 --- a/bin/hardening/99.4.0_enable_auditd_kernel.sh +++ b/bin/hardening/99.4.0_enable_auditd_kernel.sh @@ -2,11 +2,11 @@ # run-shellcheck # -# CIS Debian Hardening +# CIS Debian Hardening Bonus Check # # -# 8.0 Ensure CONFIG_AUDIT is enabled in your running kernel +# 99.4.0 Ensure CONFIG_AUDIT is enabled in your running kernel # set -e # One error, it's over 
diff --git a/bin/hardening/99.5.1_ssh_auth_pubk_only.sh b/bin/hardening/99.5.2.1_ssh_auth_pubk_only.sh similarity index 97% rename from bin/hardening/99.5.1_ssh_auth_pubk_only.sh rename to bin/hardening/99.5.2.1_ssh_auth_pubk_only.sh index 46d7284..8b300af 100755 --- a/bin/hardening/99.5.1_ssh_auth_pubk_only.sh +++ b/bin/hardening/99.5.2.1_ssh_auth_pubk_only.sh @@ -6,7 +6,7 @@ # # -# Ensure that sshd only allows authentication through public key. +# 99.5.2.1 Ensure that sshd only allows authentication through public key. # set -e # One error, it's over diff --git a/bin/hardening/99.5.2.3_ssh_cry_rekey.sh b/bin/hardening/99.5.2.2_ssh_cry_rekey.sh similarity index 96% rename from bin/hardening/99.5.2.3_ssh_cry_rekey.sh rename to bin/hardening/99.5.2.2_ssh_cry_rekey.sh index ae60936..fc8d5a1 100755 --- a/bin/hardening/99.5.2.3_ssh_cry_rekey.sh +++ b/bin/hardening/99.5.2.2_ssh_cry_rekey.sh @@ -3,11 +3,11 @@ # run-shellcheck # -# CIS Debian 7/8 Hardening +# Legacy CIS Debian Hardening # # -# Checking rekey limit for time (6 hours) or volume (512Mio) whichever comes first. +# 99.5.2.2 Checking rekey limit for time (6 hours) or volume (512Mio) whichever comes first. # set -e # One error, it's over diff --git a/bin/hardening/99.5.3_ssh_disable_features.sh b/bin/hardening/99.5.2.3_ssh_disable_features.sh similarity index 97% rename from bin/hardening/99.5.3_ssh_disable_features.sh rename to bin/hardening/99.5.2.3_ssh_disable_features.sh index df31af8..06866f9 100755 --- a/bin/hardening/99.5.3_ssh_disable_features.sh +++ b/bin/hardening/99.5.2.3_ssh_disable_features.sh @@ -6,7 +6,7 @@ # # -# Check all special features in sshd_config are disabled +# 99.5.2.3 Check all special features in sshd_config are disabled # set -e # One error, it's over 
diff --git a/bin/hardening/99.5.4_ssh_keys_from.sh b/bin/hardening/99.5.2.4_ssh_keys_from.sh similarity index 98% rename from bin/hardening/99.5.4_ssh_keys_from.sh rename to bin/hardening/99.5.2.4_ssh_keys_from.sh index b27d340..3e36c2c 100755 --- a/bin/hardening/99.5.4_ssh_keys_from.sh +++ b/bin/hardening/99.5.2.4_ssh_keys_from.sh @@ -6,7 +6,7 @@ # # -# Check field in ssh authorized keys files for users with login shell, and bastions IP if available. +# 99.5.2.4 Check field in ssh authorized keys files for users with login shell, and bastions IP if available. # set -e # One error, it is over diff --git a/bin/hardening/99.5.5_ssh_strict_modes.sh b/bin/hardening/99.5.2.5_ssh_strict_modes.sh similarity index 96% rename from bin/hardening/99.5.5_ssh_strict_modes.sh rename to bin/hardening/99.5.2.5_ssh_strict_modes.sh index 9488b04..ed34c7a 100755 --- a/bin/hardening/99.5.5_ssh_strict_modes.sh +++ b/bin/hardening/99.5.2.5_ssh_strict_modes.sh @@ -6,7 +6,7 @@ # # -# Ensure home directory and ssh sensitive files are verified (not publicly readable) before connecting. +# 99.5.2.5 Ensure home directory and ssh sensitive files are verified (not publicly readable) before connecting. # set -e # One error, it's over diff --git a/bin/hardening/99.5.6_ssh_sys_accept_env.sh b/bin/hardening/99.5.2.6_ssh_sys_accept_env.sh similarity index 96% rename from bin/hardening/99.5.6_ssh_sys_accept_env.sh rename to bin/hardening/99.5.2.6_ssh_sys_accept_env.sh index 635ad0d..2e0a663 100755 --- a/bin/hardening/99.5.6_ssh_sys_accept_env.sh +++ b/bin/hardening/99.5.2.6_ssh_sys_accept_env.sh @@ -2,11 +2,11 @@ # run-shellcheck # -# CIS Debian 7/8 Hardening +# Legacy CIS Debian Hardening # # -# Restrict which user's variables are accepted by ssh daemon +# 99.5.2.6 Restrict which user's variables are accepted by ssh daemon # set -e # One error, it's over 
diff --git a/bin/hardening/99.5.7_ssh_sys_no_legacy.sh b/bin/hardening/99.5.2.7_ssh_sys_no_legacy.sh similarity index 93% rename from bin/hardening/99.5.7_ssh_sys_no_legacy.sh rename to bin/hardening/99.5.2.7_ssh_sys_no_legacy.sh index 38510bc..24d9cb6 100755 --- a/bin/hardening/99.5.7_ssh_sys_no_legacy.sh +++ b/bin/hardening/99.5.2.7_ssh_sys_no_legacy.sh @@ -1,12 +1,14 @@ #!/bin/bash # run-shellcheck -# CIS Debian 7 Hardening +# +# Legacy CIS Debian Hardening # # -# Ensure that legacy services rlogin, rlogind and rcp are disabled and not installed +# 99.5.2.7 Ensure that legacy services rlogin, rlogind and rcp are disabled and not installed # + set -e # One error, it's over set -u # One variable unset, it's over diff --git a/bin/hardening/99.5.8_ssh_sys_sandbox.sh b/bin/hardening/99.5.2.8_ssh_sys_sandbox.sh similarity index 97% rename from bin/hardening/99.5.8_ssh_sys_sandbox.sh rename to bin/hardening/99.5.2.8_ssh_sys_sandbox.sh index 2fb0a82..8f298e2 100755 --- a/bin/hardening/99.5.8_ssh_sys_sandbox.sh +++ b/bin/hardening/99.5.2.8_ssh_sys_sandbox.sh @@ -2,11 +2,11 @@ # run-shellcheck # -# CIS Debian 7/8 Hardening +# Legacy CIS Debian Hardening # # -# Check UsePrivilegeSeparation set to sandbox. +# 99.5.2.8 Check UsePrivilegeSeparation set to sandbox. # set -e # One error, it's over diff --git a/bin/hardening/99.3.4_acc_logindefs_sha512.sh b/bin/hardening/99.5.4.5.1_acc_logindefs_sha512.sh similarity index 96% rename from bin/hardening/99.3.4_acc_logindefs_sha512.sh rename to bin/hardening/99.5.4.5.1_acc_logindefs_sha512.sh index e596138..57fdd87 100755 --- a/bin/hardening/99.3.4_acc_logindefs_sha512.sh +++ b/bin/hardening/99.5.4.5.1_acc_logindefs_sha512.sh @@ -6,7 +6,7 @@ # # -# Check that any password that may exist in /etc/shadow is SHA512 hashed and salted +# 99.5.4.5.1 Check that any password that may exist in /etc/shadow is SHA512 hashed and salted # set -e # One error, it's over 
diff --git a/bin/hardening/99.3.1_acc_shadow_sha512.sh b/bin/hardening/99.5.4.5.2_acc_shadow_sha512.sh similarity index 96% rename from bin/hardening/99.3.1_acc_shadow_sha512.sh rename to bin/hardening/99.5.4.5.2_acc_shadow_sha512.sh index df2f5f9..93c7179 100755 --- a/bin/hardening/99.3.1_acc_shadow_sha512.sh +++ b/bin/hardening/99.5.4.5.2_acc_shadow_sha512.sh @@ -6,7 +6,7 @@ # # -# Check that any password that may exist in /etc/shadow is SHA512 hashed and salted +# 99.5.4.5.2 Check that any password that may exist in /etc/shadow is SHA512 hashed and salted # set -e # One error, it's over diff --git a/bin/hardening/99.5.9_ssh_loglevel.sh b/bin/hardening/99.5.9_ssh_loglevel.sh deleted file mode 100755 index 0d81e49..0000000 --- a/bin/hardening/99.5.9_ssh_loglevel.sh +++ /dev/null 
@@ -1,98 +0,0 @@ -#!/bin/bash - -# run-shellcheck -# -# CIS Debian 7/8 Hardening -# - -# -# SSH log level is set to VERBOSE -# - -set -e # One error, it's over -set -u # One variable unset, it's over - -# shellcheck disable=2034 -DESCRIPTION="SSH log level is set to VERBOSE" -# shellcheck disable=2034 -HARDENING_LEVEL=2 - -PACKAGE='openssh-server' -OPTIONS='LogLevel=VERBOSE' -FILE='/etc/ssh/sshd_config' - -# This function will be called if the script status is on enabled / audit mode -audit() { - is_pkg_installed "$PACKAGE" - if [ "$FNRET" != 0 ]; then - crit "$PACKAGE is not installed!" - else - ok "$PACKAGE is installed" - for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) - SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) - PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file_nocase "$FILE" "$PATTERN" - if [ "$FNRET" = 0 ]; then - ok "$PATTERN is present in $FILE" - else - crit "$PATTERN is not present in $FILE" - fi - done - fi -} - -# This function will be called if the script status is on enabled mode -apply() { - is_pkg_installed "$PACKAGE" - if [ "$FNRET" = 0 ]; then - ok "$PACKAGE is installed" - else - crit "$PACKAGE is absent, installing it" - apt_install "$PACKAGE" - fi - for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1) - SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2) - PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file_nocase "$FILE" "$PATTERN" - if [ "$FNRET" = 0 ]; then - ok "$PATTERN is present in $FILE" - else - warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}" - if [ "$FNRET" != 0 ]; then - add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE" - else - info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" - fi - /etc/init.d/ssh reload >/dev/null 2>&1 - fi - done -} - -# This function will 
check config parameters required -check_config() { - : -} - -# Source Root Dir Parameter -if [ -r /etc/default/cis-hardening ]; then - # shellcheck source=../../debian/default - . /etc/default/cis-hardening -fi -if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." - exit 128 -fi - -# Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then - # shellcheck source=../../lib/main.sh - . "$CIS_ROOT_DIR"/lib/main.sh -else - echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" - exit 128 -fi diff --git a/tests/hardening/5.4.5_default_timeout.sh b/tests/hardening/5.4.5_default_timeout.sh index f85b20d..6868a51 100644 --- a/tests/hardening/5.4.5_default_timeout.sh +++ b/tests/hardening/5.4.5_default_timeout.sh @@ -7,5 +7,14 @@ test_audit() { # shellcheck disable=2154 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + echo "TMOUT=600" >/etc/profile.d/CIS_99.1_timeout.sh + + describe compliant + register_test retvalshouldbe 0 + run compliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + # TODO fill comprehensive tests + + # Cleanup + rm /etc/profile.d/CIS_99.1_timeout.sh } diff --git a/tests/hardening/99.2_disable_usb_devices.sh b/tests/hardening/99.1.1.23_disable_usb_devices.sh similarity index 100% rename from tests/hardening/99.2_disable_usb_devices.sh rename to tests/hardening/99.1.1.23_disable_usb_devices.sh diff --git a/tests/hardening/99.3.2_acc_sudoers_no_all.sh b/tests/hardening/99.1.3_acc_sudoers_no_all.sh similarity index 100% rename from tests/hardening/99.3.2_acc_sudoers_no_all.sh rename to tests/hardening/99.1.3_acc_sudoers_no_all.sh 
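Review bot: The only case this hunk adds writes `TMOUT=600` and expects success, so the test cannot tell a real 900-second ceiling apart from a bare presence check; a value above the limit, or `TMOUT=0` which disables the timeout, should be expected to fail. Unless the audit compares the value, such a case currently passes, which is exactly the gap the test would expose. The fixture path also still carries the old `99.1` numbering that this commit is retiring. Before the cleanup, something like:
```shell
echo "TMOUT=3600" >/etc/profile.d/CIS_99.1_timeout.sh
describe timeout above limit
register_test retvalshouldbe 1
run toolong /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
```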
diff --git a/tests/hardening/99.1_timeout_tty.sh b/tests/hardening/99.1_timeout_tty.sh deleted file mode 100644 index 6868a51..0000000 --- a/tests/hardening/99.1_timeout_tty.sh +++ /dev/null @@ -1,20 +0,0 @@ -# shellcheck shell=bash -# run-shellcheck -test_audit() { - describe Running on blank host - register_test retvalshouldbe 0 - dismiss_count_for_test - # shellcheck disable=2154 - run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - - echo "TMOUT=600" >/etc/profile.d/CIS_99.1_timeout.sh - - describe compliant - register_test retvalshouldbe 0 - run compliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - - # TODO fill comprehensive tests - - # Cleanup - rm /etc/profile.d/CIS_99.1_timeout.sh -} diff --git a/tests/hardening/99.5.1_ssh_auth_pubk_only.sh b/tests/hardening/99.5.2.1_ssh_auth_pubk_only.sh similarity index 100% rename from tests/hardening/99.5.1_ssh_auth_pubk_only.sh rename to tests/hardening/99.5.2.1_ssh_auth_pubk_only.sh diff --git a/tests/hardening/99.5.2.3_ssh_cry_rekey.sh b/tests/hardening/99.5.2.2_ssh_cry_rekey.sh similarity index 100% rename from tests/hardening/99.5.2.3_ssh_cry_rekey.sh rename to tests/hardening/99.5.2.2_ssh_cry_rekey.sh diff --git a/tests/hardening/99.5.3_ssh_disable_features.sh b/tests/hardening/99.5.2.3_ssh_disable_features.sh similarity index 100% rename from tests/hardening/99.5.3_ssh_disable_features.sh rename to tests/hardening/99.5.2.3_ssh_disable_features.sh diff --git a/tests/hardening/99.5.4_ssh_keys_from.sh b/tests/hardening/99.5.2.4_ssh_keys_from.sh similarity index 100% rename from tests/hardening/99.5.4_ssh_keys_from.sh rename to tests/hardening/99.5.2.4_ssh_keys_from.sh diff --git a/tests/hardening/99.5.5_ssh_strict_modes.sh b/tests/hardening/99.5.2.5_ssh_strict_modes.sh similarity index 100% rename from tests/hardening/99.5.5_ssh_strict_modes.sh rename to tests/hardening/99.5.2.5_ssh_strict_modes.sh 
diff --git a/tests/hardening/99.5.6_ssh_sys_accept_env.sh b/tests/hardening/99.5.2.6_ssh_sys_accept_env.sh similarity index 100% rename from tests/hardening/99.5.6_ssh_sys_accept_env.sh rename to tests/hardening/99.5.2.6_ssh_sys_accept_env.sh diff --git a/tests/hardening/99.5.7_ssh_sys_no_legacy.sh b/tests/hardening/99.5.2.7_ssh_sys_no_legacy.sh similarity index 100% rename from tests/hardening/99.5.7_ssh_sys_no_legacy.sh rename to tests/hardening/99.5.2.7_ssh_sys_no_legacy.sh diff --git a/tests/hardening/99.5.8_ssh_sys_sandbox.sh b/tests/hardening/99.5.2.8_ssh_sys_sandbox.sh similarity index 100% rename from tests/hardening/99.5.8_ssh_sys_sandbox.sh rename to tests/hardening/99.5.2.8_ssh_sys_sandbox.sh diff --git a/tests/hardening/99.3.4_acc_logindefs_sha512.sh b/tests/hardening/99.5.4.5.1_acc_logindefs_sha512.sh similarity index 100% rename from tests/hardening/99.3.4_acc_logindefs_sha512.sh rename to tests/hardening/99.5.4.5.1_acc_logindefs_sha512.sh diff --git a/tests/hardening/99.3.1_acc_shadow_sha512.sh b/tests/hardening/99.5.4.5.2_acc_shadow_sha512.sh similarity index 100% rename from tests/hardening/99.3.1_acc_shadow_sha512.sh rename to tests/hardening/99.5.4.5.2_acc_shadow_sha512.sh diff --git a/tests/hardening/99.5.9_ssh_loglevel.sh b/tests/hardening/99.5.9_ssh_loglevel.sh deleted file mode 100644 index 823882b..0000000 --- a/tests/hardening/99.5.9_ssh_loglevel.sh +++ /dev/null 
@@ -1,22 +0,0 @@ -# shellcheck shell=bash -# run-shellcheck -test_audit() { - describe Running on blank host - register_test retvalshouldbe 1 - register_test contain "openssh-server is installed" - # shellcheck disable=2154 - run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - - describe Correcting situation - # `apply` performs a service reload after each change in the config file - # the service needs to be started for the reload to succeed - service ssh start - # if the audit script provides "apply" option, enable and run it - sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg - /opt/debian-cis/bin/hardening/"${script}".sh || true - - describe Checking resolved state - register_test retvalshouldbe 0 - register_test contain "[ OK ] ^LogLevel[[:space:]]*VERBOSE is present in /etc/ssh/sshd_config" - run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all -}