Renum 99.x files to comply with debian10 CIS

2025-06-24 03:24:34 +02:00 · 2020-12-22 16:36:35 +01:00
parent 87e242a42d
commit 9cbc3f85a9
37 changed files with 109 additions and 291 deletions
--- a/bin/hardening/5.4.5_default_timeout.sh
+++ b/bin/hardening/5.4.5_default_timeout.sh
@ -6,25 +6,93 @@
 #

 #
-# 5.4.5 Ensure default user shell timeout is 900 seconds or less (Scored)
+# 5.4.4 Ensure default usershell timeout is 900 seconds or less
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

 # shellcheck disable=2034
-HARDENING_LEVEL=3
+USER='root'
 # shellcheck disable=2034
-DESCRIPTION="Configure the default user shell timeout."
+DESCRIPTION="Timeout 600 seconds on tty."
+
+PATTERN='TMOUT='
+VALUE='600'
+FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d /etc/profile'
+FILE='/etc/profile.d/CIS_99.1_timeout.sh'

 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    :
+    SEARCH_RES=0
+    for FILE_SEARCHED in $FILES_TO_SEARCH; do
+        if [ "$SEARCH_RES" = 1 ]; then break; fi
+        if test -d "$FILE_SEARCHED"; then
+            debug "$FILE_SEARCHED is a directory"
+            # shellcheck disable=2044
+            for file_in_dir in $(find "$FILE_SEARCHED" -type f); do
+                does_pattern_exist_in_file "$file_in_dir" "^$PATTERN"
+                if [ "$FNRET" != 0 ]; then
+                    debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
+                else
+                    ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir"
+                    SEARCH_RES=1
+                    break
+                fi
+            done
+        else
+            does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
+            if [ "$FNRET" != 0 ]; then
+                debug "$PATTERN is not present in $FILE_SEARCHED"
+            else
+                ok "$PATTERN is present in $FILES_TO_SEARCH"
+                SEARCH_RES=1
+            fi
+        fi
+    done
+    if [ "$SEARCH_RES" = 0 ]; then
+        crit "$PATTERN is not present in $FILES_TO_SEARCH"
+    fi
 }

 # This function will be called if the script status is on enabled mode
 apply() {
-    :
+    SEARCH_RES=0
+    for FILE_SEARCHED in $FILES_TO_SEARCH; do
+        if [ "$SEARCH_RES" = 1 ]; then break; fi
+        if test -d "$FILE_SEARCHED"; then
+            debug "$FILE_SEARCHED is a directory"
+            # shellcheck disable=2044
+            for file_in_dir in $(find "$FILE_SEARCHED" -type f); do
+                does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN"
+                if [ "$FNRET" != 0 ]; then
+                    debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
+                else
+                    ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir"
+                    SEARCH_RES=1
+                    break
+                fi
+            done
+        else
+            does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
+            if [ "$FNRET" != 0 ]; then
+                debug "$PATTERN is not present in $FILE_SEARCHED"
+            else
+                ok "$PATTERN is present in $FILES_TO_SEARCH"
+                SEARCH_RES=1
+            fi
+        fi
+    done
+    if [ "$SEARCH_RES" = 0 ]; then
+        warn "$PATTERN is not present in $FILES_TO_SEARCH"
+        touch "$FILE"
+        chmod 644 "$FILE"
+        add_end_of_file "$FILE" "$PATTERN$VALUE"
+        add_end_of_file "$FILE" "readonly TMOUT"
+        add_end_of_file "$FILE" "export TMOUT"
+    else
+        ok "$PATTERN is present in $FILES_TO_SEARCH"
+    fi
 }

 # This function will check config parameters required