Renum 99.x files to comply with debian10 CIS

bin/hardening/5.4.5_default_timeout.sh

@@ -6,25 +6,93 @@
 #
 
 #
-# 5.4.5 Ensure default user shell timeout is 900 seconds or less (Scored)
+# 5.4.4 Ensure default usershell timeout is 900 seconds or less
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 # shellcheck disable=2034
-HARDENING_LEVEL=3
+USER='root'
 # shellcheck disable=2034
-DESCRIPTION="Configure the default user shell timeout."
+DESCRIPTION="Timeout 600 seconds on tty."
+
+PATTERN='TMOUT='
+VALUE='600'
+FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d /etc/profile'
+FILE='/etc/profile.d/CIS_99.1_timeout.sh'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    :
+    SEARCH_RES=0
+    for FILE_SEARCHED in $FILES_TO_SEARCH; do
+        if [ "$SEARCH_RES" = 1 ]; then break; fi
+        if test -d "$FILE_SEARCHED"; then
+            debug "$FILE_SEARCHED is a directory"
+            # shellcheck disable=2044
+            for file_in_dir in $(find "$FILE_SEARCHED" -type f); do
+                does_pattern_exist_in_file "$file_in_dir" "^$PATTERN"
+                if [ "$FNRET" != 0 ]; then
+                    debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
+                else
+                    ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir"
+                    SEARCH_RES=1
+                    break
+                fi
+            done
+        else
+            does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
+            if [ "$FNRET" != 0 ]; then
+                debug "$PATTERN is not present in $FILE_SEARCHED"
+            else
+                ok "$PATTERN is present in $FILES_TO_SEARCH"
+                SEARCH_RES=1
+            fi
+        fi
+    done
+    if [ "$SEARCH_RES" = 0 ]; then
+        crit "$PATTERN is not present in $FILES_TO_SEARCH"
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    :
+    SEARCH_RES=0
+    for FILE_SEARCHED in $FILES_TO_SEARCH; do
+        if [ "$SEARCH_RES" = 1 ]; then break; fi
+        if test -d "$FILE_SEARCHED"; then
+            debug "$FILE_SEARCHED is a directory"
+            # shellcheck disable=2044
+            for file_in_dir in $(find "$FILE_SEARCHED" -type f); do
+                does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN"
+                if [ "$FNRET" != 0 ]; then
+                    debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
+                else
+                    ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir"
+                    SEARCH_RES=1
+                    break
+                fi
+            done
+        else
+            does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
+            if [ "$FNRET" != 0 ]; then
+                debug "$PATTERN is not present in $FILE_SEARCHED"
+            else
+                ok "$PATTERN is present in $FILES_TO_SEARCH"
+                SEARCH_RES=1
+            fi
+        fi
+    done
+    if [ "$SEARCH_RES" = 0 ]; then
+        warn "$PATTERN is not present in $FILES_TO_SEARCH"
+        touch "$FILE"
+        chmod 644 "$FILE"
+        add_end_of_file "$FILE" "$PATTERN$VALUE"
+        add_end_of_file "$FILE" "readonly TMOUT"
+        add_end_of_file "$FILE" "export TMOUT"
+    else
+        ok "$PATTERN is present in $FILES_TO_SEARCH"
+    fi
 }
 
 # This function will check config parameters required

bin/hardening/99.1.1.23_disable_usb_devices.sh

@@ -2,11 +2,11 @@
 
 # run-shellcheck
 #
-# CIS Debian Hardening /!\ Not in the Guide
+# CIS Debian Hardening Bonus Check
 #
 
 #
-# 99.2 Disable USB Devices
+# 99.1.1.23 Disable USB Devices
 #
 
 set -e # One error, it's over

bin/hardening/99.1.3_acc_sudoers_no_all.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Checks there are no carte-blanche authorization in sudoers file(s).
+# 99.1.3 Checks there are no carte-blanche authorization in sudoers file(s).
 #
 
 set -e # One error, it's over

bin/hardening/99.1_timeout_tty.sh

@@ -1,121 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian Hardening /!\ Not in the Guide
-#
-
-#
-# 99.1 Set Timeout on ttys
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-USER='root'
-# shellcheck disable=2034
-DESCRIPTION="Timeout 600 seconds on tty."
-
-PATTERN='TMOUT='
-VALUE='600'
-FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d /etc/profile'
-FILE='/etc/profile.d/CIS_99.1_timeout.sh'
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    SEARCH_RES=0
-    for FILE_SEARCHED in $FILES_TO_SEARCH; do
-        if [ "$SEARCH_RES" = 1 ]; then break; fi
-        if test -d "$FILE_SEARCHED"; then
-            debug "$FILE_SEARCHED is a directory"
-            # shellcheck disable=2044
-            for file_in_dir in $(find "$FILE_SEARCHED" -type f); do
-                does_pattern_exist_in_file "$file_in_dir" "^$PATTERN"
-                if [ "$FNRET" != 0 ]; then
-                    debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
-                else
-                    ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir"
-                    SEARCH_RES=1
-                    break
-                fi
-            done
-        else
-            does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
-            if [ "$FNRET" != 0 ]; then
-                debug "$PATTERN is not present in $FILE_SEARCHED"
-            else
-                ok "$PATTERN is present in $FILES_TO_SEARCH"
-                SEARCH_RES=1
-            fi
-        fi
-    done
-    if [ "$SEARCH_RES" = 0 ]; then
-        crit "$PATTERN is not present in $FILES_TO_SEARCH"
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    SEARCH_RES=0
-    for FILE_SEARCHED in $FILES_TO_SEARCH; do
-        if [ "$SEARCH_RES" = 1 ]; then break; fi
-        if test -d "$FILE_SEARCHED"; then
-            debug "$FILE_SEARCHED is a directory"
-            # shellcheck disable=2044
-            for file_in_dir in $(find "$FILE_SEARCHED" -type f); do
-                does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN"
-                if [ "$FNRET" != 0 ]; then
-                    debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
-                else
-                    ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir"
-                    SEARCH_RES=1
-                    break
-                fi
-            done
-        else
-            does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
-            if [ "$FNRET" != 0 ]; then
-                debug "$PATTERN is not present in $FILE_SEARCHED"
-            else
-                ok "$PATTERN is present in $FILES_TO_SEARCH"
-                SEARCH_RES=1
-            fi
-        fi
-    done
-    if [ "$SEARCH_RES" = 0 ]; then
-        warn "$PATTERN is not present in $FILES_TO_SEARCH"
-        touch "$FILE"
-        chmod 644 "$FILE"
-        add_end_of_file "$FILE" "$PATTERN$VALUE"
-        add_end_of_file "$FILE" "readonly TMOUT"
-        add_end_of_file "$FILE" "export TMOUT"
-    else
-        ok "$PATTERN is present in $FILES_TO_SEARCH"
-    fi
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

bin/hardening/99.2.2_disable_telnet_server.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# 2.2.18 Ensure telnet server is not enabled (Scored)
+# 99.2.2 Ensure telnet server is not enabled (Scored)
 #
 
 # Note: this check is not anymore in CIS hardening but we decided to keep it anyway

bin/hardening/99.3.3.1_install_tcp_wrapper.sh

@@ -2,7 +2,7 @@
 
 # run-shellcheck
 #
-# CIS Debian Hardening
+# Legacy CIS Debian Hardening
 #
 
 #

bin/hardening/99.3.3.2_hosts_allow.sh

@@ -2,7 +2,7 @@
 
 # run-shellcheck
 #
-# CIS Debian Hardening
+# Legacy CIS Debian Hardening
 #
 
 #

bin/hardening/99.3.3.3_hosts_deny.sh

@@ -2,7 +2,7 @@
 
 # run-shellcheck
 #
-# CIS Debian Hardening
+# Legacy CIS Debian Hardening
 #
 
 #

bin/hardening/99.3.3.4_hosts_allow_permissions.sh

@@ -2,7 +2,7 @@
 
 # run-shellcheck
 #
-# CIS Debian Hardening
+# Legacy CIS Debian Hardening
 #
 
 #

bin/hardening/99.3.3.5_hosts_deny_permissions.sh

@@ -2,7 +2,7 @@
 
 # run-shellcheck
 #
-# CIS Debian Hardening
+# Legacy CIS Debian Hardening
 #
 
 #

bin/hardening/99.4.0_enable_auditd_kernel.sh

@@ -2,11 +2,11 @@
 
 # run-shellcheck
 #
-# CIS Debian Hardening
+# CIS Debian Hardening Bonus Check
 #
 
 #
-# 8.0 Ensure CONFIG_AUDIT is enabled in your running kernel
+# 99.4.0 Ensure CONFIG_AUDIT is enabled in your running kernel
 #
 
 set -e # One error, it's over

bin/hardening/99.5.2.1_ssh_auth_pubk_only.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure that sshd only allows authentication through public key.
+# 99.5.2.1 Ensure that sshd only allows authentication through public key.
 #
 
 set -e # One error, it's over

bin/hardening/99.5.2.2_ssh_cry_rekey.sh

@@ -3,11 +3,11 @@
 # run-shellcheck
 
 #
-# CIS Debian 7/8 Hardening
+# Legacy CIS Debian Hardening
 #
 
 #
-# Checking rekey limit for time (6 hours) or volume (512Mio) whichever comes first.
+# 99.5.2.2 Checking rekey limit for time (6 hours) or volume (512Mio) whichever comes first.
 #
 
 set -e # One error, it's over

bin/hardening/99.5.2.3_ssh_disable_features.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Check all special features in sshd_config are disabled
+# 99.5.2.3 Check all special features in sshd_config are disabled
 #
 
 set -e # One error, it's over

bin/hardening/99.5.2.4_ssh_keys_from.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Check <from> field in ssh authorized keys files for users with login shell, and bastions IP if available.
+# 99.5.2.4 Check <from> field in ssh authorized keys files for users with login shell, and bastions IP if available.
 #
 
 set -e # One error, it is over

bin/hardening/99.5.2.5_ssh_strict_modes.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Ensure home directory and ssh sensitive files are verified (not publicly readable)  before connecting.
+# 99.5.2.5 Ensure home directory and ssh sensitive files are verified (not publicly readable)  before connecting.
 #
 
 set -e # One error, it's over

bin/hardening/99.5.2.6_ssh_sys_accept_env.sh

@@ -2,11 +2,11 @@
 
 # run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# Legacy CIS Debian Hardening
 #
 
 #
-# Restrict which user's variables are accepted by ssh daemon
+# 99.5.2.6 Restrict which user's variables are accepted by ssh daemon
 #
 
 set -e # One error, it's over

bin/hardening/99.5.2.7_ssh_sys_no_legacy.sh

@@ -1,12 +1,14 @@
 #!/bin/bash
 
 # run-shellcheck
-# CIS Debian 7 Hardening
+#
+# Legacy CIS Debian Hardening
 #
 
 #
-# Ensure that legacy services rlogin, rlogind and rcp are disabled and not installed
+# 99.5.2.7 Ensure that legacy services rlogin, rlogind and rcp are disabled and not installed
 #
+
 set -e # One error, it's over
 set -u # One variable unset, it's over
 

bin/hardening/99.5.2.8_ssh_sys_sandbox.sh

@@ -2,11 +2,11 @@
 
 # run-shellcheck
 #
-# CIS Debian 7/8 Hardening
+# Legacy CIS Debian Hardening
 #
 
 #
-# Check UsePrivilegeSeparation set to sandbox.
+# 99.5.2.8 Check UsePrivilegeSeparation set to sandbox.
 #
 
 set -e # One error, it's over

bin/hardening/99.5.4.5.1_acc_logindefs_sha512.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Check that any password that may exist in /etc/shadow is SHA512 hashed and salted
+# 99.5.4.5.1 Check that any password that may exist in /etc/shadow is SHA512 hashed and salted
 #
 
 set -e # One error, it's over

bin/hardening/99.5.4.5.2_acc_shadow_sha512.sh

@@ -6,7 +6,7 @@
 #
 
 #
-# Check that any password that may exist in /etc/shadow is SHA512 hashed and salted
+# 99.5.4.5.2 Check that any password that may exist in /etc/shadow is SHA512 hashed and salted
 #
 
 set -e # One error, it's over

bin/hardening/99.5.9_ssh_loglevel.sh

@@ -1,98 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# CIS Debian 7/8 Hardening
-#
-
-#
-# SSH log level is set to VERBOSE
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-DESCRIPTION="SSH log level is set to VERBOSE"
-# shellcheck disable=2034
-HARDENING_LEVEL=2
-
-PACKAGE='openssh-server'
-OPTIONS='LogLevel=VERBOSE'
-FILE='/etc/ssh/sshd_config'
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
-    is_pkg_installed "$PACKAGE"
-    if [ "$FNRET" != 0 ]; then
-        crit "$PACKAGE is not installed!"
-    else
-        ok "$PACKAGE is installed"
-        for SSH_OPTION in $OPTIONS; do
-            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
-            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
-            PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-            does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
-            if [ "$FNRET" = 0 ]; then
-                ok "$PATTERN is present in $FILE"
-            else
-                crit "$PATTERN is not present in $FILE"
-            fi
-        done
-    fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
-    is_pkg_installed "$PACKAGE"
-    if [ "$FNRET" = 0 ]; then
-        ok "$PACKAGE is installed"
-    else
-        crit "$PACKAGE is absent, installing it"
-        apt_install "$PACKAGE"
-    fi
-    for SSH_OPTION in $OPTIONS; do
-        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
-        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
-        PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
-        does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
-        if [ "$FNRET" = 0 ]; then
-            ok "$PATTERN is present in $FILE"
-        else
-            warn "$PATTERN is not present in $FILE, adding it"
-            does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
-            if [ "$FNRET" != 0 ]; then
-                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
-            else
-                info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
-            fi
-            /etc/init.d/ssh reload >/dev/null 2>&1
-        fi
-    done
-}
-
-# This function will check config parameters required
-check_config() {
-    :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
-    # shellcheck source=../../debian/default
-    . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
-    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
-    echo "Cannot source CIS_ROOT_DIR variable, aborting."
-    exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    # shellcheck source=../../lib/main.sh
-    . "$CIS_ROOT_DIR"/lib/main.sh
-else
-    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
-    exit 128
-fi

tests/hardening/5.4.5_default_timeout.sh

@@ -7,5 +7,14 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
+    echo "TMOUT=600" >/etc/profile.d/CIS_99.1_timeout.sh
+
+    describe compliant
+    register_test retvalshouldbe 0
+    run compliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
     # TODO fill comprehensive tests
+
+    # Cleanup
+    rm /etc/profile.d/CIS_99.1_timeout.sh
 }

tests/hardening/99.1_timeout_tty.sh

@@ -1,20 +0,0 @@
-# shellcheck shell=bash
-# run-shellcheck
-test_audit() {
-    describe Running on blank host
-    register_test retvalshouldbe 0
-    dismiss_count_for_test
-    # shellcheck disable=2154
-    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-
-    echo "TMOUT=600" >/etc/profile.d/CIS_99.1_timeout.sh
-
-    describe compliant
-    register_test retvalshouldbe 0
-    run compliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-
-    # TODO fill comprehensive tests
-
-    # Cleanup
-    rm /etc/profile.d/CIS_99.1_timeout.sh
-}

tests/hardening/99.5.9_ssh_loglevel.sh

@@ -1,22 +0,0 @@
-# shellcheck shell=bash
-# run-shellcheck
-test_audit() {
-    describe Running on blank host
-    register_test retvalshouldbe 1
-    register_test contain "openssh-server is installed"
-    # shellcheck disable=2154
-    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-
-    describe Correcting situation
-    # `apply` performs a service reload after each change in the config file
-    # the service needs to be started for the reload to succeed
-    service ssh start
-    # if the audit script provides "apply" option, enable and run it
-    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
-    /opt/debian-cis/bin/hardening/"${script}".sh || true
-
-    describe Checking resolved state
-    register_test retvalshouldbe 0
-    register_test contain "[ OK ] ^LogLevel[[:space:]]*VERBOSE is present in /etc/ssh/sshd_config"
-    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-}