mirror of
https://github.com/ovh/debian-cis.git
synced 2024-11-25 23:11:24 +01:00
Renum 99.x files to comply with debian10 CIS
This commit is contained in:
parent
87e242a42d
commit
9cbc3f85a9
@ -6,25 +6,93 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# 5.4.5 Ensure default user shell timeout is 900 seconds or less (Scored)
|
# 5.4.4 Ensure default usershell timeout is 900 seconds or less
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
HARDENING_LEVEL=3
|
USER='root'
|
||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
DESCRIPTION="Configure the default user shell timeout."
|
DESCRIPTION="Timeout 600 seconds on tty."
|
||||||
|
|
||||||
|
PATTERN='TMOUT='
|
||||||
|
VALUE='600'
|
||||||
|
FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d /etc/profile'
|
||||||
|
FILE='/etc/profile.d/CIS_99.1_timeout.sh'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
:
|
SEARCH_RES=0
|
||||||
|
for FILE_SEARCHED in $FILES_TO_SEARCH; do
|
||||||
|
if [ "$SEARCH_RES" = 1 ]; then break; fi
|
||||||
|
if test -d "$FILE_SEARCHED"; then
|
||||||
|
debug "$FILE_SEARCHED is a directory"
|
||||||
|
# shellcheck disable=2044
|
||||||
|
for file_in_dir in $(find "$FILE_SEARCHED" -type f); do
|
||||||
|
does_pattern_exist_in_file "$file_in_dir" "^$PATTERN"
|
||||||
|
if [ "$FNRET" != 0 ]; then
|
||||||
|
debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
|
||||||
|
else
|
||||||
|
ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir"
|
||||||
|
SEARCH_RES=1
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
else
|
||||||
|
does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
|
||||||
|
if [ "$FNRET" != 0 ]; then
|
||||||
|
debug "$PATTERN is not present in $FILE_SEARCHED"
|
||||||
|
else
|
||||||
|
ok "$PATTERN is present in $FILES_TO_SEARCH"
|
||||||
|
SEARCH_RES=1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ "$SEARCH_RES" = 0 ]; then
|
||||||
|
crit "$PATTERN is not present in $FILES_TO_SEARCH"
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply() {
|
apply() {
|
||||||
:
|
SEARCH_RES=0
|
||||||
|
for FILE_SEARCHED in $FILES_TO_SEARCH; do
|
||||||
|
if [ "$SEARCH_RES" = 1 ]; then break; fi
|
||||||
|
if test -d "$FILE_SEARCHED"; then
|
||||||
|
debug "$FILE_SEARCHED is a directory"
|
||||||
|
# shellcheck disable=2044
|
||||||
|
for file_in_dir in $(find "$FILE_SEARCHED" -type f); do
|
||||||
|
does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN"
|
||||||
|
if [ "$FNRET" != 0 ]; then
|
||||||
|
debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
|
||||||
|
else
|
||||||
|
ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir"
|
||||||
|
SEARCH_RES=1
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
else
|
||||||
|
does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
|
||||||
|
if [ "$FNRET" != 0 ]; then
|
||||||
|
debug "$PATTERN is not present in $FILE_SEARCHED"
|
||||||
|
else
|
||||||
|
ok "$PATTERN is present in $FILES_TO_SEARCH"
|
||||||
|
SEARCH_RES=1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ "$SEARCH_RES" = 0 ]; then
|
||||||
|
warn "$PATTERN is not present in $FILES_TO_SEARCH"
|
||||||
|
touch "$FILE"
|
||||||
|
chmod 644 "$FILE"
|
||||||
|
add_end_of_file "$FILE" "$PATTERN$VALUE"
|
||||||
|
add_end_of_file "$FILE" "readonly TMOUT"
|
||||||
|
add_end_of_file "$FILE" "export TMOUT"
|
||||||
|
else
|
||||||
|
ok "$PATTERN is present in $FILES_TO_SEARCH"
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will check config parameters required
|
# This function will check config parameters required
|
||||||
|
@ -2,11 +2,11 @@
|
|||||||
|
|
||||||
# run-shellcheck
|
# run-shellcheck
|
||||||
#
|
#
|
||||||
# CIS Debian Hardening /!\ Not in the Guide
|
# CIS Debian Hardening Bonus Check
|
||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# 99.2 Disable USB Devices
|
# 99.1.1.23 Disable USB Devices
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
@ -6,7 +6,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# Checks there are no carte-blanche authorization in sudoers file(s).
|
# 99.1.3 Checks there are no carte-blanche authorization in sudoers file(s).
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
@ -1,121 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
|
|
||||||
# run-shellcheck
|
|
||||||
#
|
|
||||||
# CIS Debian Hardening /!\ Not in the Guide
|
|
||||||
#
|
|
||||||
|
|
||||||
#
|
|
||||||
# 99.1 Set Timeout on ttys
|
|
||||||
#
|
|
||||||
|
|
||||||
set -e # One error, it's over
|
|
||||||
set -u # One variable unset, it's over
|
|
||||||
|
|
||||||
# shellcheck disable=2034
|
|
||||||
USER='root'
|
|
||||||
# shellcheck disable=2034
|
|
||||||
DESCRIPTION="Timeout 600 seconds on tty."
|
|
||||||
|
|
||||||
PATTERN='TMOUT='
|
|
||||||
VALUE='600'
|
|
||||||
FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d /etc/profile'
|
|
||||||
FILE='/etc/profile.d/CIS_99.1_timeout.sh'
|
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
|
||||||
audit() {
|
|
||||||
SEARCH_RES=0
|
|
||||||
for FILE_SEARCHED in $FILES_TO_SEARCH; do
|
|
||||||
if [ "$SEARCH_RES" = 1 ]; then break; fi
|
|
||||||
if test -d "$FILE_SEARCHED"; then
|
|
||||||
debug "$FILE_SEARCHED is a directory"
|
|
||||||
# shellcheck disable=2044
|
|
||||||
for file_in_dir in $(find "$FILE_SEARCHED" -type f); do
|
|
||||||
does_pattern_exist_in_file "$file_in_dir" "^$PATTERN"
|
|
||||||
if [ "$FNRET" != 0 ]; then
|
|
||||||
debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
|
|
||||||
else
|
|
||||||
ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir"
|
|
||||||
SEARCH_RES=1
|
|
||||||
break
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
else
|
|
||||||
does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
|
|
||||||
if [ "$FNRET" != 0 ]; then
|
|
||||||
debug "$PATTERN is not present in $FILE_SEARCHED"
|
|
||||||
else
|
|
||||||
ok "$PATTERN is present in $FILES_TO_SEARCH"
|
|
||||||
SEARCH_RES=1
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
if [ "$SEARCH_RES" = 0 ]; then
|
|
||||||
crit "$PATTERN is not present in $FILES_TO_SEARCH"
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
|
||||||
apply() {
|
|
||||||
SEARCH_RES=0
|
|
||||||
for FILE_SEARCHED in $FILES_TO_SEARCH; do
|
|
||||||
if [ "$SEARCH_RES" = 1 ]; then break; fi
|
|
||||||
if test -d "$FILE_SEARCHED"; then
|
|
||||||
debug "$FILE_SEARCHED is a directory"
|
|
||||||
# shellcheck disable=2044
|
|
||||||
for file_in_dir in $(find "$FILE_SEARCHED" -type f); do
|
|
||||||
does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN"
|
|
||||||
if [ "$FNRET" != 0 ]; then
|
|
||||||
debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
|
|
||||||
else
|
|
||||||
ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir"
|
|
||||||
SEARCH_RES=1
|
|
||||||
break
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
else
|
|
||||||
does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
|
|
||||||
if [ "$FNRET" != 0 ]; then
|
|
||||||
debug "$PATTERN is not present in $FILE_SEARCHED"
|
|
||||||
else
|
|
||||||
ok "$PATTERN is present in $FILES_TO_SEARCH"
|
|
||||||
SEARCH_RES=1
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
if [ "$SEARCH_RES" = 0 ]; then
|
|
||||||
warn "$PATTERN is not present in $FILES_TO_SEARCH"
|
|
||||||
touch "$FILE"
|
|
||||||
chmod 644 "$FILE"
|
|
||||||
add_end_of_file "$FILE" "$PATTERN$VALUE"
|
|
||||||
add_end_of_file "$FILE" "readonly TMOUT"
|
|
||||||
add_end_of_file "$FILE" "export TMOUT"
|
|
||||||
else
|
|
||||||
ok "$PATTERN is present in $FILES_TO_SEARCH"
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
# This function will check config parameters required
|
|
||||||
check_config() {
|
|
||||||
:
|
|
||||||
}
|
|
||||||
|
|
||||||
# Source Root Dir Parameter
|
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
|
||||||
# shellcheck source=../../debian/default
|
|
||||||
. /etc/default/cis-hardening
|
|
||||||
fi
|
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
|
||||||
exit 128
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
|
||||||
# shellcheck source=../../lib/main.sh
|
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
|
||||||
else
|
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
|
||||||
exit 128
|
|
||||||
fi
|
|
@ -6,7 +6,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# 2.2.18 Ensure telnet server is not enabled (Scored)
|
# 99.2.2 Ensure telnet server is not enabled (Scored)
|
||||||
#
|
#
|
||||||
|
|
||||||
# Note: this check is not anymore in CIS hardening but we decided to keep it anyway
|
# Note: this check is not anymore in CIS hardening but we decided to keep it anyway
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
# run-shellcheck
|
# run-shellcheck
|
||||||
#
|
#
|
||||||
# CIS Debian Hardening
|
# Legacy CIS Debian Hardening
|
||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
# run-shellcheck
|
# run-shellcheck
|
||||||
#
|
#
|
||||||
# CIS Debian Hardening
|
# Legacy CIS Debian Hardening
|
||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
# run-shellcheck
|
# run-shellcheck
|
||||||
#
|
#
|
||||||
# CIS Debian Hardening
|
# Legacy CIS Debian Hardening
|
||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
# run-shellcheck
|
# run-shellcheck
|
||||||
#
|
#
|
||||||
# CIS Debian Hardening
|
# Legacy CIS Debian Hardening
|
||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
# run-shellcheck
|
# run-shellcheck
|
||||||
#
|
#
|
||||||
# CIS Debian Hardening
|
# Legacy CIS Debian Hardening
|
||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
|
@ -2,11 +2,11 @@
|
|||||||
|
|
||||||
# run-shellcheck
|
# run-shellcheck
|
||||||
#
|
#
|
||||||
# CIS Debian Hardening
|
# CIS Debian Hardening Bonus Check
|
||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# 8.0 Ensure CONFIG_AUDIT is enabled in your running kernel
|
# 99.4.0 Ensure CONFIG_AUDIT is enabled in your running kernel
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
|
@ -6,7 +6,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# Ensure that sshd only allows authentication through public key.
|
# 99.5.2.1 Ensure that sshd only allows authentication through public key.
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
@ -3,11 +3,11 @@
|
|||||||
# run-shellcheck
|
# run-shellcheck
|
||||||
|
|
||||||
#
|
#
|
||||||
# CIS Debian 7/8 Hardening
|
# Legacy CIS Debian Hardening
|
||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# Checking rekey limit for time (6 hours) or volume (512Mio) whichever comes first.
|
# 99.5.2.2 Checking rekey limit for time (6 hours) or volume (512Mio) whichever comes first.
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
@ -6,7 +6,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# Check all special features in sshd_config are disabled
|
# 99.5.2.3 Check all special features in sshd_config are disabled
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
@ -6,7 +6,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# Check <from> field in ssh authorized keys files for users with login shell, and bastions IP if available.
|
# 99.5.2.4 Check <from> field in ssh authorized keys files for users with login shell, and bastions IP if available.
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it is over
|
set -e # One error, it is over
|
@ -6,7 +6,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# Ensure home directory and ssh sensitive files are verified (not publicly readable) before connecting.
|
# 99.5.2.5 Ensure home directory and ssh sensitive files are verified (not publicly readable) before connecting.
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
@ -2,11 +2,11 @@
|
|||||||
|
|
||||||
# run-shellcheck
|
# run-shellcheck
|
||||||
#
|
#
|
||||||
# CIS Debian 7/8 Hardening
|
# Legacy CIS Debian Hardening
|
||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# Restrict which user's variables are accepted by ssh daemon
|
# 99.5.2.6 Restrict which user's variables are accepted by ssh daemon
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
@ -1,12 +1,14 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
# run-shellcheck
|
# run-shellcheck
|
||||||
# CIS Debian 7 Hardening
|
#
|
||||||
|
# Legacy CIS Debian Hardening
|
||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# Ensure that legacy services rlogin, rlogind and rcp are disabled and not installed
|
# 99.5.2.7 Ensure that legacy services rlogin, rlogind and rcp are disabled and not installed
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
@ -2,11 +2,11 @@
|
|||||||
|
|
||||||
# run-shellcheck
|
# run-shellcheck
|
||||||
#
|
#
|
||||||
# CIS Debian 7/8 Hardening
|
# Legacy CIS Debian Hardening
|
||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# Check UsePrivilegeSeparation set to sandbox.
|
# 99.5.2.8 Check UsePrivilegeSeparation set to sandbox.
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
@ -6,7 +6,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# Check that any password that may exist in /etc/shadow is SHA512 hashed and salted
|
# 99.5.4.5.1 Check that any password that may exist in /etc/shadow is SHA512 hashed and salted
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
@ -6,7 +6,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# Check that any password that may exist in /etc/shadow is SHA512 hashed and salted
|
# 99.5.4.5.2 Check that any password that may exist in /etc/shadow is SHA512 hashed and salted
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
@ -1,98 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
|
|
||||||
# run-shellcheck
|
|
||||||
#
|
|
||||||
# CIS Debian 7/8 Hardening
|
|
||||||
#
|
|
||||||
|
|
||||||
#
|
|
||||||
# SSH log level is set to VERBOSE
|
|
||||||
#
|
|
||||||
|
|
||||||
set -e # One error, it's over
|
|
||||||
set -u # One variable unset, it's over
|
|
||||||
|
|
||||||
# shellcheck disable=2034
|
|
||||||
DESCRIPTION="SSH log level is set to VERBOSE"
|
|
||||||
# shellcheck disable=2034
|
|
||||||
HARDENING_LEVEL=2
|
|
||||||
|
|
||||||
PACKAGE='openssh-server'
|
|
||||||
OPTIONS='LogLevel=VERBOSE'
|
|
||||||
FILE='/etc/ssh/sshd_config'
|
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
|
||||||
audit() {
|
|
||||||
is_pkg_installed "$PACKAGE"
|
|
||||||
if [ "$FNRET" != 0 ]; then
|
|
||||||
crit "$PACKAGE is not installed!"
|
|
||||||
else
|
|
||||||
ok "$PACKAGE is installed"
|
|
||||||
for SSH_OPTION in $OPTIONS; do
|
|
||||||
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
|
|
||||||
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
|
|
||||||
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
|
|
||||||
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
|
|
||||||
if [ "$FNRET" = 0 ]; then
|
|
||||||
ok "$PATTERN is present in $FILE"
|
|
||||||
else
|
|
||||||
crit "$PATTERN is not present in $FILE"
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
|
||||||
apply() {
|
|
||||||
is_pkg_installed "$PACKAGE"
|
|
||||||
if [ "$FNRET" = 0 ]; then
|
|
||||||
ok "$PACKAGE is installed"
|
|
||||||
else
|
|
||||||
crit "$PACKAGE is absent, installing it"
|
|
||||||
apt_install "$PACKAGE"
|
|
||||||
fi
|
|
||||||
for SSH_OPTION in $OPTIONS; do
|
|
||||||
SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
|
|
||||||
SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
|
|
||||||
PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
|
|
||||||
does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
|
|
||||||
if [ "$FNRET" = 0 ]; then
|
|
||||||
ok "$PATTERN is present in $FILE"
|
|
||||||
else
|
|
||||||
warn "$PATTERN is not present in $FILE, adding it"
|
|
||||||
does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
|
|
||||||
if [ "$FNRET" != 0 ]; then
|
|
||||||
add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
|
|
||||||
else
|
|
||||||
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
|
|
||||||
replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
|
|
||||||
fi
|
|
||||||
/etc/init.d/ssh reload >/dev/null 2>&1
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
}
|
|
||||||
|
|
||||||
# This function will check config parameters required
|
|
||||||
check_config() {
|
|
||||||
:
|
|
||||||
}
|
|
||||||
|
|
||||||
# Source Root Dir Parameter
|
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
|
||||||
# shellcheck source=../../debian/default
|
|
||||||
. /etc/default/cis-hardening
|
|
||||||
fi
|
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
|
||||||
exit 128
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
|
||||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
|
||||||
# shellcheck source=../../lib/main.sh
|
|
||||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
|
||||||
else
|
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
|
||||||
exit 128
|
|
||||||
fi
|
|
@ -7,5 +7,14 @@ test_audit() {
|
|||||||
# shellcheck disable=2154
|
# shellcheck disable=2154
|
||||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
echo "TMOUT=600" >/etc/profile.d/CIS_99.1_timeout.sh
|
||||||
|
|
||||||
|
describe compliant
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
run compliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
# TODO fill comprehensive tests
|
# TODO fill comprehensive tests
|
||||||
|
|
||||||
|
# Cleanup
|
||||||
|
rm /etc/profile.d/CIS_99.1_timeout.sh
|
||||||
}
|
}
|
||||||
|
@ -1,20 +0,0 @@
|
|||||||
# shellcheck shell=bash
|
|
||||||
# run-shellcheck
|
|
||||||
test_audit() {
|
|
||||||
describe Running on blank host
|
|
||||||
register_test retvalshouldbe 0
|
|
||||||
dismiss_count_for_test
|
|
||||||
# shellcheck disable=2154
|
|
||||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
|
||||||
|
|
||||||
echo "TMOUT=600" >/etc/profile.d/CIS_99.1_timeout.sh
|
|
||||||
|
|
||||||
describe compliant
|
|
||||||
register_test retvalshouldbe 0
|
|
||||||
run compliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
|
||||||
|
|
||||||
# TODO fill comprehensive tests
|
|
||||||
|
|
||||||
# Cleanup
|
|
||||||
rm /etc/profile.d/CIS_99.1_timeout.sh
|
|
||||||
}
|
|
@ -1,22 +0,0 @@
|
|||||||
# shellcheck shell=bash
|
|
||||||
# run-shellcheck
|
|
||||||
test_audit() {
|
|
||||||
describe Running on blank host
|
|
||||||
register_test retvalshouldbe 1
|
|
||||||
register_test contain "openssh-server is installed"
|
|
||||||
# shellcheck disable=2154
|
|
||||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
|
||||||
|
|
||||||
describe Correcting situation
|
|
||||||
# `apply` performs a service reload after each change in the config file
|
|
||||||
# the service needs to be started for the reload to succeed
|
|
||||||
service ssh start
|
|
||||||
# if the audit script provides "apply" option, enable and run it
|
|
||||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
|
||||||
/opt/debian-cis/bin/hardening/"${script}".sh || true
|
|
||||||
|
|
||||||
describe Checking resolved state
|
|
||||||
register_test retvalshouldbe 0
|
|
||||||
register_test contain "[ OK ] ^LogLevel[[:space:]]*VERBOSE is present in /etc/ssh/sshd_config"
|
|
||||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
|
||||||
}
|
|
Loading…
Reference in New Issue
Block a user