From 9e6c9a0d8a1ec62865e27b44791db0be35f62648 Mon Sep 17 00:00:00 2001
From: Thibault Ayanides
Date: Tue, 27 Apr 2021 16:04:13 +0200
Subject: [PATCH] Accept lower values (#95)
* IMP(5.2.23): accept lower value as valid
* IMP(5.2.7): accept lower value as valid
---
.../5.2.23_limit_ssh_max_sessions.sh | 21 ++++++++++++++---
bin/hardening/5.2.7_sshd_maxauthtries.sh | 23 +++++++++++++++----
.../5.2.23_limit_ssh_max_sessions.sh | 16 +++++++++++++
tests/hardening/5.2.7_sshd_maxauthtries.sh | 16 +++++++++++++
4 files changed, 69 insertions(+), 7 deletions(-)
diff --git a/bin/hardening/5.2.23_limit_ssh_max_sessions.sh b/bin/hardening/5.2.23_limit_ssh_max_sessions.sh
index ae18ac1..7a0c94f 100755
--- a/bin/hardening/5.2.23_limit_ssh_max_sessions.sh
+++ b/bin/hardening/5.2.23_limit_ssh_max_sessions.sh
@@ -36,7 +36,17 @@ audit() {
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
- crit "$PATTERN is not present in $FILE"
+ does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
+ if [ "$FNRET" != 0 ]; then
+ crit "$PATTERN is not present in $FILE"
+ else
+ VALUE=$($SUDO_CMD grep -i "^${SSH_PARAM}" "$FILE" | tr -s ' ' | cut -d' ' -f2)
+ if [ "$VALUE" -gt "$SSH_VALUE" ]; then
+ crit "$VALUE is higher than recommended $SSH_VALUE for $SSH_PARAM"
+ else
+ ok "$VALUE is lower than recommended $SSH_VALUE for $SSH_PARAM"
+ fi
+ fi
 fi
 done
 fi
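Review bot: In the new else-branch, any `VALUE` that is not a single integer makes `[ "$VALUE" -gt "$SSH_VALUE" ]` fail with "integer expression expected", and that failed test falls into the `else` arm and prints `ok … is lower than recommended`, so a malformed or ambiguous directive passes the audit. `VALUE` is not a plain integer when the keyword occurs more than once (grep returns several lines), when the separator is a tab or `=` rather than spaces (`tr -s ' '` squeezes spaces only, and `cut` without `-s` then returns the whole line), or when the value is simply not numeric. sshd honours the first occurrence of a keyword, so take `head -n 1`, normalise blanks and `=`, and reject anything that is not digits before comparing; the same pattern is repeated in the 5.2.23 apply hunk, the 5.2.7 audit hunk and the 5.2.7 apply hunk. audit() starts before this hunk.
```shell
# … unchanged: does_pattern_exist_in_file_nocase check and crit when the keyword is absent …
VALUE=$($SUDO_CMD grep -i "^${SSH_PARAM}" "$FILE" | head -n 1 | tr -s '[:blank:]=' ' ' | cut -d' ' -f2)
case "$VALUE" in
  '' | *[!0-9]*)
    crit "$SSH_PARAM has an unparsable value '$VALUE' in $FILE"
    ;;
  *)
    if [ "$VALUE" -gt "$SSH_VALUE" ]; then
      crit "$VALUE is higher than recommended $SSH_VALUE for $SSH_PARAM"
    else
      ok "$VALUE is lower than recommended $SSH_VALUE for $SSH_PARAM"
    fi
    ;;
esac
```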
@@ -64,8 +74,13 @@ apply() {
 if [ "$FNRET" != 0 ]; then
 add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
 else
- info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
- replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+ VALUE=$(grep -i "^${SSH_PARAM}" "$FILE" | tr -s ' ' | cut -d' ' -f2)
+ if [ "$VALUE" -gt "$SSH_VALUE" ]; then
+ warn "$VALUE is higher than recommended $SSH_VALUE for $SSH_PARAM, replacing it"
+ replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+ else
+ ok "$VALUE is lower than recommended $SSH_VALUE for $SSH_PARAM"
+ fi
 fi
 /etc/init.d/ssh reload
 fi
diff --git a/bin/hardening/5.2.7_sshd_maxauthtries.sh b/bin/hardening/5.2.7_sshd_maxauthtries.sh
index 3dd4f6d..3d43324 100755
--- a/bin/hardening/5.2.7_sshd_maxauthtries.sh
+++ b/bin/hardening/5.2.7_sshd_maxauthtries.sh
@@ -36,7 +36,17 @@ audit() {
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
- crit "$PATTERN is not present in $FILE"
+ does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
+ if [ "$FNRET" != 0 ]; then
+ crit "$PATTERN is not present in $FILE"
+ else
+ VALUE=$($SUDO_CMD grep -i "^${SSH_PARAM}" "$FILE" | tr -s ' ' | cut -d' ' -f2)
+ if [ "$VALUE" -gt "$SSH_VALUE" ]; then
+ crit "$VALUE is higher than recommended $SSH_VALUE for $SSH_PARAM"
+ else
+ ok "$VALUE is lower than recommended $SSH_VALUE for $SSH_PARAM"
+ fi
+ fi
 fi
 done
 fi
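Review bot: `/etc/init.d/ssh reload` now also runs on the new `ok … is lower than recommended` path, where the config file was not touched, so every apply run on a host that is already stricter than the recommendation reloads sshd for nothing. Before this change each path through this else-branch modified the file, which is what justified the unconditional reload. Set a flag next to `add_end_of_file` and `replace_in_file` (`SSH_RELOAD=1`) and guard the reload with `if [ "${SSH_RELOAD:-0}" -eq 1 ]; then /etc/init.d/ssh reload; fi`; the same applies to the 5.2.7 apply hunk. In apply the non-integer false-`ok` raised on the 5.2.23 audit hunk additionally means an unparsable value is never rewritten. apply() starts before this hunk.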
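Review bot: The extraction `VALUE=$($SUDO_CMD grep -i "^${SSH_PARAM}" "$FILE" | tr -s ' ' | cut -d' ' -f2)` and the `-gt` comparison are now written out four times across the two scripts (audit and apply of 5.2.23 and 5.2.7), differing only in the `$SUDO_CMD` prefix. A helper alongside `does_pattern_exist_in_file_nocase`, for example `get_first_directive_value "$FILE" "$SSH_PARAM"` setting `FNRET` and a value variable, would keep the parsing rules in one place so that any fix to tab, `=` or multiple-occurrence handling reaches all four callers. audit() starts before this hunk.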
@@ -59,13 +69,18 @@ apply() {
 if [ "$FNRET" = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
- warn "$PATTERN is not present in $FILE, adding it"
+ warn "$PATTERN is not present in $FILE"
 does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
 if [ "$FNRET" != 0 ]; then
 add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
 else
- info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
- replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+ VALUE=$(grep -i "^${SSH_PARAM}" "$FILE" | tr -s ' ' | cut -d' ' -f2)
+ if [ "$VALUE" -gt "$SSH_VALUE" ]; then
+ warn "$VALUE is higher than recommended $SSH_VALUE for $SSH_PARAM, replacing it"
+ replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+ else
+ ok "$VALUE is lower than recommended $SSH_VALUE for $SSH_PARAM"
+ fi
 fi
 /etc/init.d/ssh reload
 fi
diff --git a/tests/hardening/5.2.23_limit_ssh_max_sessions.sh b/tests/hardening/5.2.23_limit_ssh_max_sessions.sh
index e2aebe0..08b1443 100644
--- a/tests/hardening/5.2.23_limit_ssh_max_sessions.sh
+++ b/tests/hardening/5.2.23_limit_ssh_max_sessions.sh
@@ -7,6 +7,22 @@ test_audit() {
 # shellcheck disable=2154
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+ echo "maxsessions 1" >>/etc/ssh/sshd_config
+
+ describe Running restrictive
+ register_test retvalshouldbe 0
+ register_test contain "[ OK ] 1 is lower than recommended 10"
+ run restrictive /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ # delete last line
+ sed -i '$ d' /etc/ssh/sshd_config
+ echo "maxsessions 15" >>/etc/ssh/sshd_config
+
+ describe Running too permissive
+ register_test retvalshouldbe 1
+ register_test contain "[ KO ] 15 is higher than recommended 10"
+ run permissive /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
 describe Correcting situation
 # `apply` performs a service reload after each change in the config file
 # the service needs to be started for the reload to succeed
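Review bot: The rewritten `warn "$PATTERN is not present in $FILE"` fires before the value is examined, so on a host whose MaxAuthTries is already stricter than the recommendation apply now logs a warning immediately followed by `ok … is lower than recommended`, which reads as contradictory to anyone filtering apply output on warnings. Dropping ", adding it" acknowledges that nothing is necessarily added, but the severity should move with it: make this line `info "$PATTERN is not present in $FILE, checking current value"` and keep `warn` for the two branches that actually modify the file (the existing `warn … replacing it` and a new `warn "$SSH_PARAM is absent from $FILE, adding it"` beside `add_end_of_file`). The 5.2.23 apply hunk likely has the same leading warn above its visible lines, but that cannot be confirmed from this patch. apply() starts before this hunk.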
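Review bot: The new restrictive/permissive cases probe one value on each side of the recommendation only; neither the boundary (`maxsessions 10`, which the new audit reports with the "lower than" message) nor a value the numeric compare cannot handle (a duplicated keyword, a tab separator, a non-numeric value) is covered, and the latter is exactly where the `-gt` test degrades to a false `[ OK ]`. Add a case appending `maxsessions 10` with `register_test retvalshouldbe 0` and `register_test contain "[ OK ] 10 is lower than recommended 10"`, and one appending a non-numeric value with `register_test retvalshouldbe 1`; the same gap exists in the 5.2.7 test hunk. The `sed -i '$ d'` cleanup relies on the appended directive still being the last line, which holds as long as the intervening audit run never rewrites the file; a comment stating that assumption next to `# delete last line` would help the next editor. test_audit() starts before this hunk.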
diff --git a/tests/hardening/5.2.7_sshd_maxauthtries.sh b/tests/hardening/5.2.7_sshd_maxauthtries.sh
index ba28645..4361481 100644
--- a/tests/hardening/5.2.7_sshd_maxauthtries.sh
+++ b/tests/hardening/5.2.7_sshd_maxauthtries.sh
@@ -7,6 +7,22 @@ test_audit() {
 # shellcheck disable=2154
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+ echo "MaxAuthTries 2" >>/etc/ssh/sshd_config
+
+ describe Running restrictive
+ register_test retvalshouldbe 0
+ register_test contain "[ OK ] 2 is lower than recommended 4"
+ run restrictive /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ # delete last line
+ sed -i '$ d' /etc/ssh/sshd_config
+ echo "MaxAuthTries 6" >>/etc/ssh/sshd_config
+
+ describe Running too permissive
+ register_test retvalshouldbe 1
+ register_test contain "[ KO ] 6 is higher than recommended 4"
+ run permissive /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
 describe Correcting situation
 # `apply` performs a service reload after each change in the config file
 # the service needs to be started for the reload to succeed