5.1.5_disable_talk_client.sh 5.1.6_disable_telnet_server.sh 5.1.7_disable_tftp_server.sh 5.1.8_disable_inetd.sh 5.2_disable_chargen.sh 5.3_disable_daytime.sh 5.4_disable_echo.sh 5.5_disable_discard.sh 5.6_disable_time.sh 6.1_disable_xwindow_system.sh

This commit is contained in:
thibault.dewailly 2016-04-12 08:31:41 +02:00
parent 1e8d90198d
commit 9ee7b646bf
25 changed files with 787 additions and 74 deletions

View File

@ -5,7 +5,7 @@
# #
# #
# Hardening script skeleton replace this line with proper point treated # 2.17 Set Sticky Bit on All World-Writable Directories (Scored)
# #
set -e # One error, it's over set -e # One error, it's over

View File

@ -5,7 +5,7 @@
# #
# #
# Hardening script skeleton replace this line with proper point treated # 3.4 Require Authentication for Single-User Mode (Scored)
# #
set -e # One error, it's over set -e # One error, it's over

View File

@ -11,12 +11,13 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
PACKAGE='rsh-server' PACKAGES='rsh-server rsh-redone-server'
FILE='/etc/inetd.conf' FILE='/etc/inetd.conf'
PATTERN='^(shell|login|exec)' PATTERN='^(shell|login|exec)'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
warn "$PACKAGE is installed, checking configuration" warn "$PACKAGE is installed, checking configuration"
@ -34,11 +35,12 @@ audit () {
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi
: done
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
@ -61,6 +63,7 @@ apply () {
ok "$PATTERN not present in $FILE" ok "$PATTERN not present in $FILE"
fi fi
fi fi
done
} }
# This function will check config parameters required # This function will check config parameters required

View File

@ -5,18 +5,19 @@
# #
# #
# 5.1.2 Ensure rsh server is not enabled (Scored) # 5.1.4 Ensure talk server is not enabled (Scored)
# #
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
PACKAGE='inetutils-talk' PACKAGES='inetutils-talkd talkd'
FILE='/etc/inetd.conf' FILE='/etc/inetd.conf'
PATTERN='^(talk|ntalk)' PATTERN='^(talk|ntalk)'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
warn "$PACKAGE is installed, checking configuration" warn "$PACKAGE is installed, checking configuration"
@ -34,11 +35,12 @@ audit () {
else else
ok "$PACKAGE is absent" ok "$PACKAGE is absent"
fi fi
: done
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it" crit "$PACKAGE is installed, purging it"
@ -61,6 +63,7 @@ apply () {
ok "$PATTERN not present in $FILE" ok "$PATTERN not present in $FILE"
fi fi
fi fi
done
} }
# This function will check config parameters required # This function will check config parameters required

View File

@ -0,0 +1,58 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 5.1.5 Ensure talk client is not installed (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
PACKAGES='talk inetutils-talk'
# This function will be called if the script status is on enabled / audit mode
audit () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed"
else
ok "$PACKAGE is absent"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
warn "$PACKAGE is installed, purging"
apt-get purge $PACKAGE -y
else
ok "$PACKAGE is absent"
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

View File

@ -0,0 +1,86 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 5.1.6 Ensure telnet server is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
PACKAGES='telnetd inetutils-telnetd telnetd-ssl'
FILE='/etc/inetd.conf'
PATTERN='^telnet'
# This function will be called if the script status is on enabled / audit mode
audit () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
warn "$PACKAGE is installed, checking configuration"
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exists_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, $PACKAGE services are enabled !"
else
ok "$PATTERN not present in $FILE"
fi
fi
else
ok "$PACKAGE is absent"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
else
ok "$PACKAGE is absent"
fi
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exists_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN not present in $FILE"
fi
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

View File

@ -0,0 +1,87 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 5.1.7 Ensure tftp-server is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
PACKAGES='tftpd tftpd-hpa atftpd'
FILE='/etc/inetd.conf'
PATTERN='^tftp'
# This function will be called if the script status is on enabled / audit mode
audit () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
warn "$PACKAGE is installed, checking configuration"
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exists_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, $PACKAGE services are enabled !"
else
ok "$PATTERN not present in $FILE"
fi
fi
else
ok "$PACKAGE is absent"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
else
ok "$PACKAGE is absent"
fi
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exists_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
echo "coucou"
else
ok "$PATTERN not present in $FILE"
fi
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

View File

@ -0,0 +1,58 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 5.1.8 Ensure xinetd is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
PACKAGES='openbsd-inetd xinetd rlinetd'
# This function will be called if the script status is on enabled / audit mode
audit () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed"
else
ok "$PACKAGE is absent"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
warn "$PACKAGE is installed, purging"
apt-get purge $PACKAGE -y
else
ok "$PACKAGE is absent"
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

View File

@ -0,0 +1,68 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 5.2 Ensure chargen is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
FILE='/etc/inetd.conf'
PATTERN='^chargen'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exists_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, chargen services are enabled !"
else
ok "$PATTERN not present in $FILE"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exists_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN not present in $FILE"
fi
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

View File

@ -0,0 +1,68 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 5.3 Ensure daytime is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
FILE='/etc/inetd.conf'
PATTERN='^daytime'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exists_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, chargen services are enabled !"
else
ok "$PATTERN not present in $FILE"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exists_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN not present in $FILE"
fi
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

View File

@ -0,0 +1,68 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 5.4 Ensure echo is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
FILE='/etc/inetd.conf'
PATTERN='^echo'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exists_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, chargen services are enabled !"
else
ok "$PATTERN not present in $FILE"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exists_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN not present in $FILE"
fi
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

View File

@ -0,0 +1,68 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 5.5 Ensure discard is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
FILE='/etc/inetd.conf'
PATTERN='^discard'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exists_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, chargen services are enabled !"
else
ok "$PATTERN not present in $FILE"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exists_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN not present in $FILE"
fi
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

View File

@ -0,0 +1,68 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 5.6 Ensure time is not enabled (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
FILE='/etc/inetd.conf'
PATTERN='^time'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
does_pattern_exists_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
crit "$PATTERN exists, chargen services are enabled !"
else
ok "$PATTERN not present in $FILE"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
ok "$FILE does not exist"
else
info "$FILE exists, checking patterns"
does_pattern_exists_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
warn "$PATTERN present in $FILE, purging it"
backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else
ok "$PATTERN not present in $FILE"
fi
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

View File

@ -0,0 +1,58 @@
#!/bin/bash
#
# CIS Debian 7 Hardening
#
#
# 6.1 Ensure the X Window system is not installed (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
PACKAGES='xserver-xorg-core xserver-xorg-core-dbg xserver-common'
# This function will be called if the script status is on enabled / audit mode
audit () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed !"
else
ok "$PACKAGE is absent"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
for PACKAGE in $PACKAGES; do
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then
crit "$PACKAGE is installed, purging it"
apt-get purge $PACKAGE -y
else
ok "$PACKAGE is absent"
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
exit 128
else
. /etc/default/cis-hardenning
if [ -z $CIS_ROOT_DIR ]; then
echo "No CIS_ROOT_DIR variable, aborting"
fi
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

View File

@ -1,2 +1,2 @@
# Configuration for script of same name # Configuration for script of same name
status=disabled status=enabled

View File

@ -0,0 +1,2 @@
# Configuration for script of same name
status=enabled

View File

@ -0,0 +1,2 @@
# Configuration for script of same name
status=enabled

View File

@ -0,0 +1,2 @@
# Configuration for script of same name
status=enabled

View File

@ -0,0 +1,2 @@
# Configuration for script of same name
status=enabled

View File

@ -0,0 +1,2 @@
# Configuration for script of same name
status=enabled

View File

@ -0,0 +1,2 @@
# Configuration for script of same name
status=enabled

View File

@ -0,0 +1,2 @@
# Configuration for script of same name
status=enabled

View File

@ -0,0 +1,2 @@
# Configuration for script of same name
status=enabled

View File

@ -0,0 +1,2 @@
# Configuration for script of same name
status=enabled

View File

@ -0,0 +1,2 @@
# Configuration for script of same name
status=enabled