elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2024-11-22 05:27:01 +01:00
Code Issues Packages Projects Releases Wiki Activity

Renum warning banners checks 11.x to 1.7.x

Browse Source 
new file:   bin/hardening/1.7.1.1_remove_os_info_motd.sh
	renamed:    bin/hardening/11.2_remove_os_info_warning_banners.sh -> bin/hardening/1.7.1.2_remove_os_info_issue.sh
	new file:   bin/hardening/1.7.1.3_remove_os_info_issue_net.sh
	new file:   bin/hardening/1.7.1.4_motd_perms.sh
	new file:   bin/hardening/1.7.1.5_etc_issue_perms.sh
	new file:   bin/hardening/1.7.1.6_etc_issue_net_perms.sh
	renamed:    bin/hardening/11.3_graphical_warning_banners.sh -> bin/hardening/1.7.2_graphical_warning_banners.sh
	deleted:    bin/hardening/11.1_warning_banners.sh
	renamed:    tests/hardening/11.3_graphical_warning_banners.sh -> tests/hardening/1.7.1.1_remove_os_info_motd.sh
	renamed:    tests/hardening/11.2_remove_os_info_warning_banners.sh -> tests/hardening/1.7.1.2_remove_os_info_issue.sh
	renamed:    tests/hardening/11.1_warning_banners.sh -> tests/hardening/1.7.1.3_remove_os_info_issue_net.sh
	new file:   tests/hardening/1.7.1.4_warning_banners.sh
	new file:   tests/hardening/1.7.2_graphical_warning_banners.sh
This commit is contained in:
Charles Herlin 2019-09-12 15:42:22 +02:00 committed by Thibault Ayanides
parent fbb73d1953
commit a085785321
13 changed files with 421 additions and 111 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
bin/hardening/1.7.1.1_remove_os_info_motd.sh Executable file
View File

@ -0,0 +1,62 @@
#!/bin/bash
#
# CIS Debian Hardening
#
#
# 1.7.1.1 Ensure message of the day is configured properly (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
DESCRIPTION="Remove OS information from motd"
FILE='/etc/motd'
PATTERN='(\\v|\\r|\\m|\\s)'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
crit "$PATTERN is present in $FILE"
else
ok "$PATTERN is not present in $FILE"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
warn "$PATTERN is present in $FILE"
delete_line_in_file $FILE $PATTERN
else
ok "$PATTERN is not present in $FILE"
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

34
bin/hardening/11.2_remove_os_info_warning_banners.sh → bin/hardening/1.7.1.2_remove_os_info_issue.sh
View File

@ -5,7 +5,7 @@
#
#
# 11.2 Remove OS Information from Login Warning Banners (Scored)
# 1.7.1.2 Ensure local login warning banner is configured properly (Scored)
#
set -e # One error, it's over
@ -14,32 +14,28 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=3
DESCRIPTION="Remove OS information from Login Warning Banners."
FILES='/etc/motd /etc/issue /etc/issue.net'
FILE='/etc/issue'
PATTERN='(\\v|\\r|\\m|\\s)'
# This function will be called if the script status is on enabled / audit mode
audit () {
for FILE in $FILES; do
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
crit "$PATTERN is present in $FILE"
else
ok "$PATTERN is not present in $FILE"
fi
done
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
crit "$PATTERN is present in $FILE"
else
ok "$PATTERN is not present in $FILE"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
for FILE in $FILES; do
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
warn "$PATTERN is present in $FILE"
delete_line_in_file $FILE $PATTERN
else
ok "$PATTERN is not present in $FILE"
fi
done
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
warn "$PATTERN is present in $FILE"
delete_line_in_file $FILE $PATTERN
else
ok "$PATTERN is not present in $FILE"
fi
}
# This function will check config parameters required

62
bin/hardening/1.7.1.3_remove_os_info_issue_net.sh Executable file
View File

@ -0,0 +1,62 @@
#!/bin/bash
#
# CIS Debian Hardening
#
#
# 1.7.1.3 Ensure remote login warning banner is configured properly (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
DESCRIPTION="Remove OS information from remote Login Warning Banners."
FILE='/etc/issue.net'
PATTERN='(\\v|\\r|\\m|\\s)'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
crit "$PATTERN is present in $FILE"
else
ok "$PATTERN is not present in $FILE"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
warn "$PATTERN is present in $FILE"
delete_line_in_file $FILE $PATTERN
else
ok "$PATTERN is not present in $FILE"
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

87
bin/hardening/1.7.1.4_motd_perms.sh Executable file
View File

@ -0,0 +1,87 @@
#!/bin/bash
#
# CIS Debian Hardening
#
#
# 1.7.1.4 Ensure permissions on /etc/motd are configured (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
DESCRIPTION="Checking root ownership and 644 permissions on banner files : /etc/motd|issue|issue.net ."
PERMISSIONS='644'
USER='root'
GROUP='root'
FILE='/etc/motd'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
crit "$FILE does not exist"
continue
fi
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
info "$FILE does not exist"
touch $FILE
fi
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE
fi
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0$PERMISSIONS $FILE
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

87
bin/hardening/1.7.1.5_etc_issue_perms.sh Executable file
View File

@ -0,0 +1,87 @@
#!/bin/bash
#
# CIS Debian Hardening
#
#
# 1.7.1.4 Ensure permissions on /etc/issue are configured (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
DESCRIPTION="Checking root ownership and 644 permissions on banner files : /etc/motd|issue|issue.net ."
PERMISSIONS='644'
USER='root'
GROUP='root'
FILE='/etc/issue'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
crit "$FILE does not exist"
continue
fi
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
info "$FILE does not exist"
touch $FILE
fi
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE
fi
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0$PERMISSIONS $FILE
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

87
bin/hardening/1.7.1.6_etc_issue_net_perms.sh Executable file
View File

@ -0,0 +1,87 @@
#!/bin/bash
#
# CIS Debian Hardening
#
#
# 1.7.1.4 Ensure permissions on /etc/issue.net are configured (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
DESCRIPTION="Checking root ownership and 644 permissions on banner files : /etc/motd|issue|issue.net ."
PERMISSIONS='644'
USER='root'
GROUP='root'
FILE='/etc/issue.net'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
crit "$FILE does not exist"
continue
fi
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
does_file_exist $FILE
if [ $FNRET != 0 ]; then
info "$FILE does not exist"
touch $FILE
fi
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE
fi
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0$PERMISSIONS $FILE
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

2
bin/hardening/11.3_graphical_warning_banners.sh → bin/hardening/1.7.2_graphical_warning_banners.sh
View File

@ -5,7 +5,7 @@
#
#
# 11.3 Set Graphical Warning Banner (Not Scored)
# 1.7.2 Ensure GDM login banner is configured (Scored)
#
set -e # One error, it's over

91
bin/hardening/11.1_warning_banners.sh
View File

@ -1,91 +0,0 @@
#!/bin/bash
#
# CIS Debian Hardening
#
#
# 11.1 Set Warning Banner for Standard Login Services (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
DESCRIPTION="Checking root ownership and 644 permissions on banner files : /etc/motd|issue|issue.net ."
PERMISSIONS='644'
USER='root'
GROUP='root'
FILES='/etc/motd /etc/issue /etc/issue.net'
# This function will be called if the script status is on enabled / audit mode
audit () {
for FILE in $FILES; do
does_file_exist $FILE
if [ $FNRET != 0 ]; then
crit "$FILE does not exist"
continue
fi
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions"
else
crit "$FILE permissions were not set to $PERMISSIONS"
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
for FILE in $FILES; do
does_file_exist $FILE
if [ $FNRET != 0 ]; then
info "$FILE does not exist"
touch $FILE
fi
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
warn "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE
fi
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
ok "$FILE has correct permissions"
else
info "fixing $FILE permissions to $PERMISSIONS"
chmod 0$PERMISSIONS $FILE
fi
done
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

0
tests/hardening/11.1_warning_banners.sh → tests/hardening/1.7.1.1_remove_os_info_motd.sh
View File

0
tests/hardening/11.2_remove_os_info_warning_banners.sh → tests/hardening/1.7.1.2_remove_os_info_issue.sh
View File

0
tests/hardening/11.3_graphical_warning_banners.sh → tests/hardening/1.7.1.3_remove_os_info_issue_net.sh
View File

10
tests/hardening/1.7.1.4_warning_banners.sh Normal file
View File

@ -0,0 +1,10 @@
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests
}

10
tests/hardening/1.7.2_graphical_warning_banners.sh Normal file
View File

@ -0,0 +1,10 @@
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests
}