From a0857853218f62f30753042db476b74c42ff1ed6 Mon Sep 17 00:00:00 2001 
From: Charles Herlin Date: Thu, 12 Sep 2019 15:42:22 +0200 Subject: [PATCH] Renum warning banners checks 11.x to 1.7.x new file: bin/hardening/1.7.1.1_remove_os_info_motd.sh renamed: bin/hardening/11.2_remove_os_info_warning_banners.sh -> bin/hardening/1.7.1.2_remove_os_info_issue.sh new file: bin/hardening/1.7.1.3_remove_os_info_issue_net.sh new file: bin/hardening/1.7.1.4_motd_perms.sh new file: bin/hardening/1.7.1.5_etc_issue_perms.sh new file: bin/hardening/1.7.1.6_etc_issue_net_perms.sh renamed: bin/hardening/11.3_graphical_warning_banners.sh -> bin/hardening/1.7.2_graphical_warning_banners.sh deleted: bin/hardening/11.1_warning_banners.sh renamed: tests/hardening/11.3_graphical_warning_banners.sh -> tests/hardening/1.7.1.1_remove_os_info_motd.sh renamed: tests/hardening/11.2_remove_os_info_warning_banners.sh -> tests/hardening/1.7.1.2_remove_os_info_issue.sh renamed: tests/hardening/11.1_warning_banners.sh -> tests/hardening/1.7.1.3_remove_os_info_issue_net.sh new file: tests/hardening/1.7.1.4_warning_banners.sh new file: tests/hardening/1.7.2_graphical_warning_banners.sh --- bin/hardening/1.7.1.1_remove_os_info_motd.sh | 62 +++++++++++++ ...ers.sh => 1.7.1.2_remove_os_info_issue.sh} | 34 +++---- .../1.7.1.3_remove_os_info_issue_net.sh | 62 +++++++++++++ bin/hardening/1.7.1.4_motd_perms.sh | 87 ++++++++++++++++++ bin/hardening/1.7.1.5_etc_issue_perms.sh | 87 ++++++++++++++++++ bin/hardening/1.7.1.6_etc_issue_net_perms.sh | 87 ++++++++++++++++++ ....sh => 1.7.2_graphical_warning_banners.sh} | 2 +- bin/hardening/11.1_warning_banners.sh | 91 ------------------- ...ners.sh => 1.7.1.1_remove_os_info_motd.sh} | 0 ...ers.sh => 1.7.1.2_remove_os_info_issue.sh} | 0 ...sh => 1.7.1.3_remove_os_info_issue_net.sh} | 0 tests/hardening/1.7.1.4_warning_banners.sh | 10 ++ .../1.7.2_graphical_warning_banners.sh | 10 ++ 13 files changed, 421 insertions(+), 111 deletions(-) create mode 100755 bin/hardening/1.7.1.1_remove_os_info_motd.sh rename 
bin/hardening/{11.2_remove_os_info_warning_banners.sh => 1.7.1.2_remove_os_info_issue.sh} (64%)
create mode 100755 bin/hardening/1.7.1.3_remove_os_info_issue_net.sh
create mode 100755 bin/hardening/1.7.1.4_motd_perms.sh
create mode 100755 bin/hardening/1.7.1.5_etc_issue_perms.sh
create mode 100755 bin/hardening/1.7.1.6_etc_issue_net_perms.sh
rename bin/hardening/{11.3_graphical_warning_banners.sh => 1.7.2_graphical_warning_banners.sh} (95%)
delete mode 100755 bin/hardening/11.1_warning_banners.sh
rename tests/hardening/{11.1_warning_banners.sh => 1.7.1.1_remove_os_info_motd.sh} (100%)
rename tests/hardening/{11.2_remove_os_info_warning_banners.sh => 1.7.1.2_remove_os_info_issue.sh} (100%)
rename tests/hardening/{11.3_graphical_warning_banners.sh => 1.7.1.3_remove_os_info_issue_net.sh} (100%)
create mode 100644 tests/hardening/1.7.1.4_warning_banners.sh
create mode 100644 tests/hardening/1.7.2_graphical_warning_banners.sh
diff --git a/bin/hardening/1.7.1.1_remove_os_info_motd.sh b/bin/hardening/1.7.1.1_remove_os_info_motd.sh
new file mode 100755
index 0000000..5de063d
--- /dev/null
+++ b/bin/hardening/1.7.1.1_remove_os_info_motd.sh
@@ -0,0 +1,62 @@
+#!/bin/bash
+
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.7.1.1 Ensure message of the day is configured properly (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+DESCRIPTION="Remove OS information from motd"
+
+FILE='/etc/motd'
+PATTERN='(\\v|\\r|\\m|\\s)'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ does_pattern_exist_in_file $FILE "$PATTERN"
+ if [ $FNRET = 0 ]; then
+ crit "$PATTERN is present in $FILE"
+ else
+ ok "$PATTERN is not present in $FILE"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ does_pattern_exist_in_file $FILE "$PATTERN"
+ if [ $FNRET = 0 ]; then
+ warn "$PATTERN is present in $FILE"
+ delete_line_in_file $FILE $PATTERN
+ else
+ ok "$PATTERN is not present in $FILE"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+ . $CIS_ROOT_DIR/lib/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/bin/hardening/11.2_remove_os_info_warning_banners.sh b/bin/hardening/1.7.1.2_remove_os_info_issue.sh
similarity index 64%
rename from bin/hardening/11.2_remove_os_info_warning_banners.sh
rename to bin/hardening/1.7.1.2_remove_os_info_issue.sh
index 727a5f6..c39760a 100755
--- a/bin/hardening/11.2_remove_os_info_warning_banners.sh
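Review bot: In `apply()` the pattern is handed to the helper unquoted, `delete_line_in_file $FILE $PATTERN`, while the `does_pattern_exist_in_file` call two lines above quotes it; the value contains `|` and parentheses, so the two calls should agree: `delete_line_in_file $FILE "$PATTERN"`. The same unquoted line is carried into the renamed 1.7.1.2_remove_os_info_issue.sh and the new 1.7.1.3_remove_os_info_issue_net.sh. Judging by the helper's name, the remediation drops every line on which one of the `\v \r \m \s` escapes appears rather than the escape alone, so a banner line that mixes the escape with legitimate wording disappears wholesale; a comment on `apply()` stating that whole lines are removed would tell an operator what `--apply` will change before they run it.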
+++ b/bin/hardening/1.7.1.2_remove_os_info_issue.sh
@@ -5,7 +5,7 @@
 #
 
 #
-# 11.2 Remove OS Information from Login Warning Banners (Scored)
+# 1.7.1.2 Ensure local login warning banner is configured properly (Scored)
 #
 
 set -e # One error, it's over
@@ -14,32 +14,28 @@ set -u # One variable unset, it's over
 HARDENING_LEVEL=3
 DESCRIPTION="Remove OS information from Login Warning Banners."
 
-FILES='/etc/motd /etc/issue /etc/issue.net'
+FILE='/etc/issue'
 PATTERN='(\\v|\\r|\\m|\\s)'
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
- for FILE in $FILES; do
- does_pattern_exist_in_file $FILE "$PATTERN"
- if [ $FNRET = 0 ]; then
- crit "$PATTERN is present in $FILE"
- else
- ok "$PATTERN is not present in $FILE"
- fi
- done
+ does_pattern_exist_in_file $FILE "$PATTERN"
+ if [ $FNRET = 0 ]; then
+ crit "$PATTERN is present in $FILE"
+ else
+ ok "$PATTERN is not present in $FILE"
+ fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply () {
- for FILE in $FILES; do
- does_pattern_exist_in_file $FILE "$PATTERN"
- if [ $FNRET = 0 ]; then
- warn "$PATTERN is present in $FILE"
- delete_line_in_file $FILE $PATTERN
- else
- ok "$PATTERN is not present in $FILE"
- fi
- done
+ does_pattern_exist_in_file $FILE "$PATTERN"
+ if [ $FNRET = 0 ]; then
+ warn "$PATTERN is present in $FILE"
+ delete_line_in_file $FILE $PATTERN
+ else
+ ok "$PATTERN is not present in $FILE"
+ fi
 }
 
 # This function will check config parameters required
diff --git a/bin/hardening/1.7.1.3_remove_os_info_issue_net.sh b/bin/hardening/1.7.1.3_remove_os_info_issue_net.sh
new file mode 100755
index 0000000..832573e
--- /dev/null
+++ b/bin/hardening/1.7.1.3_remove_os_info_issue_net.sh
@@ -0,0 +1,62 @@
+#!/bin/bash
+
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.7.1.3 Ensure remote login warning banner is configured properly (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+DESCRIPTION="Remove OS information from remote Login Warning Banners."
+
+FILE='/etc/issue.net'
+PATTERN='(\\v|\\r|\\m|\\s)'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ does_pattern_exist_in_file $FILE "$PATTERN"
+ if [ $FNRET = 0 ]; then
+ crit "$PATTERN is present in $FILE"
+ else
+ ok "$PATTERN is not present in $FILE"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ does_pattern_exist_in_file $FILE "$PATTERN"
+ if [ $FNRET = 0 ]; then
+ warn "$PATTERN is present in $FILE"
+ delete_line_in_file $FILE $PATTERN
+ else
+ ok "$PATTERN is not present in $FILE"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+ . $CIS_ROOT_DIR/lib/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/bin/hardening/1.7.1.4_motd_perms.sh b/bin/hardening/1.7.1.4_motd_perms.sh
new file mode 100755
index 0000000..2a97d83
--- /dev/null
+++ b/bin/hardening/1.7.1.4_motd_perms.sh
@@ -0,0 +1,87 @@
+#!/bin/bash
+
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.7.1.4 Ensure permissions on /etc/motd are configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+DESCRIPTION="Checking root ownership and 644 permissions on banner files : /etc/motd|issue|issue.net ."
+
+PERMISSIONS='644'
+USER='root'
+GROUP='root'
+FILE='/etc/motd'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ crit "$FILE does not exist"
+ continue
+ fi
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ crit "$FILE ownership was not set to $USER:$GROUP"
+ fi
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ crit "$FILE permissions were not set to $PERMISSIONS"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ info "$FILE does not exist"
+ touch $FILE
+ fi
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ warn "fixing $FILE ownership to $USER:$GROUP"
+ chown $USER:$GROUP $FILE
+ fi
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ info "fixing $FILE permissions to $PERMISSIONS"
+ chmod 0$PERMISSIONS $FILE
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+ . $CIS_ROOT_DIR/lib/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/bin/hardening/1.7.1.5_etc_issue_perms.sh b/bin/hardening/1.7.1.5_etc_issue_perms.sh
new file mode 100755
index 0000000..9b6c36b
--- /dev/null
+++ b/bin/hardening/1.7.1.5_etc_issue_perms.sh
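Review bot: The `continue` in `audit()` was kept from the per-file loop of the deleted 11.1_warning_banners.sh, but this script has no loop around it, so bash only warns that `continue` is meaningful inside a loop and execution falls through to `has_file_correct_ownership` and `has_file_correct_permissions` on a file that was just reported missing, producing two more crit lines for the same cause. Replace it with `return` so the audit stops after `crit "$FILE does not exist"`. The same line is present in 1.7.1.5_etc_issue_perms.sh and 1.7.1.6_etc_issue_net_perms.sh.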
@@ -0,0 +1,87 @@
+#!/bin/bash
+
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.7.1.4 Ensure permissions on /etc/issue are configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+DESCRIPTION="Checking root ownership and 644 permissions on banner files : /etc/motd|issue|issue.net ."
+
+PERMISSIONS='644'
+USER='root'
+GROUP='root'
+FILE='/etc/issue'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ crit "$FILE does not exist"
+ continue
+ fi
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ crit "$FILE ownership was not set to $USER:$GROUP"
+ fi
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ crit "$FILE permissions were not set to $PERMISSIONS"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ info "$FILE does not exist"
+ touch $FILE
+ fi
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ warn "fixing $FILE ownership to $USER:$GROUP"
+ chown $USER:$GROUP $FILE
+ fi
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ info "fixing $FILE permissions to $PERMISSIONS"
+ chmod 0$PERMISSIONS $FILE
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+ . $CIS_ROOT_DIR/lib/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/bin/hardening/1.7.1.6_etc_issue_net_perms.sh b/bin/hardening/1.7.1.6_etc_issue_net_perms.sh
new file mode 100755
index 0000000..265b554
--- /dev/null
+++ b/bin/hardening/1.7.1.6_etc_issue_net_perms.sh
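Review bot: The header comment of the new 1.7.1.5_etc_issue_perms.sh still reads `# 1.7.1.4 Ensure permissions on /etc/issue are configured (Scored)`; the CIS item number was not updated when the motd script was copied, and 1.7.1.6_etc_issue_net_perms.sh carries the same stale `1.7.1.4` prefix. `DESCRIPTION` in all three permission scripts likewise still says `banner files : /etc/motd|issue|issue.net` although each script now handles only the single path in `FILE`; since that string is presumably what is reported for the check, it should name just that file, e.g. `DESCRIPTION="Checking root ownership and 644 permissions on /etc/issue."`.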
@@ -0,0 +1,87 @@
+#!/bin/bash
+
+#
+# CIS Debian Hardening
+#
+
+#
+# 1.7.1.4 Ensure permissions on /etc/issue.net are configured (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+DESCRIPTION="Checking root ownership and 644 permissions on banner files : /etc/motd|issue|issue.net ."
+
+PERMISSIONS='644'
+USER='root'
+GROUP='root'
+FILE='/etc/issue.net'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ crit "$FILE does not exist"
+ continue
+ fi
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ crit "$FILE ownership was not set to $USER:$GROUP"
+ fi
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ crit "$FILE permissions were not set to $PERMISSIONS"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ info "$FILE does not exist"
+ touch $FILE
+ fi
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ warn "fixing $FILE ownership to $USER:$GROUP"
+ chown $USER:$GROUP $FILE
+ fi
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ info "fixing $FILE permissions to $PERMISSIONS"
+ chmod 0$PERMISSIONS $FILE
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+ . $CIS_ROOT_DIR/lib/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/bin/hardening/11.3_graphical_warning_banners.sh b/bin/hardening/1.7.2_graphical_warning_banners.sh
similarity index 95%
rename from bin/hardening/11.3_graphical_warning_banners.sh
rename to bin/hardening/1.7.2_graphical_warning_banners.sh
index e2d0440..779f3df 100755
--- a/bin/hardening/11.3_graphical_warning_banners.sh
+++ b/bin/hardening/1.7.2_graphical_warning_banners.sh
@@ -5,7 +5,7 @@
 #
 
 #
-# 11.3 Set Graphical Warning Banner (Not Scored)
+# 1.7.2 Ensure GDM login banner is configured (Scored)
 #
 
 set -e # One error, it's over
diff --git a/bin/hardening/11.1_warning_banners.sh b/bin/hardening/11.1_warning_banners.sh
deleted file mode 100755
index 7bdee76..0000000
--- a/bin/hardening/11.1_warning_banners.sh
+++ /dev/null
@@ -1,91 +0,0 @@
-#!/bin/bash
-
-#
-# CIS Debian Hardening
-#
-
-#
-# 11.1 Set Warning Banner for Standard Login Services (Scored)
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-HARDENING_LEVEL=3
-DESCRIPTION="Checking root ownership and 644 permissions on banner files : /etc/motd|issue|issue.net ."
-
-PERMISSIONS='644'
-USER='root'
-GROUP='root'
-FILES='/etc/motd /etc/issue /etc/issue.net'
-
-# This function will be called if the script status is on enabled / audit mode
-audit () {
- for FILE in $FILES; do
- does_file_exist $FILE
- if [ $FNRET != 0 ]; then
- crit "$FILE does not exist"
- continue
- fi
- has_file_correct_ownership $FILE $USER $GROUP
- if [ $FNRET = 0 ]; then
- ok "$FILE has correct ownership"
- else
- crit "$FILE ownership was not set to $USER:$GROUP"
- fi
- has_file_correct_permissions $FILE $PERMISSIONS
- if [ $FNRET = 0 ]; then
- ok "$FILE has correct permissions"
- else
- crit "$FILE permissions were not set to $PERMISSIONS"
- fi
- done
-}
-
-# This function will be called if the script status is on enabled mode
-apply () {
- for FILE in $FILES; do
- does_file_exist $FILE
- if [ $FNRET != 0 ]; then
- info "$FILE does not exist"
- touch $FILE
- fi
- has_file_correct_ownership $FILE $USER $GROUP
- if [ $FNRET = 0 ]; then
- ok "$FILE has correct ownership"
- else
- warn "fixing $FILE ownership to $USER:$GROUP"
- chown $USER:$GROUP $FILE
- fi
- has_file_correct_permissions $FILE $PERMISSIONS
- if [ $FNRET = 0 ]; then
- ok "$FILE has correct permissions"
- else
- info "fixing $FILE permissions to $PERMISSIONS"
- chmod 0$PERMISSIONS $FILE
- fi
- done
-}
-
-# This function will check config parameters required
-check_config() {
- :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
- . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_ROOT_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_ROOT_DIR variable, aborting."
- exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
- . $CIS_ROOT_DIR/lib/main.sh
-else
- echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
- exit 128
-fi
diff --git a/tests/hardening/11.1_warning_banners.sh b/tests/hardening/1.7.1.1_remove_os_info_motd.sh
similarity index 100%
rename from tests/hardening/11.1_warning_banners.sh
rename to tests/hardening/1.7.1.1_remove_os_info_motd.sh
diff --git a/tests/hardening/11.2_remove_os_info_warning_banners.sh b/tests/hardening/1.7.1.2_remove_os_info_issue.sh
similarity index 100%
rename from tests/hardening/11.2_remove_os_info_warning_banners.sh
rename to tests/hardening/1.7.1.2_remove_os_info_issue.sh
diff --git a/tests/hardening/11.3_graphical_warning_banners.sh b/tests/hardening/1.7.1.3_remove_os_info_issue_net.sh
similarity index 100%
rename from tests/hardening/11.3_graphical_warning_banners.sh
rename to tests/hardening/1.7.1.3_remove_os_info_issue_net.sh
diff --git a/tests/hardening/1.7.1.4_warning_banners.sh b/tests/hardening/1.7.1.4_warning_banners.sh
new file mode 100644
index 0000000..b333419
--- /dev/null
+++ b/tests/hardening/1.7.1.4_warning_banners.sh
@@ -0,0 +1,10 @@
+# run-shellcheck
+test_audit() {
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ # TODO fill comprehensive tests
+}
diff --git a/tests/hardening/1.7.2_graphical_warning_banners.sh b/tests/hardening/1.7.2_graphical_warning_banners.sh
new file mode 100644
index 0000000..b333419
--- /dev/null
+++ b/tests/hardening/1.7.2_graphical_warning_banners.sh
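Review bot: The new test file is named `tests/hardening/1.7.1.4_warning_banners.sh`, but the check it is meant to cover was added as `bin/hardening/1.7.1.4_motd_perms.sh`; the `run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all` line takes `${script}` from outside the file (hence the `shellcheck disable=2154`), and if the harness derives it from the test file's name, as the matching test/script names elsewhere in this commit suggest, this test will look for a script that does not exist. Rename the test to `1.7.1.4_motd_perms.sh` so the two match. 1.7.1.5_etc_issue_perms.sh and 1.7.1.6_etc_issue_net_perms.sh get no test file at all in this commit, and the three renamed tests keep their blank-host content unchanged, so none of the new permission checks is exercised.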
@@ -0,0 +1,10 @@
+# run-shellcheck
+test_audit() {
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ # TODO fill comprehensive tests
+}