Merge pull request #20 in IAAS/cis-hardening from dev/kevin.tanguy/rephrasingAllOver to master

* commit '8bbac84f7b0023cbcf9150cc18023ba5a219501c':
  debian dependencies fix, rephrasing, revision bump 1.0-8.
This commit is contained in:
Thibault Dewailly 2016-04-26 14:57:54 +02:00
commit a986f3b340
94 changed files with 395 additions and 389 deletions


@ -26,7 +26,7 @@ audit () {
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -49,12 +49,12 @@ apply () {
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exists_in_file $FILE "^$SSH_PARAM" does_pattern_exist_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else else
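Review bot: The presence test built at `PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"` has no terminator after the value and uses `*` for the separator, so `MaxAuthTries 4` also accepts a file line `MaxAuthTries 40`, and `$SSH_PARAM$SSH_VALUE` glued together would match too; anchor both ends, e.g. `PATTERN="^$SSH_PARAM[[:space:]]+$SSH_VALUE[[:space:]]*$"` (this assumes `does_pattern_exist_in_file` evaluates an extended regex, which is not visible here). sshd honours the first occurrence of a keyword, so an `ok` does not prove the value is effective when an earlier line or a `Match` block already sets it; counting matches of `^$SSH_PARAM` and warning on more than one would close that gap. The `else` branch of apply() continues past the hunk.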


@ -26,7 +26,7 @@ audit () {
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -49,12 +49,12 @@ apply () {
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exists_in_file $FILE "^$SSH_PARAM" does_pattern_exist_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else else
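Review bot: The regex assembled at `PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"` is prefix-only, so a value that merely starts with the expected one (e.g. `2` against a configured `22`, or `yes` against `yesterday`) satisfies the audit and apply() then skips the fix; terminate it with `PATTERN="^$SSH_PARAM[[:space:]]+$SSH_VALUE[[:space:]]*$"`, assuming the helper (defined outside this file) uses an extended regex. Because sshd applies the first matching keyword, apply() appending via `add_end_of_file` only helps when no earlier directive exists — the `^$SSH_PARAM` pre-check covers that, but the replacement path in the `else` branch is outside the hunk, so whether it edits the first occurrence cannot be confirmed here.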


@ -26,7 +26,7 @@ audit () {
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -49,12 +49,12 @@ apply () {
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exists_in_file $FILE "^$SSH_PARAM" does_pattern_exist_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else else
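Review bot: `PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"` is matched case-sensitively and without an end anchor, while sshd treats keywords case-insensitively and only the first occurrence counts; a line `maxauthtries 4` is therefore reported missing and a second copy is appended, and `MaxAuthTries 40` is reported present. Anchoring the value, `PATTERN="^$SSH_PARAM[[:space:]]+$SSH_VALUE[[:space:]]*$"`, fixes the false positive; matching the keyword case-insensitively depends on the helper, which is not visible here. The `else` branch of apply() runs past the hunk.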


@ -17,7 +17,7 @@ RESULT=''
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
info "Checking if admin accounts have login different from $SHELL" info "Checking if admin accounts have a login shell different than $SHELL"
RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}') RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}')
for LINE in $RESULT; do for LINE in $RESULT; do
debug "line : $LINE" debug "line : $LINE"
@ -29,11 +29,11 @@ audit () {
debug "$ACCOUNT is confirmed as an exception" debug "$ACCOUNT is confirmed as an exception"
RESULT=$(sed "s!$LINE!!" <<< "$RESULT") RESULT=$(sed "s!$LINE!!" <<< "$RESULT")
else else
debug "$ACCOUNT not found in exceptions" debug "$ACCOUNT not found in exceptions"
fi fi
done done
if [ ! -z "$RESULT" ]; then if [ ! -z "$RESULT" ]; then
crit "Some admin accounts don't have $SHELL as shell" crit "Some admin accounts don't have $SHELL as their login shell"
crit "$RESULT" crit "$RESULT"
else else
ok "All admin accounts deactivated" ok "All admin accounts deactivated"
@ -57,11 +57,11 @@ apply () {
fi fi
done done
if [ ! -z "$RESULT" ]; then if [ ! -z "$RESULT" ]; then
warn "Some admin accounts don't have $SHELL as shell" warn "Some admin accounts don't have $SHELL as their login shell -- Fixing"
warn "$RESULT" warn "$RESULT"
for USER in $( echo "$RESULT" | cut -d: -f 1 ); do for USER in $( echo "$RESULT" | cut -d: -f 1 ); do
info "Setting $SHELL to $USER" info "Setting $SHELL as $USER login shell"
usermod -s $SHELL $USER usermod -s $SHELL $USER
done done
else else
ok "All admin accounts deactivated, nothing to apply" ok "All admin accounts deactivated, nothing to apply"


@ -28,7 +28,7 @@ apply () {
if [ $(grep "^root:" /etc/passwd | cut -f4 -d:) = 0 ]; then if [ $(grep "^root:" /etc/passwd | cut -f4 -d:) = 0 ]; then
ok "Root group GID is $EXPECTED_GID" ok "Root group GID is $EXPECTED_GID"
else else
warn "Root group GID is not $EXPECTED_GID" warn "Root group GID is not $EXPECTED_GID -- Fixing"
usermod -g $EXPECTED_GID $USER usermod -g $EXPECTED_GID $USER
fi fi
} }
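Review bot: The condition compares the GID field with a literal `0` while the messages and the fix use `$EXPECTED_GID`, so if that variable is ever set to anything else the audit and the remediation disagree; compare with the variable and quote the substitution so `[` does not fail on an empty result: `if [ "$(grep "^root:" /etc/passwd | cut -f4 -d:)" = "$EXPECTED_GID" ]; then`. `usermod -g $EXPECTED_GID $USER` also depends on `USER` being assigned earlier in the file (outside the hunk); if it is not, `$USER` is the login name inherited from the environment and the invoking administrator's primary group is changed instead of root's — a literal `root` here would remove that dependency.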


@ -18,24 +18,24 @@ FILE='/etc/profile.d/CIS_10.4_umask.sh'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
does_pattern_exists_in_file "$FILES_TO_SEARCH" "^$PATTERN" does_pattern_exist_in_file "$FILES_TO_SEARCH" "^$PATTERN"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$PATTERN not present in $FILES_TO_SEARCH" crit "$PATTERN is not present in $FILES_TO_SEARCH"
else else
ok "$PATTERN present in $FILES_TO_SEARCH" ok "$PATTERN is present in $FILES_TO_SEARCH"
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
does_pattern_exists_in_file "$FILES_TO_SEARCH" "^$PATTERN" does_pattern_exist_in_file "$FILES_TO_SEARCH" "^$PATTERN"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$PATTERN not present in $FILES_TO_SEARCH" warn "$PATTERN is not present in $FILES_TO_SEARCH"
touch $FILE touch $FILE
chmod 644 $FILE chmod 644 $FILE
add_end_of_file $FILE "$PATTERN" add_end_of_file $FILE "$PATTERN"
else else
ok "$PATTERN present in $FILES_TO_SEARCH" ok "$PATTERN is present in $FILES_TO_SEARCH"
fi fi
} }
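Review bot: The audit only proves that a line beginning with `$PATTERN` exists somewhere in `$FILES_TO_SEARCH`; profile fragments are sourced in lexical order, so a later `umask 022` in another file under /etc/profile.d (or in /etc/bash.bashrc, which non-login shells read instead of /etc/profile) silently wins and the check still reports `ok`. Consider also reporting any `umask` line with a different value, e.g. `grep -En '^[[:space:]]*umask[[:space:]]+' $FILES_TO_SEARCH | grep -vE -- "$PATTERN"` surfaced as a `warn`. `PATTERN` and `FILES_TO_SEARCH` are defined above the hunk, so this assumes the pattern is a `umask` directive as the file name `CIS_10.4_umask.sh` suggests.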


@ -23,7 +23,7 @@ audit () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
crit "$FILE is not $USER:$GROUP ownership set" crit "$FILE ownership was not set to $USER:$GROUP"
fi fi
has_file_correct_permissions $FILE $PERMISSIONS has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
@ -46,7 +46,7 @@ apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
warn "$FILE is not $USER:$GROUP ownership set" warn "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE chown $USER:$GROUP $FILE
fi fi
has_file_correct_permissions $FILE $PERMISSIONS has_file_correct_permissions $FILE $PERMISSIONS


@ -17,7 +17,7 @@ PATTERN='(\\v|\\r|\\m|\\s)'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
for FILE in $FILES; do for FILE in $FILES; do
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PATTERN is present in $FILE" crit "$PATTERN is present in $FILE"
else else
@ -29,7 +29,7 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
for FILE in $FILES; do for FILE in $FILES; do
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
warn "$PATTERN is present in $FILE" warn "$PATTERN is present in $FILE"
delete_line_in_file $FILE $PATTERN delete_line_in_file $FILE $PATTERN
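Review bot: apply() passes the pattern unquoted, `delete_line_in_file $FILE $PATTERN`, while audit() a few lines above quotes it; the value `(\\v|\\r|\\m|\\s)` happens to survive word splitting, but `delete_line_in_file $FILE "$PATTERN"` keeps the two calls consistent and safe if the pattern ever gains a space or glob character. The remediation also removes the whole banner line rather than the `\v`/`\r`/`\m`/`\s` escape, so legitimate text on the same line is lost; `backup_file $FILE` followed by `sed -i -E "s/$PATTERN//g" $FILE` would strip only the escapes. The remainder of apply() is outside the hunk.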


@ -13,7 +13,7 @@ set -u # One variable unset, it's over
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
info "Checking if there is suid files" info "Checking if there are suid files"
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000 -print) RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000 -print)
for BINARY in $RESULT; do for BINARY in $RESULT; do
if grep -q $BINARY <<< "$EXCEPTIONS"; then if grep -q $BINARY <<< "$EXCEPTIONS"; then
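Review bot: `grep -q $BINARY <<< "$EXCEPTIONS"` treats the path as an unanchored regex, so a setuid binary whose path is a prefix of an exception entry (`/usr/bin/sudo` against an exception `/usr/bin/sudoedit`, say) is silently accepted, and each `.` in the path matches any character. Match the entry literally and whole instead: `if grep -qxF -- "$BINARY" <<< "$EXCEPTIONS"; then` with one exception per line, or `grep -qF -- " $BINARY " <<< " $EXCEPTIONS "` if the list is space separated — the format of `EXCEPTIONS` is set above the hunk. `for BINARY in $RESULT` also splits paths on whitespace; `find … -print0` read with `while IFS= read -r -d '' BINARY` avoids that. The loop body continues past the hunk.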


@ -13,7 +13,7 @@ set -u # One variable unset, it's over
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
info "Checking if there is sgid files" info "Checking if there are sgid files"
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000 -print) RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000 -print)
for BINARY in $RESULT; do for BINARY in $RESULT; do
if grep -q $BINARY <<< "$EXCEPTIONS"; then if grep -q $BINARY <<< "$EXCEPTIONS"; then
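Review bot: As in the suid sibling script, `grep -q $BINARY <<< "$EXCEPTIONS"` is a substring regex match, so a setgid binary is whitelisted whenever its path is contained in any exception entry, and `.` matches any character; use `grep -qxF -- "$BINARY" <<< "$EXCEPTIONS"` (one entry per line) or a padded fixed-string match if `EXCEPTIONS` is space separated — its format is defined above the hunk. Splitting `$RESULT` with `for` also breaks paths containing whitespace; `find … -print0` with a `read -d ''` loop is the robust form. The loop body continues past the hunk.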


@ -21,7 +21,7 @@ audit () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
crit "$FILE is not $USER:$GROUP ownership set" crit "$FILE ownership was not set to $USER:$GROUP"
fi fi
} }


@ -21,7 +21,7 @@ audit () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
crit "$FILE is not $USER:$GROUP ownership set" crit "$FILE ownership was not set to $USER:$GROUP"
fi fi
} }


@ -21,7 +21,7 @@ audit () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
crit "$FILE is not $USER:$GROUP ownership set" crit "$FILE ownership was not set to $USER:$GROUP"
fi fi
} }


@ -13,10 +13,10 @@ set -u # One variable unset, it's over
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
info "Checking if there is world writable files" info "Checking if there are world writable files"
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null) RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then if [ ! -z "$RESULT" ]; then
crit "Some world writable file are present" crit "Some world writable files are present"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ') FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT" crit "$FORMATTED_RESULT"
else else
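Review bot: `sed "s/ /\n/g" <<< $RESULT` depends on the unquoted here-string collapsing newlines into spaces and then splits on spaces again, so any path containing a space is reported as two files; `FORMATTED_RESULT=$(sort -u <<< "$RESULT" | tr '\n' ' ')` yields the same de-duplicated listing without that side effect. The `2>/dev/null` on `find` also hides permission and I/O errors, so an unreadable mount point silently contributes nothing and the audit reports `ok`; if that is deliberate, a comment such as `# stderr silenced: pseudo-filesystems under the mount list are expected to fail` would tell the next reader. The `else` branch is outside the hunk.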


@ -15,10 +15,10 @@ USER='root'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
info "Checking if there is unowned files" info "Checking if there are unowned files"
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null) RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then if [ ! -z "$RESULT" ]; then
crit "Some world writable file are present" crit "Some unowned files are present"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ') FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT" crit "$FORMATTED_RESULT"
else else
@ -30,8 +30,8 @@ audit () {
apply () { apply () {
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null) RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
if [ ! -z "$RESULT" ]; then if [ ! -z "$RESULT" ]; then
warn "chmowing all unowned files in the system" warn "Applying chown on all unowned files in the system"
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown $USER df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown $USER
else else
ok "No unowned files found, nothing to apply" ok "No unowned files found, nothing to apply"
fi fi
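Review bot: `xargs chown $USER` in apply() follows symbolic links, so an unowned symlink gets its *target* re-owned by root while the link itself stays unowned and the check never converges; the unquoted `-print | xargs` pipeline also splits paths on whitespace. Use `find '{}' -xdev -nouser -print0 2>/dev/null | xargs -0 chown -h -- "$USER"` so the link inode is the one changed and names are passed intact. The `RESULT` computed with `-ls` is only used as a non-empty test; `-print` there would be cheaper and consistent with audit().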


@ -15,14 +15,14 @@ GROUP='root'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
info "Checking if there is unowned files" info "Checking if there are ungrouped files"
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null) RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then if [ ! -z "$RESULT" ]; then
crit "Some world writable file are present" crit "Some ungrouped files are present"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ') FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT" crit "$FORMATTED_RESULT"
else else
ok "No world writable files found" ok "No ungrouped files found"
fi fi
} }
@ -30,10 +30,10 @@ audit () {
apply () { apply () {
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null) RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
if [ ! -z "$RESULT" ]; then if [ ! -z "$RESULT" ]; then
warn "chmowing all ungrouped files in the system" warn "Applying chgrp on all ungrouped files in the system"
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp $GROUP df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp $GROUP
else else
ok "No world writable files found, nothing to apply" ok "No ungrouped files found, nothing to apply"
fi fi
} }
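Review bot: `xargs chgrp $GROUP` without `-h` dereferences symlinks, so an ungrouped symlink leaves its target re-grouped and itself still ungrouped, and the audit keeps failing after apply(); the unquoted `-print | xargs` pair also mangles paths with whitespace. Replace the pipeline with `find '{}' -xdev -nogroup -print0 2>/dev/null | xargs -0 chgrp -h -- "$GROUP"`. The `-ls` listing stored in `RESULT` only feeds a non-empty test, so `-print` would do the same work more cheaply.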


@ -27,7 +27,7 @@ audit () {
done done
if [ $ERRORS = 0 ]; then if [ $ERRORS = 0 ]; then
ok "No $FILENAME present in users files" ok "No $FILENAME present in users home directory"
fi fi
} }


@ -27,7 +27,7 @@ audit () {
done done
if [ $ERRORS = 0 ]; then if [ $ERRORS = 0 ]; then
ok "No $FILENAME present in users files" ok "No $FILENAME present in users home directory"
fi fi
} }


@ -27,7 +27,7 @@ audit () {
done done
if [ $ERRORS = 0 ]; then if [ $ERRORS = 0 ]; then
ok "No $FILENAME present in users files" ok "No $FILENAME present in users home directory"
fi fi
} }


@ -15,10 +15,10 @@ FILE='/etc/shadow'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
info "Checking if accounts have empty passwords" info "Checking if accounts have an empty password"
RESULT=$(cat $FILE | awk -F: '($2 == "" ) { print $1 }') RESULT=$(cat $FILE | awk -F: '($2 == "" ) { print $1 }')
if [ ! -z "$RESULT" ]; then if [ ! -z "$RESULT" ]; then
crit "Some accounts have empty passwords" crit "Some accounts have an empty password"
crit $RESULT crit $RESULT
else else
ok "All accounts have a password" ok "All accounts have a password"
@ -29,8 +29,8 @@ audit () {
apply () { apply () {
RESULT=$(cat $FILE | awk -F: '($2 == "" ) { print $1 }') RESULT=$(cat $FILE | awk -F: '($2 == "" ) { print $1 }')
if [ ! -z "$RESULT" ]; then if [ ! -z "$RESULT" ]; then
warn "Some accounts have empty passwords" warn "Some accounts have an empty password"
for ACCOUNT in $RESULT; do for ACCOUNT in $RESULT; do
info "Locking $ACCOUNT" info "Locking $ACCOUNT"
passwd -l $ACCOUNT >/dev/null 2>&1 passwd -l $ACCOUNT >/dev/null 2>&1
done done
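Review bot: `passwd -l $ACCOUNT` only prefixes the (empty) shadow hash with `!`, which blocks password authentication but not SSH public-key logins or other non-password PAM paths, so the account remains usable after apply() reports it locked; if the intent is to disable the account, also expire it (`usermod --expiredate 1 $ACCOUNT`) or state the limitation in the `warn` message. `cat $FILE | awk …` is a useless cat — `awk -F: '($2 == "") { print $1 }' $FILE` reads the file directly — and `crit $RESULT` should be `crit "$RESULT"` so the newline-separated list reaches the logger as one argument.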


@ -17,24 +17,24 @@ PATTERN='^shadow:x:[[:digit:]]+:'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
does_pattern_exists_in_file $FILEGROUP $PATTERN does_pattern_exist_in_file $FILEGROUP $PATTERN
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
info "shadow group exists" info "shadow group exists"
RESULT=$(grep -E "$PATTERN" $FILEGROUP | cut -d: -f4) RESULT=$(grep -E "$PATTERN" $FILEGROUP | cut -d: -f4)
GROUPID=$(getent group shadow | cut -d: -f3) GROUPID=$(getent group shadow | cut -d: -f3)
debug "$RESULT $GROUPID" debug "$RESULT $GROUPID"
if [ ! -z "$RESULT" ]; then if [ ! -z "$RESULT" ]; then
crit "Some user belong to shadow group : $RESULT" crit "Some users belong to shadow group: $RESULT"
else else
ok "No one belongs to shadow group" ok "No user belongs to shadow group"
fi fi
info "Checking if a user has $GROUPID as primary group" info "Checking if a user has $GROUPID as primary group"
RESULT=$(awk -F: '($4 == shadowid) { print $1 }' shadowid=$GROUPID /etc/passwd) RESULT=$(awk -F: '($4 == shadowid) { print $1 }' shadowid=$GROUPID /etc/passwd)
if [ ! -z "$RESULT" ]; then if [ ! -z "$RESULT" ]; then
crit "Some user have shadow id to their primary group : $RESULT" crit "Some users have shadow id as their primary group: $RESULT"
else else
ok "No one have shadow id to their primary group" ok "No user has shadow id as their primary group"
fi fi
else else
crit "shadow group doesn't exist" crit "shadow group doesn't exist"
@ -43,7 +43,7 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
info "If the audit returns something, please check with the user why he has this file" info "Editing automatically users/groups may seriously harm your system, report only here"
} }
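Review bot: `does_pattern_exist_in_file $FILEGROUP $PATTERN` passes `^shadow:x:[[:digit:]]+:` unquoted, so the bracket expression is subject to pathname expansion before the helper sees it, whereas the `grep -E "$PATTERN"` three lines below quotes it; write `does_pattern_exist_in_file $FILEGROUP "$PATTERN"`. The apply() message explains that the fix is intentionally manual, which is the right call for group membership, but it is emitted at `info` level while every other manual-fix script in this commit uses `warn`; a `warn` would keep it visible in a run that only reviews warnings. The rest of audit() past the `else` is outside the hunk.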
# This function will check config parameters required # This function will check config parameters required


@ -16,10 +16,10 @@ RESULT=''
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
info "Checking if accounts have empty passwords" info "Checking if accounts have a legacy password entry"
if grep '^+:' $FILE -q; then if grep '^+:' $FILE -q; then
RESULT=$(grep '^+:' $FILE) RESULT=$(grep '^+:' $FILE)
crit "Some accounts have legacy password entry" crit "Some accounts have a legacy password entry"
crit $RESULT crit $RESULT
else else
ok "All accounts have a valid password entry format" ok "All accounts have a valid password entry format"
@ -30,7 +30,7 @@ audit () {
apply () { apply () {
if grep '^+:' $FILE -q; then if grep '^+:' $FILE -q; then
RESULT=$(grep '^+:' $FILE) RESULT=$(grep '^+:' $FILE)
warn "Some accounts have legacy password entry" warn "Some accounts have a legacy password entry"
for LINE in $RESULT; do for LINE in $RESULT; do
info "Removing $LINE from $FILE" info "Removing $LINE from $FILE"
delete_line_in_file $FILE $LINE delete_line_in_file $FILE $LINE
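Review bot: apply() rewrites `$FILE` with `delete_line_in_file $FILE $LINE` without first calling `backup_file $FILE`, unlike the inetd hunks in this same commit that back up before editing; add `backup_file $FILE` ahead of the loop. The entry is also passed unquoted and, if the helper treats it as a regex (its body is not visible here), the leading `+` and any `.` in it are metacharacters — `delete_line_in_file $FILE "$LINE"` with a literal match inside the helper, or `grep -vxF -- "$LINE"`, would be safer. `for LINE in $RESULT` splits on whitespace, harmless for a bare `+::::::` entry but not for one carrying a GECOS field with spaces. The loop continues past the hunk.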


@ -16,10 +16,10 @@ RESULT=''
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
info "Checking if accounts have empty passwords" info "Checking if accounts have a legacy password entry"
if grep '^+:' $FILE -q; then if grep '^+:' $FILE -q; then
RESULT=$(grep '^+:' $FILE) RESULT=$(grep '^+:' $FILE)
crit "Some accounts have legacy password entry" crit "Some accounts have a legacy password entry"
crit $RESULT crit $RESULT
else else
ok "All accounts have a valid password entry format" ok "All accounts have a valid password entry format"
@ -30,7 +30,7 @@ audit () {
apply () { apply () {
if grep '^+:' $FILE -q; then if grep '^+:' $FILE -q; then
RESULT=$(grep '^+:' $FILE) RESULT=$(grep '^+:' $FILE)
warn "Some accounts have legacy password entry" warn "Some accounts have a legacy password entry"
for LINE in $RESULT; do for LINE in $RESULT; do
info "Removing $LINE from $FILE" info "Removing $LINE from $FILE"
delete_line_in_file $FILE $LINE delete_line_in_file $FILE $LINE
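Review bot: This is the shadow file, yet apply() edits it in place through `delete_line_in_file $FILE $LINE` with no `backup_file $FILE` beforehand, while the inetd scripts changed in this commit do back up before a `sed -i`; add the backup call before the loop. The matched line is passed unquoted and as a pattern, so a `+` or `.` in it may be interpreted as a regex metacharacter depending on the helper (not visible here) — quote it, `"$LINE"`, and prefer a fixed-string match. The loop body continues past the hunk.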


@ -16,13 +16,13 @@ RESULT=''
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
info "Checking if accounts have empty passwords" info "Checking if accounts have a legacy group entry"
if grep '^+:' $FILE -q; then if grep '^+:' $FILE -q; then
RESULT=$(grep '^+:' $FILE) RESULT=$(grep '^+:' $FILE)
crit "Some accounts have legacy password entry" crit "Some accounts have a legacy group entry"
crit $RESULT crit $RESULT
else else
ok "All accounts have a valid password entry format" ok "All accounts have a valid group entry format"
fi fi
} }
@ -30,13 +30,13 @@ audit () {
apply () { apply () {
if grep '^+:' $FILE -q; then if grep '^+:' $FILE -q; then
RESULT=$(grep '^+:' $FILE) RESULT=$(grep '^+:' $FILE)
warn "Some accounts have legacy password entry" warn "Some accounts have a legacy group entry"
for LINE in $RESULT; do for LINE in $RESULT; do
info "Removing $LINE from $FILE" info "Removing $LINE from $FILE"
delete_line_in_file $FILE $LINE delete_line_in_file $FILE $LINE
done done
else else
ok "All accounts have a valid password entry format" ok "All accounts have a valid group entry format"
fi fi
} }
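Review bot: `delete_line_in_file $FILE $LINE` modifies `$FILE` without a preceding `backup_file $FILE`, unlike the inetd remediations in this same commit; add the backup call before the `for` loop so a bad match in /etc/group can be reverted. The line is passed unquoted and is used as a pattern, so a `+` at the start or a `.` in a netgroup name may be read as a regex metacharacter by the helper (defined elsewhere) — `"$LINE"` with a fixed-string match inside the helper is the safe form. The `ok` message in apply() is the same text as audit()'s, which makes the two modes indistinguishable in a log; `"…, nothing to apply"` as used in the other scripts would help.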


@ -33,7 +33,7 @@ audit () {
crit "Some accounts have uid 0" crit "Some accounts have uid 0"
crit $RESULT crit $RESULT
else else
ok "No account with suid 0 apart root" ok "No account with uid 0 apart root"
fi fi
} }


@ -23,7 +23,7 @@ audit () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
crit "$FILE is not $USER:$GROUP ownership set" crit "$FILE ownership was not set to $USER:$GROUP"
fi fi
} }


@ -17,13 +17,13 @@ PWD_PATTERN="^password_pbkdf2"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
does_pattern_exists_in_file $FILE "$USER_PATTERN" does_pattern_exist_in_file $FILE "$USER_PATTERN"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$USER_PATTERN not present in $FILE" crit "$USER_PATTERN not present in $FILE"
else else
ok "$USER_PATTERN is present in $FILE" ok "$USER_PATTERN is present in $FILE"
fi fi
does_pattern_exists_in_file $FILE "$PWD_PATTERN" does_pattern_exist_in_file $FILE "$PWD_PATTERN"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$PWD_PATTERN not present in $FILE" crit "$PWD_PATTERN not present in $FILE"
else else
@ -33,13 +33,13 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
does_pattern_exists_in_file $FILE "$USER_PATTERN" does_pattern_exist_in_file $FILE "$USER_PATTERN"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$USER_PATTERN not present in $FILE, please configure password for grub" warn "$USER_PATTERN not present in $FILE, please configure password for grub"
else else
ok "$USER_PATTERN is present in $FILE" ok "$USER_PATTERN is present in $FILE"
fi fi
does_pattern_exists_in_file $FILE "$PWD_PATTERN" does_pattern_exist_in_file $FILE "$PWD_PATTERN"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$PWD_PATTERN not present in $FILE, please configure password for grub" warn "$PWD_PATTERN not present in $FILE, please configure password for grub"
else else
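Review bot: audit() proves nothing about which GRUB file is being read: on Debian the `set superusers` and `password_pbkdf2` lines are normally placed in `/etc/grub.d/40_custom` and only reach `/boot/grub/grub.cfg` after `update-grub`, so depending on what `FILE` is set to above the hunk the audit can pass before the password is actually installed in the boot configuration, or fail after it is. Checking the generated `grub.cfg` reflects what the bootloader enforces; a comment on the `FILE` assignment saying which of the two is meant, and why, would remove the ambiguity. Warning rather than auto-generating a hash in apply() is the right choice for a credential.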


@ -16,21 +16,21 @@ PATTERN="^root:[*\!]:"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
does_pattern_exists_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET != 1 ]; then if [ $FNRET != 1 ]; then
crit "$PATTERN present in $FILE" crit "$PATTERN is present in $FILE"
else else
ok "$PATTERN not present in $FILE" ok "$PATTERN is not present in $FILE"
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
does_pattern_exists_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET != 1 ]; then if [ $FNRET != 1 ]; then
warn "$PATTERN present in $FILE, please put a root password" warn "$PATTERN is present in $FILE, please put a root password"
else else
ok "$PATTERN not present in $FILE" ok "$PATTERN is not present in $FILE"
fi fi
: :
} }
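Review bot: `^root:[*\!]:` (defined above the hunk) only recognizes a single `*` or `!` in the password field, so an empty field (`root::`), the `!!` form, or a locked hash (`root:!$6$…:`) all slip past both functions and the audit reports `ok` although root has no usable password; `PATTERN='^root:([*!]*|![^:]*):'` covers those forms. The pattern is passed unquoted in both calls, and since it contains `*` and a bracket expression it is subject to pathname expansion before the helper sees it — use `"$PATTERN"`. Testing `$FNRET != 1` also counts a helper error status as "present"; `[ $FNRET = 0 ]` is the test the other scripts use.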


@ -18,7 +18,7 @@ SYSCTL_EXP_RESULT=0
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
does_pattern_exists_in_file $LIMIT_FILE $LIMIT_PATTERN does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$LIMIT_PATTERN not present in $LIMIT_FILE" crit "$LIMIT_PATTERN not present in $LIMIT_FILE"
else else
@ -36,9 +36,9 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
does_pattern_exists_in_file $LIMIT_FILE $LIMIT_PATTERN does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$LIMIT_PATTERN not present in $LIMIT_FILE, addning at the end of $LIMIT_FILE" warn "$LIMIT_PATTERN not present in $LIMIT_FILE, adding at the end of $LIMIT_FILE"
add_end_of_file $LIMIT_FILE "* hard core 0" add_end_of_file $LIMIT_FILE "* hard core 0"
else else
ok "$LIMIT_PATTERN present in $LIMIT_FILE" ok "$LIMIT_PATTERN present in $LIMIT_FILE"


@ -15,21 +15,21 @@ PATTERN='NX[[:space:]]\(Execute[[:space:]]Disable\)[[:space:]]protection:[[:spac
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
does_pattern_exists_in_dmesg $PATTERN does_pattern_exist_in_dmesg $PATTERN
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$PATTERN not present in dmesg" crit "$PATTERN is not present in dmesg"
else else
ok "$PATTERN present in dmesg" ok "$PATTERN is present in dmesg"
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
does_pattern_exists_in_dmesg $PATTERN does_pattern_exist_in_dmesg $PATTERN
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$PATTERN not present in dmesg, please go to the bios to activate this option or change for CPU compatible" crit "$PATTERN is not present in dmesg, please go to the bios to activate this option or change for CPU compatible"
else else
ok "$PATTERN present in dmesg" ok "$PATTERN is present in dmesg"
fi fi
} }
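Review bot: Both functions rely on the kernel ring buffer, and on a long-running host the early boot line `NX (Execute Disable) protection: active` is rotated out of `dmesg`, so the audit turns into a false `crit` after enough uptime; when dmesg has no match, fall back to the CPU flags, e.g. `grep -qw nx /proc/cpuinfo`, and report that as a weaker `warn` since it confirms hardware support rather than kernel activation. `$PATTERN` is passed unquoted in both calls although it contains bracket expressions; `"$PATTERN"` avoids pathname expansion. apply() uses `crit` where the other non-automatable fixes in this commit use `warn`.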


@ -26,11 +26,11 @@ audit () {
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
ok "$FILE does not exist" ok "$FILE does not exist"
else else
does_pattern_exists_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PATTERN exists, $PACKAGE services are enabled!" crit "$PATTERN exists, $PACKAGE services are enabled!"
else else
ok "$PATTERN not present in $FILE" ok "$PATTERN is not present in $FILE"
fi fi
fi fi
else else
@ -55,14 +55,14 @@ apply () {
ok "$FILE does not exist" ok "$FILE does not exist"
else else
info "$FILE exists, checking patterns" info "$FILE exists, checking patterns"
does_pattern_exists_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
warn "$PATTERN present in $FILE, purging it" warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else else
ok "$PATTERN not present in $FILE" ok "$PATTERN is not present in $FILE"
fi fi
fi fi
done done
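Review bot: `sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE` is parsed by GNU sed as `-i` with the backup suffix `e`, not as `-i -e`, so every run leaves a stray copy of the config named `${FILE}e` beside the original in addition to the `backup_file` copy; write it as `sed -i -e "s/$ESCAPED_PATTERN/#&/g" $FILE`. The escaping step rewrites `|`, `(` and `)` as `\|`, `\(`, `\)`, which is what GNU sed's BRE needs for alternation and grouping, so the substitution works, but that is GNU-specific and deserves a comment such as `# GNU sed BRE: \| and \( \) are the alternation/grouping operators`. `$PATTERN` is unquoted in both helper calls and in the here-string; its definition is above the hunk.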


@ -25,11 +25,11 @@ audit () {
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
ok "$FILE does not exist" ok "$FILE does not exist"
else else
does_pattern_exists_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PATTERN exists, $PACKAGE services are enabled!" crit "$PATTERN exists, $PACKAGE services are enabled!"
else else
ok "$PATTERN not present in $FILE" ok "$PATTERN is not present in $FILE"
fi fi
fi fi
else else
@ -54,14 +54,14 @@ apply () {
ok "$FILE does not exist" ok "$FILE does not exist"
else else
info "$FILE exists, checking patterns" info "$FILE exists, checking patterns"
does_pattern_exists_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
warn "$PATTERN present in $FILE, purging it" warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else else
ok "$PATTERN not present in $FILE" ok "$PATTERN is not present in $FILE"
fi fi
fi fi
done done
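Review bot: `sed -ie …` here means "edit in place, backup suffix `e`", so the remediation leaves a `${FILE}e` copy behind on every run; the intended form is `sed -i -e "s/$ESCAPED_PATTERN/#&/g" $FILE` (the `backup_file` call above already keeps a proper backup). The `ESCAPED_PATTERN` transformation relies on GNU sed treating `\|`, `\(` and `\)` as alternation and grouping in basic regex mode, which is worth a one-line comment since it is not POSIX. `$PATTERN` is unquoted throughout and is defined above the hunk.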


@ -26,11 +26,11 @@ audit () {
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
ok "$FILE does not exist" ok "$FILE does not exist"
else else
does_pattern_exists_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PATTERN exists, $PACKAGE services are enabled!" crit "$PATTERN exists, $PACKAGE services are enabled!"
else else
ok "$PATTERN not present in $FILE" ok "$PATTERN is not present in $FILE"
fi fi
fi fi
else else
@ -55,14 +55,14 @@ apply () {
ok "$FILE does not exist" ok "$FILE does not exist"
else else
info "$FILE exists, checking patterns" info "$FILE exists, checking patterns"
does_pattern_exists_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
warn "$PATTERN present in $FILE, purging it" warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else else
ok "$PATTERN not present in $FILE" ok "$PATTERN is not present in $FILE"
fi fi
fi fi
done done


@ -25,11 +25,11 @@ audit () {
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
ok "$FILE does not exist" ok "$FILE does not exist"
else else
does_pattern_exists_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PATTERN exists, $PACKAGE services are enabled!" crit "$PATTERN exists, $PACKAGE services are enabled!"
else else
ok "$PATTERN not present in $FILE" ok "$PATTERN is not present in $FILE"
fi fi
fi fi
else else
@ -54,15 +54,14 @@ apply () {
ok "$FILE does not exist" ok "$FILE does not exist"
else else
info "$FILE exists, checking patterns" info "$FILE exists, checking patterns"
does_pattern_exists_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
warn "$PATTERN present in $FILE, purging it" warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
echo "coucou"
else else
ok "$PATTERN not present in $FILE" ok "$PATTERN is not present in $FILE"
fi fi
fi fi
done done


@ -20,11 +20,11 @@ audit () {
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
ok "$FILE does not exist" ok "$FILE does not exist"
else else
does_pattern_exists_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PATTERN exists, chargen services are enabled!" crit "$PATTERN exists, chargen service is enabled!"
else else
ok "$PATTERN not present in $FILE" ok "$PATTERN is not present in $FILE"
fi fi
fi fi
} }
@ -36,14 +36,14 @@ apply () {
ok "$FILE does not exist" ok "$FILE does not exist"
else else
info "$FILE exists, checking patterns" info "$FILE exists, checking patterns"
does_pattern_exists_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
warn "$PATTERN present in $FILE, purging it" warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else else
ok "$PATTERN not present in $FILE" ok "$PATTERN is not present in $FILE"
fi fi
fi fi
} }


@ -20,11 +20,11 @@ audit () {
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
ok "$FILE does not exist" ok "$FILE does not exist"
else else
does_pattern_exists_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PATTERN exists, chargen services are enabled!" crit "$PATTERN exists, daytime service is enabled!"
else else
ok "$PATTERN not present in $FILE" ok "$PATTERN is not present in $FILE"
fi fi
fi fi
} }
@ -36,14 +36,14 @@ apply () {
ok "$FILE does not exist" ok "$FILE does not exist"
else else
info "$FILE exists, checking patterns" info "$FILE exists, checking patterns"
does_pattern_exists_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
warn "$PATTERN present in $FILE, purging it" warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else else
ok "$PATTERN not present in $FILE" ok "$PATTERN is not present in $FILE"
fi fi
fi fi
} }


@ -20,11 +20,11 @@ audit () {
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
ok "$FILE does not exist" ok "$FILE does not exist"
else else
does_pattern_exists_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PATTERN exists, chargen services are enabled!" crit "$PATTERN exists, echo service is enabled!"
else else
ok "$PATTERN not present in $FILE" ok "$PATTERN is not present in $FILE"
fi fi
fi fi
} }
@ -36,14 +36,14 @@ apply () {
ok "$FILE does not exist" ok "$FILE does not exist"
else else
info "$FILE exists, checking patterns" info "$FILE exists, checking patterns"
does_pattern_exists_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
warn "$PATTERN present in $FILE, purging it" warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else else
ok "$PATTERN not present in $FILE" ok "$PATTERN is not present in $FILE"
fi fi
fi fi
} }


@ -20,11 +20,11 @@ audit () {
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
ok "$FILE does not exist" ok "$FILE does not exist"
else else
does_pattern_exists_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PATTERN exists, chargen services are enabled!" crit "$PATTERN exists, discard service is enabled!"
else else
ok "$PATTERN not present in $FILE" ok "$PATTERN is not present in $FILE"
fi fi
fi fi
} }
@ -36,14 +36,14 @@ apply () {
ok "$FILE does not exist" ok "$FILE does not exist"
else else
info "$FILE exists, checking patterns" info "$FILE exists, checking patterns"
does_pattern_exists_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
warn "$PATTERN present in $FILE, purging it" warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else else
ok "$PATTERN not present in $FILE" ok "$PATTERN is not present in $FILE"
fi fi
fi fi
} }


@ -20,11 +20,11 @@ audit () {
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
ok "$FILE does not exist" ok "$FILE does not exist"
else else
does_pattern_exists_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
crit "$PATTERN exists, chargen services are enabled!" crit "$PATTERN exists, time service is enabled!"
else else
ok "$PATTERN not present in $FILE" ok "$PATTERN is not present in $FILE"
fi fi
fi fi
} }
@ -36,14 +36,14 @@ apply () {
ok "$FILE does not exist" ok "$FILE does not exist"
else else
info "$FILE exists, checking patterns" info "$FILE exists, checking patterns"
does_pattern_exists_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
warn "$PATTERN present in $FILE, purging it" warn "$PATTERN is present in $FILE, purging it"
backup_file $FILE backup_file $FILE
ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN)
sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE
else else
ok "$PATTERN not present in $FILE" ok "$PATTERN is not present in $FILE"
fi fi
fi fi
} }


@ -23,7 +23,7 @@ audit () {
ok "$PACKAGE is not installed" ok "$PACKAGE is not installed"
else else
ok "$PACKAGE is installed, checking configuration" ok "$PACKAGE is installed, checking configuration"
does_pattern_exists_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN" does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE" crit "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE"
else else
@ -39,7 +39,7 @@ apply () {
ok "$PACKAGE is not installed" ok "$PACKAGE is not installed"
else else
ok "$PACKAGE is installed, checking configuration" ok "$PACKAGE is installed, checking configuration"
does_pattern_exists_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN" does_pattern_exist_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE, adding it" warn "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE, adding it"
backup_file $RSYNC_DEFAULT_FILE backup_file $RSYNC_DEFAULT_FILE


@ -24,13 +24,13 @@ audit () {
crit "$PACKAGE is not installed!" crit "$PACKAGE is not installed!"
else else
ok "$PACKAGE is installed, checking configuration" ok "$PACKAGE is installed, checking configuration"
does_pattern_exists_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN does_pattern_exist_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE" crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE"
else else
ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE" ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
fi fi
does_pattern_exists_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN" does_pattern_exist_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE" crit "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE"
else else
@ -49,7 +49,7 @@ apply () {
apt_install $PACKAGE apt_install $PACKAGE
info "Checking $PACKAGE configuration" info "Checking $PACKAGE configuration"
fi fi
does_pattern_exists_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN does_pattern_exist_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE, adding it" warn "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE, adding it"
backup_file $NTP_CONF_FILE backup_file $NTP_CONF_FILE
@ -57,7 +57,7 @@ apply () {
else else
ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE" ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE"
fi fi
does_pattern_exists_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN" does_pattern_exist_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE, adding it" warn "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE, adding it"
backup_file $NTP_INIT_FILE backup_file $NTP_INIT_FILE
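Review bot: `$NTP_CONF_DEFAULT_PATTERN` is passed unquoted to does_pattern_exist_in_file in both audit and apply, while the `$NTP_INIT_PATTERN` check right after it is quoted and anchored with `^`; if the default-restrict pattern contains whitespace (its definition is outside this hunk, but ntp restrict lines normally do) the shell splits it into several arguments and the check silently tests the wrong regex. Quote it like its sibling: `does_pattern_exist_in_file $NTP_CONF_FILE "$NTP_CONF_DEFAULT_PATTERN"`, and consider anchoring it with `^` as well so that a commented-out restrict line does not satisfy the audit — to be checked against how the pattern is defined. The closing lines of apply are outside the hunk.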


@ -20,12 +20,12 @@ audit () {
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
else else
ok "$FILE exist, checking configuration" ok "$FILE exists, checking configuration"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$PATTERN not present in $FILE, we have to deny everything" crit "$PATTERN is not present in $FILE, we have to deny everything"
else else
ok "$PATTERN present in $FILE" ok "$PATTERN is present in $FILE"
fi fi
fi fi
} }
@ -37,15 +37,15 @@ apply () {
warn "$FILE does not exist, creating it" warn "$FILE does not exist, creating it"
touch $FILE touch $FILE
else else
ok "$FILE exist" ok "$FILE exists"
fi fi
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$PATTERN not present in $FILE, we have to deny everything" crit "$PATTERN is not present in $FILE, we have to deny everything"
add_end_of_file $FILE "$PATTERN" add_end_of_file $FILE "$PATTERN"
warn "YOU MAY HAVE CUT YOUR ACCESS, CHECK BEFORE DISCONNECTING" warn "YOU MAY HAVE CUT YOUR ACCESS, CHECK BEFORE DISCONNECTING"
else else
ok "$PATTERN present in $FILE" ok "$PATTERN is present in $FILE"
fi fi
} }
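Review bot: the check `does_pattern_exist_in_file $FILE "$PATTERN"` is not anchored to the start of the line, unlike the `^…` patterns used by the other checks in this commit, so a commented-out line (for a deny-everything rule, something like `# ALL: ALL`; PATTERN itself is defined outside this hunk) would satisfy both audit and apply and the deny rule would never be written. Anchor it in both places: `does_pattern_exist_in_file $FILE "^$PATTERN"`. In apply the missing-rule message is logged with `crit` although the script then fixes it on the next line; `warn` is what the sibling scripts use for a fix in progress.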


@ -21,12 +21,12 @@ audit () {
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
else else
ok "$FILE exist, checking configuration" ok "$FILE exists, checking configuration"
does_pattern_exists_in_file $FILE "^$PATTERN[[:space:]]" does_pattern_exist_in_file $FILE "^$PATTERN[[:space:]]"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$PATTERN not present in $FILE" crit "$PATTERN is not present in $FILE"
else else
ok "$PATTERN present in $FILE" ok "$PATTERN is present in $FILE"
fi fi
fi fi
} }
@ -38,14 +38,14 @@ apply () {
warn "$FILE does not exist, creating it" warn "$FILE does not exist, creating it"
touch $FILE touch $FILE
else else
ok "$FILE exist" ok "$FILE exists"
fi fi
does_pattern_exists_in_file $FILE "^$PATTERN[[:space:]]" does_pattern_exist_in_file $FILE "^$PATTERN[[:space:]]"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$PATTERN not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
add_end_of_file $FILE "$PATTERN = $VALUE" add_end_of_file $FILE "$PATTERN = $VALUE"
else else
ok "$PATTERN present in $FILE" ok "$PATTERN is present in $FILE"
fi fi
} }
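Review bot: audit and apply only test `^$PATTERN[[:space:]]`, i.e. that the key is present, not that it carries `$VALUE`; an existing `PATTERN = something-else` line passes the audit, and apply never corrects it because it only appends when the key is absent. Check the value too, e.g. `does_pattern_exist_in_file $FILE "^$PATTERN[[:space:]]*=[[:space:]]*$VALUE"`, and when the key is present with another value replace the line (other scripts in this commit use a replace_in_file helper for exactly that) instead of reporting ok. FILE, PATTERN and VALUE are defined outside this hunk.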


@ -20,17 +20,17 @@ audit () {
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
else else
ok "$FILE exist, checking configuration" ok "$FILE exists, checking configuration"
for AUDIT_OPTION in $OPTIONS; do for AUDIT_OPTION in $OPTIONS; do
AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1) AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2) AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE" PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
debug "$AUDIT_PARAM should be set to $AUDIT_VALUE" debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$PATTERN not present in $FILE" crit "$PATTERN is not present in $FILE"
else else
ok "$PATTERN present in $FILE" ok "$PATTERN is present in $FILE"
fi fi
done done
fi fi
@ -43,17 +43,17 @@ apply () {
warn "$FILE does not exist, creating it" warn "$FILE does not exist, creating it"
touch $FILE touch $FILE
else else
ok "$FILE exist" ok "$FILE exists"
fi fi
for AUDIT_OPTION in $OPTIONS; do for AUDIT_OPTION in $OPTIONS; do
AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1) AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2) AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
debug "$AUDIT_PARAM should be set to $AUDIT_VALUE" debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE" PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$PATTERN not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exists_in_file $FILE "^$AUDIT_PARAM" does_pattern_exist_in_file $FILE "^$AUDIT_PARAM"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end" info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end"
add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE" add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE"
@ -62,7 +62,7 @@ apply () {
replace_in_file $FILE "^$AUDIT_PARAM[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE" replace_in_file $FILE "^$AUDIT_PARAM[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE"
fi fi
else else
ok "$PATTERN present in $FILE" ok "$PATTERN is present in $FILE"
fi fi
done done
} }
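Review bot: the fallback check `does_pattern_exist_in_file $FILE "^$AUDIT_PARAM"` has no terminator, so a parameter whose name is a prefix of another key (for instance `max_log_file` next to `max_log_file_action`, if these are the auditd.conf keys this script manages) matches the longer key's line, the script takes the replace branch, `replace_in_file $FILE "^$AUDIT_PARAM[[:space:]]*=.*" …` matches nothing, and the setting is never written while audit keeps failing. Terminate the key: `does_pattern_exist_in_file $FILE "^$AUDIT_PARAM[[:space:]]*="`. The same code appears in the next, identical section of this commit. The lines between `add_end_of_file` and `replace_in_file` are outside the hunk.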


@ -20,17 +20,17 @@ audit () {
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
else else
ok "$FILE exist, checking configuration" ok "$FILE exists, checking configuration"
for AUDIT_OPTION in $OPTIONS; do for AUDIT_OPTION in $OPTIONS; do
AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1) AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2) AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE" PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
debug "$AUDIT_PARAM should be set to $AUDIT_VALUE" debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$PATTERN not present in $FILE" crit "$PATTERN is not present in $FILE"
else else
ok "$PATTERN present in $FILE" ok "$PATTERN is present in $FILE"
fi fi
done done
fi fi
@ -43,17 +43,17 @@ apply () {
warn "$FILE does not exist, creating it" warn "$FILE does not exist, creating it"
touch $FILE touch $FILE
else else
ok "$FILE exist" ok "$FILE exists"
fi fi
for AUDIT_OPTION in $OPTIONS; do for AUDIT_OPTION in $OPTIONS; do
AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1) AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1)
AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2) AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2)
debug "$AUDIT_PARAM should be set to $AUDIT_VALUE" debug "$AUDIT_PARAM should be set to $AUDIT_VALUE"
PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE" PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$PATTERN not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exists_in_file $FILE "^$AUDIT_PARAM" does_pattern_exist_in_file $FILE "^$AUDIT_PARAM"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end" info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end"
add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE" add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE"
@ -62,7 +62,7 @@ apply () {
replace_in_file $FILE "^$AUDIT_PARAM[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE" replace_in_file $FILE "^$AUDIT_PARAM[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE"
fi fi
else else
ok "$PATTERN present in $FILE" ok "$PATTERN is present in $FILE"
fi fi
done done
} }


@ -23,12 +23,12 @@ FILE='/etc/audit/audit.rules'
audit () { audit () {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE must be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exists_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file $FILE $AUDIT_VALUE
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
else else
ok "$AUDIT_VALUE present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi
done done
} }
@ -37,14 +37,14 @@ audit () {
apply () { apply () {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE must be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exists_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file $FILE $AUDIT_VALUE
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file $FILE $AUDIT_VALUE
eval $(pkill -HUP -P 1 auditd) eval $(pkill -HUP -P 1 auditd)
else else
ok "$AUDIT_VALUE present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi
done done
} }
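Review bot: `eval $(pkill -HUP -P 1 auditd)` evaluates pkill's (empty) output rather than running pkill under eval, so the eval is a no-op wrapper and a failing pkill (auditd not running) is silently ignored; `pkill -HUP -P 1 auditd || warn "auditd not running, rule will be loaded at next start"` says what is meant. As far as I recall SIGHUP makes auditd re-read auditd.conf, not the rules file, so the rule just appended to `$FILE` is not active until `auditctl -R $FILE` or a service restart — worth confirming and stating in a comment on that line. `IFS=$'\n'` is set in both audit and apply and never restored before the function returns, which changes word splitting for everything that runs afterwards in the same shell; use `local IFS=$'\n'` or save and restore it. `$AUDIT_VALUE` is a rule used as a regex and is passed unquoted, so any glob character in it would be expanded by the shell first. The same code is repeated in the other audit.rules scripts of this commit.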


@ -21,12 +21,12 @@ FILE='/etc/audit/audit.rules'
audit () { audit () {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE must be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exists_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file $FILE $AUDIT_VALUE
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
else else
ok "$AUDIT_VALUE present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi
done done
} }
@ -35,14 +35,14 @@ audit () {
apply () { apply () {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE must be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exists_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file $FILE $AUDIT_VALUE
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file $FILE $AUDIT_VALUE
eval $(pkill -HUP -P 1 auditd) eval $(pkill -HUP -P 1 auditd)
else else
ok "$AUDIT_VALUE present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi
done done
} }


@ -21,12 +21,12 @@ FILE='/etc/audit/audit.rules'
audit () { audit () {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE must be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exists_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file $FILE $AUDIT_VALUE
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
else else
ok "$AUDIT_VALUE present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi
done done
} }
@ -35,14 +35,14 @@ audit () {
apply () { apply () {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE must be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exists_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file $FILE $AUDIT_VALUE
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file $FILE $AUDIT_VALUE
eval $(pkill -HUP -P 1 auditd) eval $(pkill -HUP -P 1 auditd)
else else
ok "$AUDIT_VALUE present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi
done done
} }


@ -19,12 +19,12 @@ FILE='/etc/audit/audit.rules'
audit () { audit () {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE must be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exists_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file $FILE $AUDIT_VALUE
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
else else
ok "$AUDIT_VALUE present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi
done done
} }
@ -33,14 +33,14 @@ audit () {
apply () { apply () {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE must be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exists_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file $FILE $AUDIT_VALUE
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file $FILE $AUDIT_VALUE
eval $(pkill -HUP -P 1 auditd) eval $(pkill -HUP -P 1 auditd)
else else
ok "$AUDIT_VALUE present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi
done done
} }


@ -19,12 +19,12 @@ FILE='/etc/audit/audit.rules'
audit () { audit () {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE must be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exists_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file $FILE $AUDIT_VALUE
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
else else
ok "$AUDIT_VALUE present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi
done done
} }
@ -33,14 +33,14 @@ audit () {
apply () { apply () {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE must be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exists_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file $FILE $AUDIT_VALUE
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file $FILE $AUDIT_VALUE
eval $(pkill -HUP -P 1 auditd) eval $(pkill -HUP -P 1 auditd)
else else
ok "$AUDIT_VALUE present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi
done done
} }


@ -19,12 +19,12 @@ FILE='/etc/audit/audit.rules'
audit () { audit () {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE must be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exists_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file $FILE $AUDIT_VALUE
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
else else
ok "$AUDIT_VALUE present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi
done done
} }
@ -33,14 +33,14 @@ audit () {
apply () { apply () {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE must be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exists_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file $FILE $AUDIT_VALUE
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file $FILE $AUDIT_VALUE
eval $(pkill -HUP -P 1 auditd) eval $(pkill -HUP -P 1 auditd)
else else
ok "$AUDIT_VALUE present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi
done done
} }


@ -18,12 +18,12 @@ FILE='/etc/audit/audit.rules'
audit () { audit () {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE must be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exists_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file $FILE $AUDIT_VALUE
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
else else
ok "$AUDIT_VALUE present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi
done done
} }
@ -32,14 +32,14 @@ audit () {
apply () { apply () {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE must be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exists_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file $FILE $AUDIT_VALUE
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file $FILE $AUDIT_VALUE
eval $(pkill -HUP -P 1 auditd) eval $(pkill -HUP -P 1 auditd)
else else
ok "$AUDIT_VALUE present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi
done done
} }


@ -21,12 +21,12 @@ FILE='/etc/audit/audit.rules'
audit () { audit () {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE must be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exists_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file $FILE $AUDIT_VALUE
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
else else
ok "$AUDIT_VALUE present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi
done done
} }
@ -35,14 +35,14 @@ audit () {
apply () { apply () {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE must be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exists_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file $FILE $AUDIT_VALUE
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file $FILE $AUDIT_VALUE
eval $(pkill -HUP -P 1 auditd) eval $(pkill -HUP -P 1 auditd)
else else
ok "$AUDIT_VALUE present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi
done done
} }


@ -18,12 +18,12 @@ FILE='/etc/audit/audit.rules'
audit () { audit () {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE must be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exists_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file $FILE $AUDIT_VALUE
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
else else
ok "$AUDIT_VALUE present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi
done done
} }
@ -32,14 +32,14 @@ audit () {
apply () { apply () {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE must be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exists_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file $FILE $AUDIT_VALUE
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file $FILE $AUDIT_VALUE
eval $(pkill -HUP -P 1 auditd) eval $(pkill -HUP -P 1 auditd)
else else
ok "$AUDIT_VALUE present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi
done done
} }


@ -20,17 +20,17 @@ audit () {
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$FILE does not exist" crit "$FILE does not exist"
else else
ok "$FILE exist, checking configuration" ok "$FILE exists, checking configuration"
for GRUB_OPTION in $OPTIONS; do for GRUB_OPTION in $OPTIONS; do
GRUB_PARAM=$(echo $GRUB_OPTION | cut -d= -f 1) GRUB_PARAM=$(echo $GRUB_OPTION | cut -d= -f 1)
GRUB_VALUE=$(echo $GRUB_OPTION | cut -d= -f 2,3) GRUB_VALUE=$(echo $GRUB_OPTION | cut -d= -f 2,3)
PATTERN="^$GRUB_PARAM=$GRUB_VALUE" PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
debug "$GRUB_PARAM should be set to $GRUB_VALUE" debug "$GRUB_PARAM should be set to $GRUB_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$PATTERN not present in $FILE" crit "$PATTERN is not present in $FILE"
else else
ok "$PATTERN present in $FILE" ok "$PATTERN is present in $FILE"
fi fi
done done
fi fi
@ -43,17 +43,17 @@ apply () {
warn "$FILE does not exist, creating it" warn "$FILE does not exist, creating it"
touch $FILE touch $FILE
else else
ok "$FILE exist" ok "$FILE exists"
fi fi
for GRUB_OPTION in $OPTIONS; do for GRUB_OPTION in $OPTIONS; do
GRUB_PARAM=$(echo $GRUB_OPTION | cut -d= -f 1) GRUB_PARAM=$(echo $GRUB_OPTION | cut -d= -f 1)
GRUB_VALUE=$(echo $GRUB_OPTION | cut -d= -f 2,3) GRUB_VALUE=$(echo $GRUB_OPTION | cut -d= -f 2,3)
debug "$GRUB_PARAM should be set to $GRUB_VALUE" debug "$GRUB_PARAM should be set to $GRUB_VALUE"
PATTERN="^$GRUB_PARAM=$GRUB_VALUE" PATTERN="^$GRUB_PARAM=$GRUB_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$PATTERN not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exists_in_file $FILE "^$GRUB_PARAM" does_pattern_exist_in_file $FILE "^$GRUB_PARAM"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
info "Parameter $GRUB_PARAM seems absent from $FILE, adding at the end" info "Parameter $GRUB_PARAM seems absent from $FILE, adding at the end"
add_end_of_file $FILE "$GRUB_PARAM = $GRUB_VALUE" add_end_of_file $FILE "$GRUB_PARAM = $GRUB_VALUE"
@ -62,7 +62,7 @@ apply () {
replace_in_file $FILE "^$GRUB_PARAM=.*" "$GRUB_PARAM=$GRUB_VALUE" replace_in_file $FILE "^$GRUB_PARAM=.*" "$GRUB_PARAM=$GRUB_VALUE"
fi fi
else else
ok "$PATTERN present in $FILE" ok "$PATTERN is present in $FILE"
fi fi
done done
} }
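Review bot: The fallback `add_end_of_file $FILE "$GRUB_PARAM = $GRUB_VALUE"` in apply() appends `PARAM = VALUE` with spaces around the `=`, but the check that drives this branch is `PATTERN="^$GRUB_PARAM=$GRUB_VALUE"` and the replace_in_file branch writes `$GRUB_PARAM=$GRUB_VALUE`, so after the append the next audit run still reports the option as missing and apply will append it again. If $FILE is a shell-sourced defaults file (it is set outside the hunk), the spaced form is also not a valid assignment. Change the line to `add_end_of_file $FILE "$GRUB_PARAM=$GRUB_VALUE"`. apply() continues past the hunk, and $FILE and $OPTIONS are defined outside it.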


@ -22,12 +22,12 @@ FILE='/etc/audit/audit.rules'
audit () { audit () {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE must be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exists_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file $FILE $AUDIT_VALUE
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
else else
ok "$AUDIT_VALUE present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi
done done
} }
@ -36,14 +36,14 @@ audit () {
apply () { apply () {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE must be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exists_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file $FILE $AUDIT_VALUE
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file $FILE $AUDIT_VALUE
eval $(pkill -HUP -P 1 auditd) eval $(pkill -HUP -P 1 auditd)
else else
ok "$AUDIT_VALUE present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi
done done
} }
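Review bot: `eval $(pkill -HUP -P 1 auditd)` in apply() evaluates pkill's stdout, which is empty, so the eval is a no-op and pkill's own exit status is dropped; if the signal fails, the rule just appended is never loaded while the next run reports it as present. Replace the line with `pkill -HUP -P 1 auditd || warn "could not signal auditd, $FILE not reloaded"`; whether SIGHUP makes auditd re-read $FILE depends on the auditd version and its init integration, so an explicit `auditctl -R $FILE` may be the more reliable reload, to be confirmed against the target distribution. The same line appears in the audit.rules sections at L1402, L1433, L1464, L1495 and L1526. `$AUDIT_VALUE` is also passed unquoted to does_pattern_exist_in_file and add_end_of_file; with IFS set to newline it will not split on spaces, but glob characters in a rule would still be expanded, so quoting it is cheaper than relying on IFS.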


@ -22,12 +22,12 @@ FILE='/etc/audit/audit.rules'
audit () { audit () {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE must be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exists_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file $FILE $AUDIT_VALUE
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
else else
ok "$AUDIT_VALUE present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi
done done
} }
@ -36,14 +36,14 @@ audit () {
apply () { apply () {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE must be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exists_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file $FILE $AUDIT_VALUE
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file $FILE $AUDIT_VALUE
eval $(pkill -HUP -P 1 auditd) eval $(pkill -HUP -P 1 auditd)
else else
ok "$AUDIT_VALUE present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi
done done
} }


@ -23,12 +23,12 @@ FILE='/etc/audit/audit.rules'
audit () { audit () {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE must be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exists_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file $FILE $AUDIT_VALUE
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
else else
ok "$AUDIT_VALUE present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi
done done
} }
@ -37,14 +37,14 @@ audit () {
apply () { apply () {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE must be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exists_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file $FILE $AUDIT_VALUE
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file $FILE $AUDIT_VALUE
eval $(pkill -HUP -P 1 auditd) eval $(pkill -HUP -P 1 auditd)
else else
ok "$AUDIT_VALUE present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi
done done
} }


@ -18,12 +18,12 @@ FILE='/etc/audit/audit.rules'
audit () { audit () {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE must be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exists_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file $FILE $AUDIT_VALUE
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
else else
ok "$AUDIT_VALUE present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi
done done
} }
@ -32,14 +32,14 @@ audit () {
apply () { apply () {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE must be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exists_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file $FILE $AUDIT_VALUE
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file $FILE $AUDIT_VALUE
eval $(pkill -HUP -P 1 auditd) eval $(pkill -HUP -P 1 auditd)
else else
ok "$AUDIT_VALUE present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi
done done
} }


@ -20,12 +20,12 @@ FILE='/etc/audit/audit.rules'
audit () { audit () {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE must be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exists_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file $FILE $AUDIT_VALUE
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
else else
ok "$AUDIT_VALUE present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi
done done
} }
@ -34,14 +34,14 @@ audit () {
apply () { apply () {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE must be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exists_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file $FILE $AUDIT_VALUE
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file $FILE $AUDIT_VALUE
eval $(pkill -HUP -P 1 auditd) eval $(pkill -HUP -P 1 auditd)
else else
ok "$AUDIT_VALUE present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi
done done
} }


@ -20,12 +20,12 @@ FILE='/etc/audit/audit.rules'
audit () { audit () {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE must be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exists_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file $FILE $AUDIT_VALUE
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE" crit "$AUDIT_VALUE is not in file $FILE"
else else
ok "$AUDIT_VALUE present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi
done done
} }
@ -34,14 +34,14 @@ audit () {
apply () { apply () {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE must be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exists_in_file $FILE $AUDIT_VALUE does_pattern_exist_in_file $FILE $AUDIT_VALUE
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it" warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE add_end_of_file $FILE $AUDIT_VALUE
eval $(pkill -HUP -P 1 auditd) eval $(pkill -HUP -P 1 auditd)
else else
ok "$AUDIT_VALUE present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi
done done
} }


@ -27,7 +27,7 @@ audit () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
crit "$FILE is not $USER:$GROUP ownership set" crit "$FILE ownership was not set to $USER:$GROUP"
fi fi
has_file_correct_permissions $FILE $PERMISSIONS has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
@ -51,7 +51,7 @@ apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
warn "$FILE is not $USER:$GROUP ownership set" warn "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE chown $USER:$GROUP $FILE
fi fi
has_file_correct_permissions $FILE $PERMISSIONS has_file_correct_permissions $FILE $PERMISSIONS
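Review bot: In apply(), `chown $USER:$GROUP $FILE` runs without checking its result, so a failed chown (read-only mount, immutable file, unknown user) leaves the file unchanged while the warn already printed "fixing ... ownership" and the function falls through to the permissions check. Use `chown "$USER:$GROUP" "$FILE" || crit "could not set $FILE ownership to $USER:$GROUP"`, or re-run the ownership check afterwards, so the failure is surfaced. USER is also the variable login shells export for the invoking account; the script's own assignment is outside the hunk, so a `: "${USER:?}"` guard near the top would make sure chown never silently targets the caller's user. The same unchecked chown appears in the sections at L1635, L1654, L1673, L1692, L1711, L1730, L1749 and L1993.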


@ -16,22 +16,22 @@ PATTERN='^destination.*(tcp|udp)[[:space:]]*\([[:space:]]*\".*\"[[:space:]]*\)'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $SYSLOG_BASEDIR/conf.d/*" FILES="$SYSLOG_BASEDIR/syslog-ng.conf $SYSLOG_BASEDIR/conf.d/*"
does_pattern_exists_in_file "$FILES" "$PATTERN" does_pattern_exist_in_file "$FILES" "$PATTERN"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$PATTERN not present in $FILES" crit "$PATTERN is not present in $FILES"
else else
ok "$PATTERN present in $FILES" ok "$PATTERN is present in $FILES"
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
FILES="$SYSLOG_BASEDIR/syslog-ng.conf $SYSLOG_BASEDIR/conf.d/*" FILES="$SYSLOG_BASEDIR/syslog-ng.conf $SYSLOG_BASEDIR/conf.d/*"
does_pattern_exists_in_file "$FILES" "$PATTERN" does_pattern_exist_in_file "$FILES" "$PATTERN"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$PATTERN not present in $FILES, please set a remote host to send your logs" crit "$PATTERN is not present in $FILES, please set a remote host to send your logs"
else else
ok "$PATTERN present in $FILES" ok "$PATTERN is present in $FILES"
fi fi
} }
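Review bot: `FILES="$SYSLOG_BASEDIR/syslog-ng.conf $SYSLOG_BASEDIR/conf.d/*"` stores a glob inside a double-quoted string, so whether `conf.d/*` is ever expanded depends on does_pattern_exist_in_file using its first argument unquoted (the helper is not in the hunk); if it quotes the argument, only a literal path ending in `*` is searched and a destination configured in a drop-in file is reported as missing. Expanding the glob in this file, e.g. `for f in "$SYSLOG_BASEDIR"/syslog-ng.conf "$SYSLOG_BASEDIR"/conf.d/*; do` and checking each file, removes the dependency on the helper's quoting. apply() only reports rather than remediating, which is reasonable for a remote log destination, but the message could state that no automatic fix is applied so the warn/crit levels stay meaningful.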


@ -16,28 +16,28 @@ PATTERN='tripwire --check'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
does_pattern_exists_in_file "$FILES" "$PATTERN" does_pattern_exist_in_file "$FILES" "$PATTERN"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$PATTERN not present in $FILES" crit "$PATTERN is not present in $FILES"
else else
ok "$PATTERN present in $FILES" ok "$PATTERN is present in $FILES"
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
does_pattern_exists_in_file "$FILES" "$PATTERN" does_pattern_exist_in_file "$FILES" "$PATTERN"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$PATTERN not present in $FILES, setting tripwire cron" warn "$PATTERN is not present in $FILES, setting tripwire cron"
echo "0 10 * * * root /usr/sbin/tripwire --check > /dev/shm/tripwire_check 2>&1 " > /etc/cron.d/CIS_8.3.2_tripwire echo "0 10 * * * root /usr/sbin/tripwire --check > /dev/shm/tripwire_check 2>&1 " > /etc/cron.d/CIS_8.3.2_tripwire
else else
ok "$PATTERN present in $FILES" ok "$PATTERN is present in $FILES"
fi fi
} }
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: :
} }
# Source Root Dir Parameter # Source Root Dir Parameter
@ -50,7 +50,7 @@ else
echo "No CIS_ROOT_DIR variable, aborting" echo "No CIS_ROOT_DIR variable, aborting"
exit 128 exit 128
fi fi
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
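Review bot: The cron line written in apply() sends the integrity-check report to `/dev/shm/tripwire_check`, a world-writable tmpfs that is cleared on reboot, so a root job writes its output into a directory shared with every local user and the report is gone before anyone reviews it. Point the redirection at a root-owned, persistent location, e.g. `> /var/log/tripwire_check 2>&1`, or the report directory the tripwire package already uses. The trailing space before the closing quote is harmless but is copied into the crontab verbatim. FILES, which both audit() and apply() search, is set outside the hunk.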


@ -22,7 +22,7 @@ audit () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
crit "$FILE is not $USER:$GROUP ownership set" crit "$FILE ownership was not set to $USER:$GROUP"
fi fi
has_file_correct_permissions $FILE $PERMISSIONS has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
@ -43,7 +43,7 @@ apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
warn "$FILE is not $USER:$GROUP ownership set" warn "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE chown $USER:$GROUP $FILE
fi fi
has_file_correct_permissions $FILE $PERMISSIONS has_file_correct_permissions $FILE $PERMISSIONS


@ -22,7 +22,7 @@ audit () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
crit "$FILE is not $USER:$GROUP ownership set" crit "$FILE ownership was not set to $USER:$GROUP"
fi fi
has_file_correct_permissions $FILE $PERMISSIONS has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
@ -43,7 +43,7 @@ apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
warn "$FILE is not $USER:$GROUP ownership set" warn "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE chown $USER:$GROUP $FILE
fi fi
has_file_correct_permissions $FILE $PERMISSIONS has_file_correct_permissions $FILE $PERMISSIONS


@ -22,7 +22,7 @@ audit () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
crit "$FILE is not $USER:$GROUP ownership set" crit "$FILE ownership was not set to $USER:$GROUP"
fi fi
has_file_correct_permissions $FILE $PERMISSIONS has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
@ -43,7 +43,7 @@ apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
warn "$FILE is not $USER:$GROUP ownership set" warn "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE chown $USER:$GROUP $FILE
fi fi
has_file_correct_permissions $FILE $PERMISSIONS has_file_correct_permissions $FILE $PERMISSIONS


@ -22,7 +22,7 @@ audit () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
crit "$FILE is not $USER:$GROUP ownership set" crit "$FILE ownership was not set to $USER:$GROUP"
fi fi
has_file_correct_permissions $FILE $PERMISSIONS has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
@ -43,7 +43,7 @@ apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
warn "$FILE is not $USER:$GROUP ownership set" warn "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE chown $USER:$GROUP $FILE
fi fi
has_file_correct_permissions $FILE $PERMISSIONS has_file_correct_permissions $FILE $PERMISSIONS


@ -22,7 +22,7 @@ audit () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
crit "$FILE is not $USER:$GROUP ownership set" crit "$FILE ownership was not set to $USER:$GROUP"
fi fi
has_file_correct_permissions $FILE $PERMISSIONS has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
@ -43,7 +43,7 @@ apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
warn "$FILE is not $USER:$GROUP ownership set" warn "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE chown $USER:$GROUP $FILE
fi fi
has_file_correct_permissions $FILE $PERMISSIONS has_file_correct_permissions $FILE $PERMISSIONS


@ -22,7 +22,7 @@ audit () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
crit "$FILE is not $USER:$GROUP ownership set" crit "$FILE ownership was not set to $USER:$GROUP"
fi fi
has_file_correct_permissions $FILE $PERMISSIONS has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
@ -43,7 +43,7 @@ apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
warn "$FILE is not $USER:$GROUP ownership set" warn "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE chown $USER:$GROUP $FILE
fi fi
has_file_correct_permissions $FILE $PERMISSIONS has_file_correct_permissions $FILE $PERMISSIONS


@ -36,7 +36,7 @@ audit () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
crit "$FILE is not $USER:$GROUP ownership set" crit "$FILE ownership was not set to $USER:$GROUP"
fi fi
has_file_correct_permissions $FILE $PERMISSIONS has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
@ -69,7 +69,7 @@ apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
warn "$FILE is not $USER:$GROUP ownership set" warn "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE chown $USER:$GROUP $FILE
fi fi
has_file_correct_permissions $FILE $PERMISSIONS has_file_correct_permissions $FILE $PERMISSIONS


@ -22,7 +22,7 @@ audit () {
crit "$PACKAGE is not installed!" crit "$PACKAGE is not installed!"
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
does_pattern_exists_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -40,7 +40,7 @@ apply () {
crit "$PACKAGE is absent, installing it" crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE apt_install $PACKAGE
fi fi
does_pattern_exists_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
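Review bot: `does_pattern_exist_in_file $FILE $PATTERN` passes $PATTERN unquoted in both audit() and apply(), unlike the SSH scripts on this page which pass `"$PATTERN"`; a pattern containing whitespace or `[[:space:]]*` is split into several arguments and the `*` is subject to glob expansion against the current directory, so the helper may search for something other than the intended expression. Quote it: `does_pattern_exist_in_file $FILE "$PATTERN"`. In apply(), `crit "$PACKAGE is absent, installing it"` reports a remediation step at crit level while the other apply() functions on this page use warn for the same situation; `warn` would keep the severity consistent. Both functions start outside the hunk; the same applies to the sections at L1787 and L1806.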


@ -22,7 +22,7 @@ audit () {
crit "$PACKAGE is not installed!" crit "$PACKAGE is not installed!"
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
does_pattern_exists_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -40,7 +40,7 @@ apply () {
crit "$PACKAGE is absent, installing it" crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE apt_install $PACKAGE
fi fi
does_pattern_exists_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else


@ -22,7 +22,7 @@ audit () {
crit "$PACKAGE is not installed!" crit "$PACKAGE is not installed!"
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
does_pattern_exists_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -40,7 +40,7 @@ apply () {
crit "$PACKAGE is absent, installing it" crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE apt_install $PACKAGE
fi fi
does_pattern_exists_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else


@ -26,7 +26,7 @@ audit () {
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -49,12 +49,12 @@ apply () {
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exists_in_file $FILE "^$SSH_PARAM" does_pattern_exist_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else else
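Review bot: `PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"` has no end anchor, so the audit passes whenever the wanted value is a prefix of the configured one (a wanted `no` also matches a configured `none`, a wanted `4` matches `40`), and `[[:space:]]*` accepts zero separators between keyword and value. Anchoring the value, `PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE[[:space:]]*$"`, is valid in both BRE and ERE and closes the gap, assuming the helper treats its argument as a regex as the existing pattern already requires. In apply(), `add_end_of_file` appends the directive at the very end of $FILE; if the file ends with a `Match` block the new line falls inside that block and applies only to the matched users, and sshd honours the first occurrence of a keyword, so inserting before the first `Match` line is the safer placement to confirm against the target sshd_config. The same pattern and append logic are in the sections at L1849, L1873, L1897, L1945, L1969 and L2012.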


@ -26,7 +26,7 @@ audit () {
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -49,12 +49,12 @@ apply () {
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exists_in_file $FILE "^$SSH_PARAM" does_pattern_exist_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else else


@ -26,7 +26,7 @@ audit () {
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -49,12 +49,12 @@ apply () {
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exists_in_file $FILE "^$SSH_PARAM" does_pattern_exist_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else else


@ -27,7 +27,7 @@ audit () {
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
SSH_VALUE=$(sed "s/'//g" <<< $SSH_VALUE) SSH_VALUE=$(sed "s/'//g" <<< $SSH_VALUE)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -51,12 +51,12 @@ apply () {
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
SSH_VALUE=$(sed "s/'//g" <<< $SSH_VALUE) SSH_VALUE=$(sed "s/'//g" <<< $SSH_VALUE)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exists_in_file $FILE "^$SSH_PARAM" does_pattern_exist_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else else


@ -25,7 +25,7 @@ audit () {
for SSH_OPTION in $OPTIONS; do for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
PATTERN="^$SSH_PARAM[[:space:]]*" PATTERN="^$SSH_PARAM[[:space:]]*"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -48,12 +48,12 @@ apply () {
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exists_in_file $FILE "^$SSH_PARAM" does_pattern_exist_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else else
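Review bot: audit() builds `PATTERN="^$SSH_PARAM[[:space:]]*"` from the parameter name only, so it reports ok as soon as the keyword is present with any value, while apply() in the same file checks `^$SSH_PARAM[[:space:]]*$SSH_VALUE` and will rewrite the line; an audit run therefore cannot detect the misconfiguration that apply would fix. Unless this check is intentionally presence-only (the OPTIONS list is outside the hunk, so that is not visible here), audit() should use the same value-carrying pattern as apply(), i.e. add `SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)` and `PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"`. Both functions start and end outside the hunk.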


@ -26,7 +26,7 @@ audit () {
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -49,12 +49,12 @@ apply () {
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exists_in_file $FILE "^$SSH_PARAM" does_pattern_exist_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else else


@ -26,7 +26,7 @@ audit () {
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -49,12 +49,12 @@ apply () {
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exists_in_file $FILE "^$SSH_PARAM" does_pattern_exist_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else else


@ -22,7 +22,7 @@ audit () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
crit "$FILE is not $USER:$GROUP ownership set" crit "$FILE ownership was not set to $USER:$GROUP"
fi fi
has_file_correct_permissions $FILE $PERMISSIONS has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
@ -43,7 +43,7 @@ apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership" ok "$FILE has correct ownership"
else else
warn "$FILE is not $USER:$GROUP ownership set" warn "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE chown $USER:$GROUP $FILE
fi fi
has_file_correct_permissions $FILE $PERMISSIONS has_file_correct_permissions $FILE $PERMISSIONS


@ -26,7 +26,7 @@ audit () {
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -49,12 +49,12 @@ apply () {
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exists_in_file $FILE "^$SSH_PARAM" does_pattern_exist_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else else
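Review bot: `PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"` on the third line of both hunks is only a prefix match, so a `MaxAuthTries 40` line satisfies a check for `MaxAuthTries=4` and a `Protocol 21` line one for `Protocol=2`; anchoring the end with `PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE[[:space:]]*$"` closes that, assuming does_pattern_exist_in_file greps the pattern as a regex (its body is outside this view). `SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)` also drops everything after a second `=` in the option; `cut -d= -f 2-` keeps the remainder. Since sshd honours the first occurrence of a directive, finding a matching line anywhere in the file is not proof the daemon applies it when an earlier conflicting line exists, which is worth a comment or a first-match check. The same two hunks recur in the five following file sections; the apply function continues below the hunk.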


@ -26,7 +26,7 @@ audit () {
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -49,12 +49,12 @@ apply () {
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exists_in_file $FILE "^$SSH_PARAM" does_pattern_exist_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else else


@ -26,7 +26,7 @@ audit () {
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -49,12 +49,12 @@ apply () {
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exists_in_file $FILE "^$SSH_PARAM" does_pattern_exist_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else else


@ -26,7 +26,7 @@ audit () {
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -49,12 +49,12 @@ apply () {
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exists_in_file $FILE "^$SSH_PARAM" does_pattern_exist_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else else


@ -26,7 +26,7 @@ audit () {
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -49,12 +49,12 @@ apply () {
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exists_in_file $FILE "^$SSH_PARAM" does_pattern_exist_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else else


@ -26,7 +26,7 @@ audit () {
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -49,12 +49,12 @@ apply () {
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exists_in_file $FILE "$PATTERN" does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN not present in $FILE, adding it" warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exists_in_file $FILE "^$SSH_PARAM" does_pattern_exist_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else else


@ -22,7 +22,7 @@ audit () {
crit "$PACKAGE is not installed!" crit "$PACKAGE is not installed!"
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
does_pattern_exists_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -40,7 +40,7 @@ apply () {
crit "$PACKAGE is absent, installing it" crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE apt_install $PACKAGE
fi fi
does_pattern_exists_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
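Review bot: `does_pattern_exist_in_file $FILE $PATTERN` on the new side of both hunks passes `$PATTERN` unquoted, unlike the SSH checks in this same commit which pass `"$PATTERN"`; a pattern containing whitespace or glob characters is split or expanded before the helper sees it, so quote both arguments: `does_pattern_exist_in_file "$FILE" "$PATTERN"`. The apply hunk also reports the missing package with `crit` while every other apply branch in this commit uses `warn` for a condition it is about to remediate; `warn "$PACKAGE is absent, installing it"` would keep the severity levels consistent between audit and apply. Both functions continue outside their hunks.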


@ -19,26 +19,26 @@ FILE='/etc/profile.d/CIS_99.1_timeout.sh'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
does_pattern_exists_in_file "$FILES_TO_SEARCH" "^$PATTERN" does_pattern_exist_in_file "$FILES_TO_SEARCH" "^$PATTERN"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$PATTERN not present in $FILES_TO_SEARCH" crit "$PATTERN is not present in $FILES_TO_SEARCH"
else else
ok "$PATTERN present in $FILES_TO_SEARCH" ok "$PATTERN is present in $FILES_TO_SEARCH"
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
does_pattern_exists_in_file "$FILES_TO_SEARCH" "^$PATTERN" does_pattern_exist_in_file "$FILES_TO_SEARCH" "^$PATTERN"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$PATTERN not present in $FILES_TO_SEARCH" warn "$PATTERN is not present in $FILES_TO_SEARCH"
touch $FILE touch $FILE
chmod 644 $FILE chmod 644 $FILE
add_end_of_file $FILE "$PATTERN$VALUE" add_end_of_file $FILE "$PATTERN$VALUE"
add_end_of_file $FILE "readonly TMOUT" add_end_of_file $FILE "readonly TMOUT"
add_end_of_file $FILE "export TMOUT" add_end_of_file $FILE "export TMOUT"
else else
ok "$PATTERN present in $FILES_TO_SEARCH" ok "$PATTERN is present in $FILES_TO_SEARCH"
fi fi
} }
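Review bot: Both audit and apply test only `"^$PATTERN"` while apply writes `"$PATTERN$VALUE"`, so any line beginning with the pattern — including one setting a weaker or zero timeout — passes the audit and is left untouched by apply. If `PATTERN` is the `TMOUT=` prefix and `VALUE` the intended number (both are defined above the hunk), checking `"^$PATTERN$VALUE[[:space:]]*$"` in both functions would verify the value rather than just the variable name, and the apply `else` branch would then need to handle the present-but-wrong case instead of reporting ok. The udev section below performs the same prefix-only check.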


@ -18,19 +18,19 @@ FILE='/etc/udev/rules.d/10-CIS_99.2_usb_devices.sh'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
does_pattern_exists_in_file "$FILES_TO_SEARCH" "^$PATTERN" does_pattern_exist_in_file "$FILES_TO_SEARCH" "^$PATTERN"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$PATTERN not present in $FILES_TO_SEARCH" crit "$PATTERN is not present in $FILES_TO_SEARCH"
else else
ok "$PATTERN present in $FILES_TO_SEARCH" ok "$PATTERN is present in $FILES_TO_SEARCH"
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
does_pattern_exists_in_file "$FILES_TO_SEARCH" "^$PATTERN" does_pattern_exist_in_file "$FILES_TO_SEARCH" "^$PATTERN"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
warn "$PATTERN not present in $FILES_TO_SEARCH" warn "$PATTERN is not present in $FILES_TO_SEARCH"
touch $FILE touch $FILE
chmod 644 $FILE chmod 644 $FILE
add_end_of_file $FILE ' add_end_of_file $FILE '
@ -47,7 +47,7 @@ ACTION=="add", ATTR{product}=="*[Kk]eyboard*", TEST=="authorized", ATTR{authoriz
ACTION=="add", ATTR{product}=="*Thinnet TM*", TEST=="authorized", ATTR{authorized}="1" ACTION=="add", ATTR{product}=="*Thinnet TM*", TEST=="authorized", ATTR{authorized}="1"
' '
else else
ok "$PATTERN present in $FILES_TO_SEARCH" ok "$PATTERN is present in $FILES_TO_SEARCH"
fi fi
} }
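Review bot: The hunk header shows the rules being written to `/etc/udev/rules.d/10-CIS_99.2_usb_devices.sh`, but udev only loads files ending in `.rules` from that directory, so the file apply creates is never read and the USB restriction is not enforced even though audit then reports it as present. Renaming `FILE` to `/etc/udev/rules.d/10-CIS_99.2_usb_devices.rules` (with `FILES_TO_SEARCH`, defined above the hunk, updated to match) makes the remediation effective; whether a rules reload is also needed after writing depends on the udev version and is worth a comment. The rule text itself is cut between the two apply hunks, so only its tail is visible here.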

7
debian/changelog vendored

@ -1,3 +1,10 @@
cis-hardening (1.0-8) wheezy; urgency=low
* phrasing reworked all over the place
* added debian dependencies bash and bc
-- Kevin Tanguy <kevin.tanguy@ovh.net> Tue, 26 Apr 2016 10:26:18 +0200
cis-hardening (1.0-7) wheezy; urgency=low cis-hardening (1.0-7) wheezy; urgency=low
* Fixed 6.15 netstat analysis * Fixed 6.15 netstat analysis

2
debian/control vendored

@ -10,7 +10,7 @@ Vcs-Browser: https://github.com/ovh/debian-cis/
Package: cis-hardening Package: cis-hardening
Architecture: all Architecture: all
Depends: ${shlibs:Depends}, ${misc:Depends} Depends: ${shlibs:Depends}, ${misc:Depends}, bash, bc
Description: Suite of configurable scripts to audit or harden a Debian Wheezy. Description: Suite of configurable scripts to audit or harden a Debian Wheezy.
Modular Debian 7 security hardening scripts based on cisecurity.org Modular Debian 7 security hardening scripts based on cisecurity.org
⟨cisecurity.org⟩ recommendations. We use it at OVH ⟨https://ovh.com⟩ to ⟨cisecurity.org⟩ recommendations. We use it at OVH ⟨https://ovh.com⟩ to


@ -48,7 +48,7 @@ set_sysctl_param() {
# Dmesg # Dmesg
# #
does_pattern_exists_in_dmesg() { does_pattern_exist_in_dmesg() {
local PATTERN=$1 local PATTERN=$1
if $(dmesg | grep -qE "$PATTERN"); then if $(dmesg | grep -qE "$PATTERN"); then
FNRET=0 FNRET=0
@ -95,7 +95,7 @@ has_file_correct_permissions() {
fi fi
} }
does_pattern_exists_in_file() { does_pattern_exist_in_file() {
local FILE=$1 local FILE=$1
local PATTERN=$2 local PATTERN=$2