elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2025-06-22 02:33:42 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add sudo management in main and utils

Browse Source 
* perform readonly checks as a regular user
    * sudo -n is used for checks requiring root privileges
    * increase accountability by providing log of individual access to sensitive files
This commit is contained in:
Charles Herlin
2017-11-09 15:45:42 +01:00
parent a3937b3183
commit b1f85d3f99
30 changed files with 187 additions and 53 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
bin/hardening.sh
View File

@ -22,6 +22,7 @@ AUDIT_ALL=0
AUDIT_ALL_ENABLE_PASSED=0
ALLOW_SERVICE_LIST=0
SET_HARDENING_LEVEL=0
SUDO_MODE=''
usage() {
cat << EOF
@ -83,6 +84,13 @@ OPTIONS:
The test number is the numbered prefix of the script,
i.e. the test number of 1.2_script_name.sh is 1.2.
--sudo
This option lets you audit your system as a normal user, but allows sudo
escalation to gain read-only access to root files. Note that you need to
provide a sudoers file with NOPASSWD option in /etc/sudoers.d/ because
the '-n' option instructs sudo not to prompt for a password.
Finally note that '--sudo' mode only works for audit mode.
EOF
exit 0
}
@ -124,6 +132,9 @@ while [[ $# > 0 ]]; do
TEST_LIST[${#TEST_LIST[@]}]="$2"
shift
;;
--sudo)
SUDO_MODE='--sudo'
;;
-h|--help)
usage
;;
@ -197,14 +208,14 @@ for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
info "Treating $SCRIPT"
if [ $AUDIT = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit"
$SCRIPT --audit
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit $SUDO_MODE"
$SCRIPT --audit $SUDO_MODE
elif [ $AUDIT_ALL = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all"
$SCRIPT --audit-all
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE"
$SCRIPT --audit-all $SUDO_MODE
elif [ $AUDIT_ALL_ENABLE_PASSED = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all"
$SCRIPT --audit-all
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit-all $SUDO_MODE"
$SCRIPT --audit-all $SUDO_MODE
elif [ $APPLY = 1 ]; then
debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT"
$SCRIPT

2
bin/hardening/12.10_find_suid_files.sh
View File

@ -16,7 +16,7 @@ HARDENING_LEVEL=2
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if there are suid files"
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000 -print)
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -type f -perm -4000 -print)
for BINARY in $RESULT; do
if grep -q $BINARY <<< "$EXCEPTIONS"; then
debug "$BINARY is confirmed as an exception"

2
bin/hardening/12.11_find_sgid_files.sh
View File

@ -16,7 +16,7 @@ HARDENING_LEVEL=2
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if there are sgid files"
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000 -print)
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -type f -perm -2000 -print)
for BINARY in $RESULT; do
if grep -q $BINARY <<< "$EXCEPTIONS"; then
debug "$BINARY is confirmed as an exception"

2
bin/hardening/12.7_find_world_writable_file.sh
View File

@ -16,7 +16,7 @@ HARDENING_LEVEL=3
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if there are world writable files"
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then
crit "Some world writable files are present"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')

2
bin/hardening/12.8_find_unowned_files.sh
View File

@ -18,7 +18,7 @@ USER='root'
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if there are unowned files"
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null)
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -nouser -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then
crit "Some unowned files are present"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')

2
bin/hardening/12.9_find_ungrouped_files.sh
View File

@ -18,7 +18,7 @@ GROUP='root'
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if there are ungrouped files"
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null)
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -nogroup -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then
crit "Some ungrouped files are present"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')

2
bin/hardening/13.1_remove_empty_password_field.sh
View File

@ -18,7 +18,7 @@ FILE='/etc/shadow'
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if accounts have an empty password"
RESULT=$(cat $FILE | awk -F: '($2 == "" ) { print $1 }')
RESULT=$($SUDO_CMD cat $FILE | awk -F: '($2 == "" ) { print $1 }')
if [ ! -z "$RESULT" ]; then
crit "Some accounts have an empty password"
crit $RESULT

2
bin/hardening/13.3_remove_legacy_shadow_entries.sh
View File

@ -19,7 +19,7 @@ RESULT=''
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if accounts have a legacy password entry"
if grep '^+:' $FILE -q; then
if $SUDO_CMD grep '^+:' $FILE -q; then
RESULT=$(grep '^+:' $FILE)
crit "Some accounts have a legacy password entry"
crit $RESULT

2
bin/hardening/2.17_sticky_bit_world_writable_folder.sh
View File

@ -16,7 +16,7 @@ HARDENING_LEVEL=2
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if setuid is set on world writable Directories"
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then
crit "Some world writable directories are not on sticky bit mode!"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')

2
bin/hardening/4.2_enable_nx_support.sh
View File

@ -19,7 +19,7 @@ PATTERN='NX[[:space:]]\(Execute[[:space:]]Disable\)[[:space:]]protection:[[:spac
nx_supported_and_enabled() {
if grep -q ' nx ' /proc/cpuinfo; then
# NX supported, but if noexec=off specified, it's not enabled
if grep -qi 'noexec=off' /proc/cmdline; then
if $SUDO_CMD grep -qi 'noexec=off' /proc/cmdline; then
FNRET=1 # supported but disabled
else
FNRET=0 # supported and enabled

2
bin/hardening/6.15_mta_localhost.sh
View File

@ -17,7 +17,7 @@ HARDENING_EXCEPTION=mail
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking netport ports opened"
RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]") || :
RESULT=$($SUDO_CMD netstat -an | grep LIST | grep ":25[[:space:]]") || :
RESULT=${RESULT:-}
debug "Result is $RESULT"
if [ -z "$RESULT" ]; then

8
bin/hardening/8.1.10_record_dac_edit.sh
View File

@ -23,16 +23,22 @@ FILE='/etc/audit/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit () {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE
IFS=$c_IFS
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will be called if the script status is on enabled mode

8
bin/hardening/8.1.11_record_failed_access_file.sh
View File

@ -21,16 +21,22 @@ FILE='/etc/audit/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit () {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE
IFS=$c_IFS
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will be called if the script status is on enabled mode

11
bin/hardening/8.1.12_record_privileged_commands.sh
View File

@ -14,23 +14,30 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4
# Find all files with setuid or setgid set
AUDIT_PARAMS=$(find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print \
SUDO_CMD='sudo -n'
AUDIT_PARAMS=$($SUDO_CMD find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print \
"-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 \
-k privileged" }')
FILE='/etc/audit/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit () {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE
IFS=$c_IFS
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will be called if the script status is on enabled mode

8
bin/hardening/8.1.13_record_successful_mount.sh
View File

@ -19,16 +19,22 @@ FILE='/etc/audit/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit () {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE
IFS=$c_IFS
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will be called if the script status is on enabled mode

8
bin/hardening/8.1.14_record_file_deletions.sh
View File

@ -19,16 +19,22 @@ FILE='/etc/audit/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit () {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE
IFS=$c_IFS
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will be called if the script status is on enabled mode

8
bin/hardening/8.1.15_record_sudoers_edit.sh
View File

@ -19,16 +19,22 @@ FILE='/etc/audit/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit () {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE
IFS=$c_IFS
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will be called if the script status is on enabled mode

8
bin/hardening/8.1.16_record_sudo_usage.sh
View File

@ -18,16 +18,22 @@ FILE='/etc/audit/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit () {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE
IFS=$c_IFS
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will be called if the script status is on enabled mode

8
bin/hardening/8.1.17_record_kernel_modules.sh
View File

@ -21,16 +21,22 @@ FILE='/etc/audit/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit () {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE
IFS=$c_IFS
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will be called if the script status is on enabled mode

8
bin/hardening/8.1.18_freeze_auditd_conf.sh
View File

@ -18,16 +18,22 @@ FILE='/etc/audit/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit () {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE
IFS=$c_IFS
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will be called if the script status is on enabled mode

8
bin/hardening/8.1.4_record_date_time_edit.sh
View File

@ -22,16 +22,22 @@ FILE='/etc/audit/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit () {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE
IFS=$c_IFS
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will be called if the script status is on enabled mode

8
bin/hardening/8.1.5_record_user_group_edit.sh
View File

@ -22,16 +22,22 @@ FILE='/etc/audit/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit () {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE
IFS=$c_IFS
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will be called if the script status is on enabled mode

8
bin/hardening/8.1.6_record_network_edit.sh
View File

@ -23,16 +23,22 @@ FILE='/etc/audit/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit () {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE
IFS=$c_IFS
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will be called if the script status is on enabled mode

8
bin/hardening/8.1.7_record_mac_edit.sh
View File

@ -18,16 +18,22 @@ FILE='/etc/audit/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit () {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE
IFS=$c_IFS
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will be called if the script status is on enabled mode

8
bin/hardening/8.1.8_record_login_logout.sh
View File

@ -20,16 +20,22 @@ FILE='/etc/audit/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit () {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE
IFS=$c_IFS
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will be called if the script status is on enabled mode

8
bin/hardening/8.1.9_record_session_init.sh
View File

@ -20,16 +20,22 @@ FILE='/etc/audit/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit () {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS
does_pattern_exist_in_file $FILE $AUDIT_VALUE
IFS=$c_IFS
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will be called if the script status is on enabled mode