mirror of
https://github.com/ovh/debian-cis.git
synced 2024-12-23 14:35:26 +01:00
13.1_remove_empty_password_field.sh 13.2_remove_legacy_passwd_entries.sh 13.3_remove_legacy_shadow_entries.sh 13.4_remove_legacy_group_entries.sh 13.5_find_0_uid_non_root_account.sh 13.6_sanitize_root_path.sh
This commit is contained in:
parent
dbc24bb8d7
commit
b24a415dce
@ -6,7 +6,7 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 10.1.3 Set Password Expiring Warning Days (Scored)
|
||||
# 10.3 Set Default Group for root Account (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
|
@ -6,7 +6,7 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 10.4 Set Default umask for Users (Scored)
|
||||
# 10.5 Lock Inactive User Accounts (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
|
@ -17,7 +17,7 @@ FILE='/etc/shadow'
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Checking if accounts have empty passwords"
|
||||
RESULT=$(/bin/cat $FILE | /usr/bin/awk -F: '($2 == "" ) { print $1 }')
|
||||
RESULT=$(cat $FILE | awk -F: '($2 == "" ) { print $1 }')
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
crit "Some accounts have empty passwords"
|
||||
crit $RESULT
|
||||
@ -28,7 +28,7 @@ audit () {
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
RESULT=$(/bin/cat $FILE | /usr/bin/awk -F: '($2 == "" ) { print $1 }')
|
||||
RESULT=$(cat $FILE | awk -F: '($2 == "" ) { print $1 }')
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
warn "Some accounts have empty passwords"
|
||||
for ACCOUNT in $RESULT; do
|
61
bin/hardening/13.2_remove_legacy_passwd_entries.sh
Executable file
61
bin/hardening/13.2_remove_legacy_passwd_entries.sh
Executable file
@ -0,0 +1,61 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
|
||||
#
|
||||
|
||||
#
|
||||
# 13.2 Verify No Legacy "+" Entries Exist in /etc/passwd File (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
FILE='/etc/passwd'
|
||||
RESULT=''
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Checking if accounts have empty passwords"
|
||||
if grep '^+:' $FILE -q; then
|
||||
RESULT=$(grep '^+:' $FILE)
|
||||
crit "Some accounts have legacy password entry"
|
||||
crit $RESULT
|
||||
else
|
||||
ok "All accounts have a valid password entry format"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if grep '^+:' $FILE -q; then
|
||||
RESULT=$(grep '^+:' $FILE)
|
||||
warn "Some accounts have legacy password entry"
|
||||
for LINE in $RESULT; do
|
||||
info "Removing $LINE from $FILE"
|
||||
delete_line_in_file $FILE $LINE
|
||||
done
|
||||
else
|
||||
ok "All accounts have a valid password entry format"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
61
bin/hardening/13.3_remove_legacy_shadow_entries.sh
Executable file
61
bin/hardening/13.3_remove_legacy_shadow_entries.sh
Executable file
@ -0,0 +1,61 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
|
||||
#
|
||||
|
||||
#
|
||||
# 13.3 Verify No Legacy "+" Entries Exist in /etc/shadow File (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
FILE='/etc/shadow'
|
||||
RESULT=''
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Checking if accounts have empty passwords"
|
||||
if grep '^+:' $FILE -q; then
|
||||
RESULT=$(grep '^+:' $FILE)
|
||||
crit "Some accounts have legacy password entry"
|
||||
crit $RESULT
|
||||
else
|
||||
ok "All accounts have a valid password entry format"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if grep '^+:' $FILE -q; then
|
||||
RESULT=$(grep '^+:' $FILE)
|
||||
warn "Some accounts have legacy password entry"
|
||||
for LINE in $RESULT; do
|
||||
info "Removing $LINE from $FILE"
|
||||
delete_line_in_file $FILE $LINE
|
||||
done
|
||||
else
|
||||
ok "All accounts have a valid password entry format"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
61
bin/hardening/13.4_remove_legacy_group_entries.sh
Executable file
61
bin/hardening/13.4_remove_legacy_group_entries.sh
Executable file
@ -0,0 +1,61 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
|
||||
#
|
||||
|
||||
#
|
||||
# 13.4 Verify No Legacy "+" Entries Exist in /etc/group File (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
FILE='/etc/group'
|
||||
RESULT=''
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Checking if accounts have empty passwords"
|
||||
if grep '^+:' $FILE -q; then
|
||||
RESULT=$(grep '^+:' $FILE)
|
||||
crit "Some accounts have legacy password entry"
|
||||
crit $RESULT
|
||||
else
|
||||
ok "All accounts have a valid password entry format"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if grep '^+:' $FILE -q; then
|
||||
RESULT=$(grep '^+:' $FILE)
|
||||
warn "Some accounts have legacy password entry"
|
||||
for LINE in $RESULT; do
|
||||
info "Removing $LINE from $FILE"
|
||||
delete_line_in_file $FILE $LINE
|
||||
done
|
||||
else
|
||||
ok "All accounts have a valid password entry format"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
65
bin/hardening/13.5_find_0_uid_non_root_account.sh
Executable file
65
bin/hardening/13.5_find_0_uid_non_root_account.sh
Executable file
@ -0,0 +1,65 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
|
||||
#
|
||||
|
||||
#
|
||||
# 13.5 Verify No UID 0 Accounts Exist Other Than root (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
FILE='/etc/passwd'
|
||||
RESULT=''
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Checking if accounts have uid 0"
|
||||
RESULT=$(cat $FILE | awk -F: '($3 == 0 && $1!="root" ) { print $1 }')
|
||||
for ACCOUNT in $RESULT; do
|
||||
debug "Account : $ACCOUNT"
|
||||
debug "Exceptions : $EXCEPTIONS"
|
||||
debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT"
|
||||
if echo "$EXCEPTIONS" | grep -q $ACCOUNT; then
|
||||
debug "$ACCOUNT is confirmed as an exception"
|
||||
RESULT=$(sed "s!$ACCOUNT!!" <<< "$RESULT")
|
||||
else
|
||||
debug "$ACCOUNT not found in exceptions"
|
||||
fi
|
||||
done
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
crit "Some accounts have uid 0"
|
||||
crit $RESULT
|
||||
else
|
||||
ok "No account with suid 0 apart root"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
info "Removing accounts with uid 0 may seriously harm your system, report only here"
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
if [ -z "$EXCEPTIONS" ]; then
|
||||
EXCEPTIONS="@"
|
||||
fi
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
84
bin/hardening/13.6_sanitize_root_path.sh
Executable file
84
bin/hardening/13.6_sanitize_root_path.sh
Executable file
@ -0,0 +1,84 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
|
||||
#
|
||||
|
||||
#
|
||||
# 13.6 Ensure root PATH Integrity (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
ERRORS=0
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
if [ "`echo $PATH | grep :: `" != "" ]; then
|
||||
crit "Empty Directory in PATH (::)"
|
||||
ERRORS=$((ERRORS+1))
|
||||
fi
|
||||
if [ "`echo $PATH | grep :$`" != "" ]; then
|
||||
crit "Trailing : in PATH $PATH"
|
||||
ERRORS=$((ERRORS+1))
|
||||
fi
|
||||
FORMATTED_PATH=$(echo $PATH | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g')
|
||||
set -- $FORMATTED_PATH
|
||||
while [ "${1:-}" != "" ]; do
|
||||
if [ "$1" = "." ]; then
|
||||
crit "PATH contains ."
|
||||
ERRORS=$((ERRORS+1))
|
||||
else
|
||||
if [ -d $1 ]; then
|
||||
dirperm=$(ls -ldH $1 | cut -f1 -d" ")
|
||||
if [ $(echo $dirperm | cut -c6 ) != "-" ]; then
|
||||
crit "Group Write permission set on directory $1"
|
||||
ERRORS=$((ERRORS+1))
|
||||
fi
|
||||
if [ $(echo $dirperm | cut -c9 ) != "-" ]; then
|
||||
crit "Other Write permission set on directory $1"
|
||||
ERRORS=$((ERRORS+1))
|
||||
fi
|
||||
dirown=$(ls -ldH $1 | awk '{print $3}')
|
||||
if [ "$dirown" != "root" ] ; then
|
||||
crit "$1 is not owned by root"
|
||||
ERRORS=$((ERRORS+1))
|
||||
fi
|
||||
else
|
||||
crit "$1 is not a directory"
|
||||
ERRORS=$((ERRORS+1))
|
||||
fi
|
||||
fi
|
||||
shift
|
||||
done
|
||||
|
||||
if [ $ERRORS = 0 ]; then
|
||||
ok "root PATH is secure"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
info "Editing items from PATH may seriously harm your system, report only here"
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
16
bin/hardenning.sh
Normal file
16
bin/hardenning.sh
Normal file
@ -0,0 +1,16 @@
|
||||
#!/bin/bash
|
||||
|
||||
# CIs Deb
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
|
||||
#
|
||||
|
||||
#
|
||||
# Main script : Execute hardening considering configuration
|
||||
#
|
||||
|
||||
# Execute blindly binaries
|
||||
# Audit mode
|
||||
|
||||
# ls | sort -n
|
2
etc/conf.d/13.2_remove_legacy_passwd_entries.cfg
Normal file
2
etc/conf.d/13.2_remove_legacy_passwd_entries.cfg
Normal file
@ -0,0 +1,2 @@
|
||||
# Configuration for script of same name
|
||||
status=enabled
|
2
etc/conf.d/13.3_remove_legacy_shadow_entries.cfg
Normal file
2
etc/conf.d/13.3_remove_legacy_shadow_entries.cfg
Normal file
@ -0,0 +1,2 @@
|
||||
# Configuration for script of same name
|
||||
status=enabled
|
2
etc/conf.d/13.4_remove_legacy_group_entries.cfg
Normal file
2
etc/conf.d/13.4_remove_legacy_group_entries.cfg
Normal file
@ -0,0 +1,2 @@
|
||||
# Configuration for script of same name
|
||||
status=enabled
|
4
etc/conf.d/13.5_find_0_uid_non_root_account.cfg
Normal file
4
etc/conf.d/13.5_find_0_uid_non_root_account.cfg
Normal file
@ -0,0 +1,4 @@
|
||||
# Configuration for script of same name
|
||||
status=enabled
|
||||
# Put here valid accounts with uid 0 separated by spaces
|
||||
EXCEPTIONS=""
|
2
etc/conf.d/13.6_sanitize_root_path.cfg
Normal file
2
etc/conf.d/13.6_sanitize_root_path.cfg
Normal file
@ -0,0 +1,2 @@
|
||||
# Configuration for script of same name
|
||||
status=enabled
|
@ -125,7 +125,7 @@ add_line_file_before_pattern() {
|
||||
|
||||
backup_file "$FILE"
|
||||
debug "Inserting $LINE before $PATTERN in $FILE"
|
||||
PATTERN=$(sed 's@/@\/@g' <<< $PATTERN)
|
||||
PATTERN=$(sed 's@/@\\\/@g' <<< $PATTERN)
|
||||
debug "sed -i '/$PATTERN/i $LINE' $FILE"
|
||||
sed -i "/$PATTERN/i $LINE" $FILE
|
||||
FNRET=0
|
||||
@ -138,7 +138,7 @@ replace_in_file() {
|
||||
|
||||
backup_file "$FILE"
|
||||
debug "Replacing $SOURCE to $DESTINATION in $FILE"
|
||||
SOURCE=$(sed 's@/@\/@g' <<< $SOURCE)
|
||||
SOURCE=$(sed 's@/@\\\/@g' <<< $PATTERN)
|
||||
debug "sed -i 's/$SOURCE/$DESTINATION/g' $FILE"
|
||||
sed -i "s/$SOURCE/$DESTINATION/g" $FILE
|
||||
FNRET=0
|
||||
@ -150,7 +150,7 @@ delete_line_in_file() {
|
||||
|
||||
backup_file "$FILE"
|
||||
debug "Deleting lines from $FILE containing $PATTERN"
|
||||
PATTERN=$(sed 's@/@\/@g' <<< $PATTERN)
|
||||
PATTERN=$(sed 's@/@\\\/@g' <<< $PATTERN)
|
||||
debug "sed -i '/$PATTERN/d' $FILE"
|
||||
sed -i "/$PATTERN/d" $FILE
|
||||
FNRET=0
|
||||
|
Loading…
Reference in New Issue
Block a user