
Merge pull request from speed47/dev/enhancements

Hardening Classification
subs enhancements as well as bug fixes
This commit is contained in:
Thibault Dewailly 2017-09-28 13:22:59 +02:00 committed by GitHub
commit b6aba4cc88
386 changed files with 701 additions and 449 deletions


@ -2,6 +2,7 @@ Contributors of this project :
Developers :
Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
Stéphane Lesimple, OVH <stephane.lesimple@corp.ovh.com>
Debian package maintainers :
Kevin Tanguy, OVH <kevin.tanguy@corp.ovh.com>


@ -20,11 +20,13 @@ AUDIT=0
APPLY=0
AUDIT_ALL=0
AUDIT_ALL_ENABLE_PASSED=0
ALLOW_SERVICE_LIST=0
SET_HARDENING_LEVEL=0
CIS_ROOT_DIR=''
usage() {
cat << EOF
$LONG_SCRIPT_NAME RUN_MODE, where RUN_MODE is one of:
$LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
--help -h
Show this help
@ -53,6 +55,35 @@ $LONG_SCRIPT_NAME RUN_MODE, where RUN_MODE is one of:
Don't run this if you have already customized the scripts enable/disable
configurations, obviously.
--set-hardening-level <level>
Modifies the configuration to enable/disable tests given an hardening level,
between 1 to 5. Don't run this if you have already customized the scripts
enable/disable configurations.
1: very basic policy, failure to pass tests at this level indicates severe
misconfiguration of the machine that can have a huge security impact
2: basic policy, some good practice rules that, once applied, shouldn't
break anything on most systems
3: best practices policy, passing all tests might need some configuration
modifications (such as specific partitioning, etc.)
4: high security policy, passing all tests might be time-consuming and
require high adaptation of your workflow
5: placebo, policy rules that might be very difficult to apply and maintain,
with questionable security benefits
--allow-service <service>
Use with --set-hardening-level.
Modifies the policy to allow a certain kind of services on the machine, such
as http, mail, etc. Can be specified multiple times to allow multiple services.
Use --allow-service-list to get a list of supported services.
OPTIONS:
--only <test_number>
Modifies the RUN_MODE to only work on the test_number script.
Can be specified multiple times to work only on several scripts.
The test number is the numbered prefix of the script,
i.e. the test number of 1.2_script_name.sh is 1.2.
EOF
exit 0
}
@ -61,6 +92,8 @@ if [ $# = 0 ]; then
usage
fi
declare -a TEST_LIST ALLOWED_SERVICES_LIST
# Arguments parsing
while [[ $# > 0 ]]; do
ARG="$1"
@ -77,6 +110,21 @@ while [[ $# > 0 ]]; do
--apply)
APPLY=1
;;
--allow-service-list)
ALLOW_SERVICE_LIST=1
;;
--allow-service)
ALLOWED_SERVICES_LIST[${#ALLOWED_SERVICES_LIST[@]}]="$2"
shift
;;
--set-hardening-level)
SET_HARDENING_LEVEL="$2"
shift
;;
--only)
TEST_LIST[${#TEST_LIST[@]}]="$2"
shift
;;
-h|--help)
usage
;;
@ -104,8 +152,51 @@ fi
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
# If --allow-service-list is specified, don't run anything, just list the supported services
if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then
declare -a HARDENING_EXCEPTIONS_LIST
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
template=$(grep "^HARDENING_EXCEPTION=" "$SCRIPT" | cut -d= -f2)
[ -n "$template" ] && HARDENING_EXCEPTIONS_LIST[${#HARDENING_EXCEPTIONS_LIST[@]}]="$template"
done
echo "Supported services are: "$(echo "${HARDENING_EXCEPTIONS_LIST[@]}" | tr " " "\n" | sort -u | tr "\n" " ")
exit 0
fi
# If --set-hardening-level is specified, don't run anything, just apply config for each script
if [ -n "$SET_HARDENING_LEVEL" -a "$SET_HARDENING_LEVEL" != 0 ] ; then
if ! grep -q "^[12345]$" <<< "$SET_HARDENING_LEVEL" ; then
echo "Bad --set-hardening-level specified ('$SET_HARDENING_LEVEL'), expected 1 to 5"
exit 1
fi
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
SCRIPT_BASENAME=$(basename $SCRIPT .sh)
script_level=$(grep "^HARDENING_LEVEL=" "$SCRIPT" | cut -d= -f2)
if [ -z "$script_level" ] ; then
echo "The script $SCRIPT_BASENAME doesn't have a hardening level, configuration untouched for it"
continue
fi
wantedstatus=disabled
[ "$script_level" -le "$SET_HARDENING_LEVEL" ] && wantedstatus=enabled
sed -i -re "s/^status=.+/status=$wantedstatus/" $CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg
done
echo "Configuration modified to enable scripts for hardening level at or below $SET_HARDENING_LEVEL"
exit 0
fi
# Parse every scripts and execute them in the required mode
for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening/*.sh -v); do
if [ ${#TEST_LIST[@]} -gt 0 ] ; then
# --only X has been specified at least once, is this script in my list ?
SCRIPT_PREFIX=$(grep -Eo '^[0-9.]+' <<< "$(basename $SCRIPT)")
SCRIPT_PREFIX_RE=$(sed -e 's/\./\\./g' <<< "$SCRIPT_PREFIX")
if ! grep -qEw "$SCRIPT_PREFIX_RE" <<< "${TEST_LIST[@]}"; then
# not in the list
continue
fi
fi
info "Treating $SCRIPT"
if [ $AUDIT = 1 ]; then
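Review bot: The `--set-hardening-level` loop at L123–L133 derives `wantedstatus` from `HARDENING_LEVEL` alone and never consults `ALLOWED_SERVICES_LIST` or a script's `HARDENING_EXCEPTION`, so unless that handling sits in a line this rendering dropped, `--allow-service http` has no effect on the enable/disable decision even though the usage text at L61–L65 says it does. Mirroring the lookup at L125 would close the gap: `script_exception=$(grep "^HARDENING_EXCEPTION=" "$SCRIPT" | cut -d= -f2)` followed by `[ -n "$script_exception" ] && grep -qw -- "$script_exception" <<< "${ALLOWED_SERVICES_LIST[@]}" && wantedstatus=disabled`, placed after L131. The `sed -i` at L132 also targets `etc/conf.d/$SCRIPT_BASENAME.cfg` without checking the file exists; whether a missing file aborts the run or is skipped with a sed error depends on `set -e`, which is outside this hunk, and the "Configuration modified" summary at L134 is printed regardless, so guard it with `[ -f "$CIS_ROOT_DIR/etc/conf.d/$SCRIPT_BASENAME.cfg" ] || { echo "No config file for $SCRIPT_BASENAME, skipping"; continue; }`. Note too that the regex rewrites `status=audit` to enabled/disabled, which the help text warns about only indirectly.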


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if apt needs an update"


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
PACKAGE='login'
OPTIONS='PASS_MAX_DAYS=90'
FILE='/etc/login.defs'


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
PACKAGE='login'
OPTIONS='PASS_MIN_DAYS=7'
FILE='/etc/login.defs'


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
PACKAGE='login'
OPTIONS='PASS_WARN_AGE=7'
FILE='/etc/login.defs'


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
SHELL='/bin/false'
FILE='/etc/passwd'
RESULT=''
@ -70,6 +72,15 @@ apply () {
fi
}
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=disabled
# Put here your exceptions concerning admin accounts shells separated by spaces
EXCEPTIONS=""
EOF
}
# This function will check config parameters required
check_config() {
if [ -z "$EXCEPTIONS" ]; then


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
USER='root'
EXPECTED_GID='0'


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
USER='root'
PATTERN='umask 077'
FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d /etc/profile'


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Looking at the manual of useradd, it seems that this recommendation does not fill the title"


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
PERMISSIONS='644'
USER='root'
GROUP='root'


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
FILES='/etc/motd /etc/issue /etc/issue.net'
PATTERN='(\\v|\\r|\\m|\\s)'


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Not implemented yet"


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if there are suid files"
@ -35,6 +37,15 @@ apply () {
info "Removing suid on valid binary may seriously harm your system, report only here"
}
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=disabled
# Put Here your valid suid binaries so that they do not appear during the audit
EXCEPTIONS="/bin/mount /bin/ping /bin/ping6 /bin/su /bin/umount /usr/bin/chfn /usr/bin/chsh /usr/bin/fping /usr/bin/fping6 /usr/bin/gpasswd /usr/bin/mtr /usr/bin/newgrp /usr/bin/passwd /usr/bin/sudo /usr/bin/sudoedit /usr/lib/openssh/ssh-keysign /usr/lib/pt_chown /usr/bin/at"
EOF
}
# This function will check config parameters required
check_config() {
# No param for this function
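Review bot: The default `EXCEPTIONS` written by create_config at L290 is a path-only allowlist baked into every generated config, and the audit can only compare paths, so a setuid binary at an allowed path is accepted without any check that it is the distribution's binary. The generated comment at L289 should say so, e.g. `# Paths listed here are skipped by the audit; a path match does not verify the binary itself, so review this list against the packages actually installed (dpkg -S <path>) and remove entries for software you do not ship`. The same applies to the sgid default list in the 12.11 section (L309–L316). check_config at L294 continues outside the hunk.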


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if there are sgid files"
@ -35,6 +37,15 @@ apply () {
info "Removing sgid on valid binary may seriously harm your system, report only here"
}
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=disabled
# Put here valid binaries with sgid enabled separated by spaces
EXCEPTIONS="/sbin/unix_chkpwd /usr/bin/bsd-write /usr/bin/chage /usr/bin/crontab /usr/bin/expiry /usr/bin/mutt_dotlock /usr/bin/screen /usr/bin/ssh-agent /usr/bin/wall /usr/sbin/postdrop /usr/sbin/postqueue /usr/bin/at /usr/bin/dotlockfile /usr/bin/mail-lock /usr/bin/mail-touchlock /usr/bin/mail-unlock"
EOF
}
# This function will check config parameters required
check_config() {
if [ -z "$EXCEPTIONS" ]; then


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
FILE='/etc/passwd'
PERMISSIONS='644'


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
FILE='/etc/shadow'
PERMISSIONS='640'


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
FILE='/etc/group'
PERMISSIONS='644'


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
FILE='/etc/passwd'
USER='root'
GROUP='root'


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
FILE='/etc/shadow'
USER='root'
GROUP='shadow'


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
FILE='/etc/group'
USER='root'
GROUP='root'


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if there are world writable files"


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
USER='root'
# This function will be called if the script status is on enabled / audit mode


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
GROUP='root'
# This function will be called if the script status is on enabled / audit mode


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
ERRORS=0
FILENAME=".rhosts"


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
ERRORS=0
# This function will be called if the script status is on enabled / audit mode


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
ERRORS=0
# This function will be called if the script status is on enabled / audit mode


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
ERRORS=0
# This function will be called if the script status is on enabled / audit mode


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
ERRORS=0
# This function will be called if the script status is on enabled / audit mode


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
ERRORS=0
# This function will be called if the script status is on enabled / audit mode


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
ERRORS=0
# This function will be called if the script status is on enabled / audit mode


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
ERRORS=0
# This function will be called if the script status is on enabled / audit mode


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
ERRORS=0
FILENAME='.netrc'


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
ERRORS=0
FILENAME='.forward'


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
FILE='/etc/shadow'
# This function will be called if the script status is on enabled / audit mode


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
ERRORS=0
FILEGROUP='/etc/group'
PATTERN='^shadow:x:[[:digit:]]+:'


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
FILE='/etc/passwd'
RESULT=''


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
FILE='/etc/shadow'
RESULT=''


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
FILE='/etc/group'
RESULT=''


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
FILE='/etc/passwd'
RESULT=''
@ -33,7 +35,7 @@ audit () {
crit "Some accounts have uid 0"
crit $RESULT
else
ok "No account with uid 0 apart root"
ok "No account with uid 0 appart from root and potential configured exceptions"
fi
}
@ -42,6 +44,15 @@ apply () {
info "Removing accounts with uid 0 may seriously harm your system, report only here"
}
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=disabled
# Put here valid accounts with uid 0 separated by spaces
EXCEPTIONS=""
EOF
}
# This function will check config parameters required
check_config() {
if [ -z "$EXCEPTIONS" ]; then
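Review bot: The rewritten ok message at L555 misspells "apart" as "appart"; `ok "No account with uid 0 apart from root and potential configured exceptions"`. Because `EXCEPTIONS` in this script allowlists additional uid-0 accounts, the generated config comment at L565 should make the stakes explicit, e.g. `# Accounts listed here are treated as legitimate uid-0 accounts and are not reported; keep this list minimal and review it on every audit`. check_config at L570 continues outside the hunk.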


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
ERRORS=0
# This function will be called if the script status is on enabled / audit mode


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
ERRORS=0
# This function will be called if the script status is on enabled / audit mode
@ -86,6 +88,15 @@ apply () {
done
}
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=disabled
# Put here user home directories exceptions, separated by spaces
EXCEPTIONS=""
EOF
}
# This function will check config parameters required
check_config() {
if [ -z "$EXCEPTIONS" ]; then


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
ERRORS=0
# This function will be called if the script status is on enabled / audit mode


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
PERMISSIONS="600"
ERRORS=0


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# Quick factoring as many script use the same logic
PARTITION="/home"
OPTION="nodev"


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
# Quick factoring as many script use the same logic


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
# Quick factoring as many script use the same logic


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
# Quick factoring as many script use the same logic


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# Quick factoring as many script use the same logic
PARTITION="/run/shm"
OPTION="nodev"


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# Quick factoring as many script use the same logic
PARTITION="/run/shm"
OPTION="nosuid"


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
# Quick factoring as many script use the same logic
PARTITION="/run/shm"
OPTION="noexec"


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if setuid is set on world writable Directories"


@ -11,13 +11,15 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
KERNEL_OPTION="cramfs"
HARDENING_LEVEL=2
KERNEL_OPTION="CONFIG_CRAMFS"
MODULE_NAME="cramfs"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
else
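Review bot: The context comment at L705 still says the script assumes a monolithic kernel with its config in /proc/config.gz, but the call at L713 now passes `$MODULE_NAME` as a second argument, which suggests `is_kernel_option_enabled` (defined outside this page) also looks at module state; if that is what the helper does, the comment is stale and should be replaced with something like `# Checks the kernel config option and, via the module name, whether the filesystem is available as a module`. The `crit` at L715 still names only `$KERNEL_OPTION`, so a hit found through the module path is reported as `CONFIG_CRAMFS is enabled!`; mentioning `$MODULE_NAME` in that message, e.g. `crit "$KERNEL_OPTION is enabled or $MODULE_NAME module is available!"`, would make the finding unambiguous for whoever triages it. The freevxfs (L720–L734) and jffs2 (L747–L761) sections have the same stale comment and message. audit's body continues outside the hunk.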


@ -11,13 +11,15 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
KERNEL_OPTION="freevxfs"
HARDENING_LEVEL=2
KERNEL_OPTION="CONFIG_VXFS_FS"
MODULE_NAME="freevxfs"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
else


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
# Quick factoring as many script use the same logic
PARTITION="/tmp"


@ -11,13 +11,15 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
KERNEL_OPTION="jffs2"
HARDENING_LEVEL=2
KERNEL_OPTION="CONFIG_JFFS2_FS"
MODULE_NAME="jffs2"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION
is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
else


@ -11,13 +11,15 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
KERNEL_OPTION="hfs"
HARDENING_LEVEL=2
KERNEL_OPTION="CONFIG_HFS_FS"
MODULE_FILE="hfs"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
else
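Review bot: The new variable is named `MODULE_FILE` here (L772, L776) while the cramfs, freevxfs and jffs2 scripts in this same commit use `MODULE_NAME` for the identical role; these scripts are otherwise copy-identical, so the divergent name invites a wrong search-and-replace later and makes a future shared helper harder to factor out. Rename to `MODULE_NAME="hfs"` and `is_kernel_option_enabled $KERNEL_OPTION $MODULE_NAME`. The hfsplus (L783–L797), squashfs (L801–L815) and udf (L819–L833) sections have the same divergence. audit's body continues outside the hunk.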


@ -11,13 +11,15 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
KERNEL_OPTION="hfsplus"
HARDENING_LEVEL=2
KERNEL_OPTION="CONFIG_HFSPLUS_FS"
MODULE_FILE="hfsplus"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
else


@ -11,13 +11,15 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
KERNEL_OPTION="squashfs"
HARDENING_LEVEL=2
KERNEL_OPTION="CONFIG_SQUASHFS"
MODULE_FILE="squashfs"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
else


@ -11,13 +11,15 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz
KERNEL_OPTION="udf"
HARDENING_LEVEL=2
KERNEL_OPTION="CONFIG_UDF_FS"
MODULE_FILE="udf"
# This function will be called if the script status is on enabled / audit mode
audit () {
is_kernel_option_enabled $KERNEL_OPTION
is_kernel_option_enabled $KERNEL_OPTION $MODULE_FILE
if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
crit "$KERNEL_OPTION is enabled!"
else


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
SERVICE_NAME="autofs"
# This function will be called if the script status is on enabled / audit mode


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# Quick factoring as many script use the same logic
PARTITION="/tmp"
OPTION="nodev"


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# Quick factoring as many script use the same logic
PARTITION="/tmp"
OPTION="nosuid"


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
# Quick factoring as many script use the same logic
PARTITION="/tmp"
OPTION="noexec"


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
# Quick factoring as many script use the same logic
PARTITION="/var"


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
# Quick factoring as many script use the same logic
PARTITION="/var/tmp"


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# Quick factoring as many script use the same logic
PARTITION="/var/tmp"
OPTION="nodev"


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# Quick factoring as many script use the same logic
PARTITION="/var/tmp"
OPTION="nosuid"


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
# Quick factoring as many script use the same logic
PARTITION="/var/tmp"
OPTION="noexec"


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
# Quick factoring as many script use the same logic
PARTITION="/var/log"


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=4
# Quick factoring as many script use the same logic
PARTITION="/var/log/audit"


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
# Quick factoring as many script use the same logic
PARTITION="/home"


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
# Assertion : Grub Based.
FILE='/boot/grub/grub.cfg'


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
# Assertion : Grub Based.
FILE='/boot/grub/grub.cfg'


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
FILE='/boot/grub/grub.cfg'
USER_PATTERN="^set superusers"
PWD_PATTERN="^password_pbkdf2"


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
FILE="/etc/shadow"
PATTERN="^root:[*\!]:"


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
LIMIT_FILE='/etc/security/limits.conf'
LIMIT_PATTERN='^\*[[:space:]]*hard[[:space:]]*core[[:space:]]*0$'
SYSCTL_PARAM='fs.suid_dumpable'


@ -11,13 +11,34 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
PATTERN='NX[[:space:]]\(Execute[[:space:]]Disable\)[[:space:]]protection:[[:space:]]active'
# Check if the NX bit is supported and noexec=off hasn't been asked
nx_supported_and_enabled() {
if grep -q ' nx ' /proc/cpuinfo; then
# NX supported, but if noexec=off specified, it's not enabled
if grep -qi 'noexec=off' /proc/cmdline; then
FNRET=1 # supported but disabled
else
FNRET=0 # supported and enabled
fi
else
FNRET=1 # not supported
fi
}
# This function will be called if the script status is on enabled / audit mode
audit () {
does_pattern_exist_in_dmesg $PATTERN
if [ $FNRET != 0 ]; then
crit "$PATTERN is not present in dmesg"
nx_supported_and_enabled
if [ $FNRET != 0 ]; then
crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
else
ok "NX is supported and enabled"
fi
else
ok "$PATTERN is present in dmesg"
fi
@ -27,7 +48,12 @@ audit () {
apply () {
does_pattern_exist_in_dmesg $PATTERN
if [ $FNRET != 0 ]; then
crit "$PATTERN is not present in dmesg, please go to the bios to activate this option or change for CPU compatible"
nx_supported_and_enabled
if [ $FNRET != 0 ]; then
crit "$PATTERN is not present in dmesg and NX seems unsupported or disabled"
else
ok "NX is supported and enabled"
fi
else
ok "$PATTERN is present in dmesg"
fi
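Review bot: The fallback block added to audit at L1021–L1029 is duplicated verbatim in apply at L1035–L1043; both branches only report, so `apply` could simply call `audit` (or both could call a small `report_nx_status` helper holding the dmesg check and the fallback) so the two messages cannot drift apart again, as they had before this change (L1020 vs the removed L1034). The cpuinfo test at L1005 depends on `nx` being surrounded by spaces, so if it is the last flag on a line without a trailing space the check misses it; `grep -qw nx /proc/cpuinfo` is the more robust form. apply's body continues outside the hunk.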


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
SYSCTL_PARAM='kernel.randomize_va_space'
SYSCTL_EXP_RESULT=2


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
PACKAGE='prelink'
# This function will be called if the script status is on enabled / audit mode


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
PACKAGE='apparmor'
# This function will be called if the script status is on enabled / audit mode


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
PACKAGE='nis'
# This function will be called if the script status is on enabled / audit mode


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# Based on aptitude search '~Prsh-server'
PACKAGES='rsh-server rsh-redone-server heimdal-servers'
FILE='/etc/inetd.conf'


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# Based on aptitude search '~Prsh-client', exluding ssh-client OFC
PACKAGES='rsh-client rsh-redone-client heimdal-clients'


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
PACKAGES='inetutils-talkd talkd'
FILE='/etc/inetd.conf'
PATTERN='^(talk|ntalk)'


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
PACKAGES='talk inetutils-talk'
# This function will be called if the script status is on enabled / audit mode


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
# Based on aptitude search '~Ptelnet-server'
PACKAGES='telnetd inetutils-telnetd telnetd-ssl krb5-telnetd heimdal-servers'
FILE='/etc/inetd.conf'


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
PACKAGES='tftpd tftpd-hpa atftpd'
FILE='/etc/inetd.conf'
PATTERN='^tftp'


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
PACKAGES='openbsd-inetd xinetd rlinetd'
# This function will be called if the script status is on enabled / audit mode


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
FILE='/etc/inetd.conf'
PATTERN='^chargen'


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
FILE='/etc/inetd.conf'
PATTERN='^daytime'


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
FILE='/etc/inetd.conf'
PATTERN='^echo'


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
FILE='/etc/inetd.conf'
PATTERN='^discard'


@ -11,6 +11,8 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=2
FILE='/etc/inetd.conf'
PATTERN='^time'


@ -11,6 +11,9 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
HARDENING_EXCEPTION=http
# Based on aptitude search '~Phttpd'
PACKAGES='nginx apache2 lighttpd micro-httpd mini-httpd yaws boa bozohttpd'


@ -11,6 +11,9 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
HARDENING_EXCEPTION=mail
# Based on aptitude search '~Pimap-server' and aptitude search '~Ppop3-server'
PACKAGES='citadel-server courier-imap cyrus-imapd-2.4 dovecot-imapd mailutils-imap4d courier-pop cyrus-pop3d-2.4 dovecot-pop3d heimdal-servers mailutils-pop3d popa3d solid-pop3d xmail'


@ -11,6 +11,9 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
HARDENING_EXCEPTION=samba
PACKAGES='samba'
# This function will be called if the script status is on enabled / audit mode


@ -11,6 +11,9 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
HARDENING_EXCEPTION=http
PACKAGES='squid3 squid'
# This function will be called if the script status is on enabled / audit mode
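Review bot: `HARDENING_EXCEPTION=http` at L1229 places the squid proxy check in the same exception class as the web-server check at L1199, so whatever consumes these values for `--allow-service http` will stop flagging a forward proxy whenever a web server is allowed. If that coupling is not intended, a dedicated value such as `HARDENING_EXCEPTION=proxy` keeps the two allowances separate, and the `--allow-service-list` output in hardening.sh (L107–L116) would then advertise both. How the exception is consumed is not visible in this page, so the effect is inferred from the usage text in hardening.sh.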


@ -11,6 +11,9 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
HARDENING_EXCEPTION=snmp
PACKAGES='snmpd'
# This function will be called if the script status is on enabled / audit mode


@ -11,6 +11,9 @@
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
HARDENING_EXCEPTION=mail
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking netport ports opened"
