diff --git a/bin/hardening/aide_daily_check.sh b/bin/hardening/aide_daily_check.sh new file mode 100755 index 0000000..b01845d --- /dev/null +++ b/bin/hardening/aide_daily_check.sh @@ -0,0 +1,82 @@ +#!/bin/bash + +# run-shellcheck +# +# CIS Debian Hardening +# + +# +# Ensure AIDE daily checks (Automated) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# shellcheck disable=2034 +HARDENING_LEVEL=3 +# shellcheck disable=2034 +DESCRIPTION="Ensure AIDE daily checks" +SERVICE="dailyaidecheck.service" +TIMER="dailyaidecheck.timer" + +# This function will be called if the script status is on enabled / audit mode +audit() { + SERVICE_ENABLED=1 + TIMER_ENABLED=1 + + is_service_enabled "$SERVICE" + if [ "$FNRET" -eq 0 ]; then + SERVICE_ENABLED=0 + ok "$SERVICE is enabled" + else + crit "$SERVICE is not enabled" + fi + + is_timer_enabled "$TIMER" + if [ "$FNRET" -eq 0 ]; then + TIMER_ENABLED=0 + ok "$TIMER is enabled" + else + crit "$TIMER is not enabled" + fi +} + +# This function will be called if the script status is on enabled mode +apply() { + if [ "$SERVICE_ENABLED" -ne 0 ]; then + info "unmasking and enabling $SERVICE" + manage_service unmask "$SERVICE" + manage_service enable "$SERVICE" + fi + + if [ "$TIMER_ENABLED" -ne 0 ]; then + info "unmasking and enabling $TIMER" + manage_service unmask "$TIMER" + manage_service enable "$TIMER" + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ -r /etc/default/cis-hardening ]; then + # shellcheck source=../../debian/default + . /etc/default/cis-hardening +fi +if [ -z "$CIS_LIB_DIR" ]; then + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_LIB_DIR variable, aborting." + exit 128 +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +if [ -r "${CIS_LIB_DIR}"/main.sh ]; then + # shellcheck source=../../lib/main.sh + . "${CIS_LIB_DIR}"/main.sh +else + echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening" + exit 128 +fi diff --git a/bin/hardening/journald_is_enabled.sh b/bin/hardening/journald_is_enabled.sh new file mode 100755 index 0000000..c108d65 --- /dev/null +++ b/bin/hardening/journald_is_enabled.sh @@ -0,0 +1,81 @@ +#!/bin/bash + +# run-shellcheck +# +# CIS Debian Hardening +# + +# +# Ensure journald service is enabled and active (Automated) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# shellcheck disable=2034 +HARDENING_LEVEL=3 +# shellcheck disable=2034 +DESCRIPTION="Ensure journald service is enabled and active" +SERVICE="systemd-journald.service" + +# This function will be called if the script status is on enabled / audit mode +audit() { + SERVICE_ENABLED=1 + SERVICE_ACTIVE=1 + + is_service_enabled "$SERVICE" + if [ "$FNRET" -eq 0 ]; then + ok "$SERVICE is enabled" + SERVICE_ENABLED=0 + else + crit "$SERVICE is not enabled" + fi + + is_service_active "$SERVICE" + if [ "$FNRET" -eq 0 ]; then + ok "$SERVICE is active" + SERVICE_ACTIVE=0 + else + crit "$SERVICE is not active" + fi +} + +# This function will be called if the script status is on enabled mode +apply() { + if [ "$SERVICE_ENABLED" -ne 0 ]; then + info "unmasking and enabling $SERVICE" + manage_service unmask "$SERVICE" + manage_service enable "$SERVICE" + fi + + if [ "$SERVICE_ACTIVE" -ne 0 ]; then + info "starting $SERVICE" + manage_service start "$SERVICE" + fi + +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ -r /etc/default/cis-hardening ]; then + # shellcheck source=../../debian/default + . /etc/default/cis-hardening +fi +if [ -z "$CIS_LIB_DIR" ]; then + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_LIB_DIR variable, aborting." + exit 128 +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +if [ -r "${CIS_LIB_DIR}"/main.sh ]; then + # shellcheck source=../../lib/main.sh + . "${CIS_LIB_DIR}"/main.sh +else + echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening" + exit 128 +fi diff --git a/bin/hardening/systemd_journal_remote_is_disabled.sh b/bin/hardening/systemd_journal_remote_is_disabled.sh new file mode 100755 index 0000000..e89710d --- /dev/null +++ b/bin/hardening/systemd_journal_remote_is_disabled.sh @@ -0,0 +1,112 @@ +#!/bin/bash + +# run-shellcheck +# +# CIS Debian Hardening +# + +# +# Ensure systemd-journal-remote service is not in use (Automated) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# shellcheck disable=2034 +HARDENING_LEVEL=3 +# shellcheck disable=2034 +DESCRIPTION="Ensure systemd-journal-remote service is not in use : client is able to send logs, not receive them" +SERVICE="systemd-journal-remote.service" +SOCKET="systemd-journal-remote.socket" + +# This function will be called if the script status is on enabled / audit mode +audit() { + SERVICE_ENABLED=1 + SERVICE_ACTIVE=1 + SOCKET_ENABLED=1 + SOCKET_ACTIVE=1 + + is_service_enabled "$SERVICE" + if [ "$FNRET" -eq 0 ]; then + crit "$SERVICE is enabled" + SERVICE_ENABLED=0 + else + ok "$SERVICE is not enabled" + fi + + is_service_active "$SERVICE" + if [ "$FNRET" -eq 0 ]; then + crit "$SERVICE is active" + SERVICE_ACTIVE=0 + else + ok "$SERVICE is not active" + fi + + is_socket_enabled "$SOCKET" + if [ "$FNRET" -eq 0 ]; then + crit "$SOCKET is enabled" + SOCKET_ENABLED=0 + else + ok "$SOCKET is not enabled" + fi + + is_socket_active "$SOCKET" + if [ "$FNRET" -eq 0 ]; then + crit "$SOCKET is active" + SOCKET_ACTIVE=0 + else + ok "$SOCKET is not active" + fi + +} + +# This function will be called if the script status is on enabled mode +apply() { + if [ "$SERVICE_ENABLED" -eq 0 ]; then + info "Disabling and masking $SERVICE" + manage_service disable "$SERVICE" + manage_service mask "$SERVICE" + fi + + if [ "$SERVICE_ACTIVE" -eq 0 ]; then + info "Stopping $SERVICE" + manage_service stop "$SERVICE" + fi + + if [ "$SOCKET_ENABLED" -eq 0 ]; then + info "Disabling and masking $SOCKET" + manage_service disable "$SOCKET" + manage_service mask "$SOCKET" + fi + + if [ "$SOCKET_ACTIVE" -eq 0 ]; then + info "Stopping $SOCKET" + manage_service stop "$SOCKET" + fi + +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ -r /etc/default/cis-hardening ]; then + # shellcheck source=../../debian/default + . /etc/default/cis-hardening +fi +if [ -z "$CIS_LIB_DIR" ]; then + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_LIB_DIR variable, aborting." + exit 128 +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +if [ -r "${CIS_LIB_DIR}"/main.sh ]; then + # shellcheck source=../../lib/main.sh + . "${CIS_LIB_DIR}"/main.sh +else + echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening" + exit 128 +fi diff --git a/bin/hardening/systemd_journal_remote_is_installed.sh b/bin/hardening/systemd_journal_remote_is_installed.sh new file mode 100755 index 0000000..647e6d8 --- /dev/null +++ b/bin/hardening/systemd_journal_remote_is_installed.sh @@ -0,0 +1,65 @@ +#!/bin/bash + +# run-shellcheck +# +# CIS Debian Hardening +# + +# +# Ensure systemd-journal-remote is installed (Automated) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# shellcheck disable=2034 +HARDENING_LEVEL=3 +# shellcheck disable=2034 +DESCRIPTION="Ensure systemd-journal-remote is installed" +PACKAGE="systemd-journal-remote" + +# This function will be called if the script status is on enabled / audit mode +audit() { + PACKAGE_INSTALLED=1 + is_pkg_installed "$PACKAGE" + if [ "$FNRET" != 0 ]; then + crit "$PACKAGE is absent!" + else + PACKAGE_INSTALLED=0 + ok "$PACKAGE is installed" + fi +} + +# This function will be called if the script status is on enabled mode +apply() { + if [ "$PACKAGE_INSTALLED" -eq 1 ]; then + info "installing '$PACKAGE'" + apt_install "$PACKAGE" + info "'$PACKAGE' installed" + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ -r /etc/default/cis-hardening ]; then + # shellcheck source=../../debian/default + . /etc/default/cis-hardening +fi +if [ -z "$CIS_LIB_DIR" ]; then + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_LIB_DIR variable, aborting." + exit 128 +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +if [ -r "${CIS_LIB_DIR}"/main.sh ]; then + # shellcheck source=../../lib/main.sh + . "${CIS_LIB_DIR}"/main.sh +else + echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening" + exit 128 +fi diff --git a/bin/hardening/systemd_journal_upload_is_enabled.sh b/bin/hardening/systemd_journal_upload_is_enabled.sh new file mode 100755 index 0000000..5b975c0 --- /dev/null +++ b/bin/hardening/systemd_journal_upload_is_enabled.sh @@ -0,0 +1,79 @@ +#!/bin/bash + +# run-shellcheck +# +# CIS Debian Hardening +# + +# +# Ensure systemd-journal-upload is enabled and active (Automated) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# shellcheck disable=2034 +HARDENING_LEVEL=3 +# shellcheck disable=2034 +DESCRIPTION="Ensure systemd-journal-upload is enabled and active" +SERVICE="systemd-journal-upload.service" + +# This function will be called if the script status is on enabled / audit mode +audit() { + SERVICE_ENABLED=1 + SERVICE_ACTIVE=1 + + is_service_enabled "$SERVICE" + if [ "$FNRET" -eq 0 ]; then + ok "$SERVICE is enabled" + SERVICE_ENABLED=0 + else + crit "$SERVICE is not enabled" + fi + + is_service_active "$SERVICE" + if [ "$FNRET" -eq 0 ]; then + ok "$SERVICE is active" + SERVICE_ACTIVE=0 + else + crit "$SERVICE is not active" + fi +} + +# This function will be called if the script status is on enabled mode +apply() { + if [ "$SERVICE_ENABLED" -ne 0 ]; then + manage_service unmask "$SERVICE" + manage_service enable "$SERVICE" + fi + + if [ "$SERVICE_ACTIVE" -ne 0 ]; then + manage_service start "$SERVICE" + fi + +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ -r /etc/default/cis-hardening ]; then + # shellcheck source=../../debian/default + . /etc/default/cis-hardening +fi +if [ -z "$CIS_LIB_DIR" ]; then + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_LIB_DIR variable, aborting." + exit 128 +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +if [ -r "${CIS_LIB_DIR}"/main.sh ]; then + # shellcheck source=../../lib/main.sh + . "${CIS_LIB_DIR}"/main.sh +else + echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening" + exit 128 +fi diff --git a/tests/hardening/aide_daily_check.sh b/tests/hardening/aide_daily_check.sh new file mode 100644 index 0000000..b9b529d --- /dev/null +++ b/tests/hardening/aide_daily_check.sh @@ -0,0 +1,10 @@ +# shellcheck shell=bash +# run-shellcheck +test_audit() { + # running on a container, not much to test here + describe Running on blank host + register_test retvalshouldbe 1 + # shellcheck disable=2154 + run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all + +} diff --git a/tests/hardening/journald_is_enabled.sh b/tests/hardening/journald_is_enabled.sh new file mode 100644 index 0000000..c2dc702 --- /dev/null +++ b/tests/hardening/journald_is_enabled.sh @@ -0,0 +1,11 @@ +# shellcheck shell=bash +# run-shellcheck +test_audit() { + + # not much to test here, we are running in a container, we wont check service state + describe Checking blank host + register_test retvalshouldbe 1 + # shellcheck disable=2154 + run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all + +} diff --git a/tests/hardening/systemd_journal_remote_is_disabled.sh b/tests/hardening/systemd_journal_remote_is_disabled.sh new file mode 100644 index 0000000..7aefc09 --- /dev/null +++ b/tests/hardening/systemd_journal_remote_is_disabled.sh @@ -0,0 +1,11 @@ +# shellcheck shell=bash +# run-shellcheck +test_audit() { + + # not much to test here, we are running in a container, we wont check service state + describe Checking blank host + register_test retvalshouldbe 0 + # shellcheck disable=2154 + run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all + +} diff --git a/tests/hardening/systemd_journal_remote_is_installed.sh b/tests/hardening/systemd_journal_remote_is_installed.sh new file mode 100644 index 0000000..09fd036 --- /dev/null +++ b/tests/hardening/systemd_journal_remote_is_installed.sh @@ -0,0 +1,23 @@ +# shellcheck shell=bash +# run-shellcheck +test_audit() { + describe set up failed check + apt remove -y systemd-journal-remote + + describe Running failed test + register_test retvalshouldbe 1 + # shellcheck disable=2154 + run failure "${CIS_CHECKS_DIR}/${script}.sh" --audit-all + + describe Fix situation + sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg" + "${CIS_CHECKS_DIR}/${script}.sh" --apply || true + + describe running successfull audit + register_test retvalshouldbe 0 + # shellcheck disable=2154 + run success "${CIS_CHECKS_DIR}/${script}.sh" --audit-all + + apt remove -y systemd-journal-remote + apt autoremove -y +} diff --git a/tests/hardening/systemd_journal_upload_is_enabled.sh b/tests/hardening/systemd_journal_upload_is_enabled.sh new file mode 100644 index 0000000..c2dc702 --- /dev/null +++ b/tests/hardening/systemd_journal_upload_is_enabled.sh @@ -0,0 +1,11 @@ +# shellcheck shell=bash +# run-shellcheck +test_audit() { + + # not much to test here, we are running in a container, we wont check service state + describe Checking blank host + register_test retvalshouldbe 1 + # shellcheck disable=2154 + run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all + +}