From befd3acdde487ae934cda3ebbd2a79cd2146b6e9 Mon Sep 17 00:00:00 2001 From: "thibault.dewailly" Date: Thu, 14 Apr 2016 14:43:26 +0200 Subject: [PATCH] 8.1.10_record_dac_edit.sh 8.1.6_record_network_edit.sh 8.1.7_record_mac_edit.sh 8.1.8_record_login_logout.sh 8.1.9_record_session_init.sh --- bin/hardening/8.1.10_record_dac_edit.sh | 70 ++++++++++++++++++++++ bin/hardening/8.1.6_record_network_edit.sh | 70 ++++++++++++++++++++++ bin/hardening/8.1.7_record_mac_edit.sh | 65 ++++++++++++++++++++ bin/hardening/8.1.8_record_login_logout.sh | 67 +++++++++++++++++++++ bin/hardening/8.1.9_record_session_init.sh | 67 +++++++++++++++++++++ etc/conf.d/8.1.10_record_dac_edit.cfg | 2 + etc/conf.d/8.1.6_record_network_edit.cfg | 2 + etc/conf.d/8.1.7_record_mac_edit.cfg | 2 + etc/conf.d/8.1.8_record_login_logout.cfg | 2 + etc/conf.d/8.1.9_record_session_init.cfg | 2 + 10 files changed, 349 insertions(+) create mode 100755 bin/hardening/8.1.10_record_dac_edit.sh create mode 100755 bin/hardening/8.1.6_record_network_edit.sh create mode 100755 bin/hardening/8.1.7_record_mac_edit.sh create mode 100755 bin/hardening/8.1.8_record_login_logout.sh create mode 100755 bin/hardening/8.1.9_record_session_init.sh create mode 100644 etc/conf.d/8.1.10_record_dac_edit.cfg create mode 100644 etc/conf.d/8.1.6_record_network_edit.cfg create mode 100644 etc/conf.d/8.1.7_record_mac_edit.cfg create mode 100644 etc/conf.d/8.1.8_record_login_logout.cfg create mode 100644 etc/conf.d/8.1.9_record_session_init.cfg diff --git a/bin/hardening/8.1.10_record_dac_edit.sh b/bin/hardening/8.1.10_record_dac_edit.sh new file mode 100755 index 0000000..88d8fee --- /dev/null +++ b/bin/hardening/8.1.10_record_dac_edit.sh @@ -0,0 +1,70 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 8.1.10 Collect Discretionary Access Control Permission Modification Events (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +AUDIT_PARAMS='-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' +FILE='/etc/audit/audit.rules' + +# This function will be called if the script status is on enabled / audit mode +audit () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + eval $(pkill -HUP -P 1 auditd) + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/8.1.6_record_network_edit.sh b/bin/hardening/8.1.6_record_network_edit.sh new file mode 100755 index 0000000..b6385e6 --- /dev/null +++ b/bin/hardening/8.1.6_record_network_edit.sh @@ -0,0 +1,70 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 8.1.6 Record Events That Modify the System's Network Environment (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +AUDIT_PARAMS='-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale' +FILE='/etc/audit/audit.rules' + +# This function will be called if the script status is on enabled / audit mode +audit () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + eval $(pkill -HUP -P 1 auditd) + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/8.1.7_record_mac_edit.sh b/bin/hardening/8.1.7_record_mac_edit.sh new file mode 100755 index 0000000..41b8e98 --- /dev/null +++ b/bin/hardening/8.1.7_record_mac_edit.sh @@ -0,0 +1,65 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 8.1.7 Record Events That Modify the System's Mandatory Access Controls (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +AUDIT_PARAMS='-w /etc/selinux/ -p wa -k MAC-policy' +FILE='/etc/audit/audit.rules' + +# This function will be called if the script status is on enabled / audit mode +audit () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + eval $(pkill -HUP -P 1 auditd) + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/8.1.8_record_login_logout.sh b/bin/hardening/8.1.8_record_login_logout.sh new file mode 100755 index 0000000..8949f90 --- /dev/null +++ b/bin/hardening/8.1.8_record_login_logout.sh @@ -0,0 +1,67 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 8.1.8 Collect Login and Logout Events (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +AUDIT_PARAMS='-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/log/tallylog -p wa -k logins' +FILE='/etc/audit/audit.rules' + +# This function will be called if the script status is on enabled / audit mode +audit () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + eval $(pkill -HUP -P 1 auditd) + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/8.1.9_record_session_init.sh b/bin/hardening/8.1.9_record_session_init.sh new file mode 100755 index 0000000..c2d0474 --- /dev/null +++ b/bin/hardening/8.1.9_record_session_init.sh @@ -0,0 +1,67 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 8.1.9 Collect Session Initiation Information (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +AUDIT_PARAMS='-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k session +-w /var/log/btmp -p wa -k session' +FILE='/etc/audit/audit.rules' + +# This function will be called if the script status is on enabled / audit mode +audit () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + eval $(pkill -HUP -P 1 auditd) + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/etc/conf.d/8.1.10_record_dac_edit.cfg b/etc/conf.d/8.1.10_record_dac_edit.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/8.1.10_record_dac_edit.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/8.1.6_record_network_edit.cfg b/etc/conf.d/8.1.6_record_network_edit.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/8.1.6_record_network_edit.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/8.1.7_record_mac_edit.cfg b/etc/conf.d/8.1.7_record_mac_edit.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/8.1.7_record_mac_edit.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/8.1.8_record_login_logout.cfg b/etc/conf.d/8.1.8_record_login_logout.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/8.1.8_record_login_logout.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/8.1.9_record_session_init.cfg b/etc/conf.d/8.1.9_record_session_init.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/8.1.9_record_session_init.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled