mirror of
https://github.com/ovh/debian-cis.git
synced 2024-12-23 14:35:26 +01:00
7.4.1_install_tcp_wrapper.sh 7.4.2_hosts_allow.sh 7.4.3_hosts_allow_permissions.sh 7.4.4_hosts_deny.sh 7.4.5_hosts_deny_permissions.sh 7.5.1_disable_dccp.sh 7.5.2_disable_sctp.sh 7.5.3_disable_rds.sh 7.5.4_disable_tipc.sh 7.6_disable_wireless.sh 7.7_enable_firewall.sh 8.0_install_auditd.sh 8.1.1.1_audit_log_storage.sh
This commit is contained in:
parent
0cf8bd3dd8
commit
c5f2b41421
55
bin/hardening/7.4.1_install_tcp_wrapper.sh
Executable file
55
bin/hardening/7.4.1_install_tcp_wrapper.sh
Executable file
@ -0,0 +1,55 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
|
||||
#
|
||||
|
||||
#
|
||||
# 7.4.1 Install TCP Wrappers (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
PACKAGE='tcpd'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$PACKAGE is not installed !"
|
||||
else
|
||||
ok "$PACKAGE is installed"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PACKAGE is installed"
|
||||
else
|
||||
crit "$PACKAGE is absent, installing it"
|
||||
apt_install $PACKAGE
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
56
bin/hardening/7.4.2_hosts_allow.sh
Executable file
56
bin/hardening/7.4.2_hosts_allow.sh
Executable file
@ -0,0 +1,56 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
|
||||
#
|
||||
|
||||
#
|
||||
# 7.4.2 Create /etc/hosts.allow (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
FILE='/etc/hosts.allow'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
does_file_exist $FILE
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
else
|
||||
ok "$FILE exist"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
does_file_exist $FILE
|
||||
if [ $FNRET != 0 ]; then
|
||||
warn "$FILE does not exist, creating it"
|
||||
touch $FILE
|
||||
warn "You may want to fill it with allowed networks"
|
||||
else
|
||||
ok "$FILE exist"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
56
bin/hardening/7.4.3_hosts_allow_permissions.sh
Executable file
56
bin/hardening/7.4.3_hosts_allow_permissions.sh
Executable file
@ -0,0 +1,56 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
|
||||
#
|
||||
|
||||
#
|
||||
# 7.4.3 Verify Permissions on /etc/hosts.allow (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
FILE='/etc/hosts.allow'
|
||||
PERMISSIONS='644'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
has_file_correct_permissions $FILE $PERMISSIONS
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
crit "$FILE has not $PERMISSIONS permissions set"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
has_file_correct_permissions $FILE $PERMISSIONS
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
info "fixing $FILE permissions to $PERMISSIONS"
|
||||
chmod 0$PERMISSIONS $FILE
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
70
bin/hardening/7.4.4_hosts_deny.sh
Executable file
70
bin/hardening/7.4.4_hosts_deny.sh
Executable file
@ -0,0 +1,70 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
|
||||
#
|
||||
|
||||
#
|
||||
# 7.4.4 Create /etc/hosts.deny (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
FILE='/etc/hosts.deny'
|
||||
PATTERN='ALL: ALL'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
does_file_exist $FILE
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
else
|
||||
ok "$FILE exist, checking configuration"
|
||||
does_pattern_exists_in_file $FILE "$PATTERN"
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$PATTERN not present in $FILE, we have to deny everything"
|
||||
else
|
||||
ok "$PATTERN present in $FILE"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
does_file_exist $FILE
|
||||
if [ $FNRET != 0 ]; then
|
||||
warn "$FILE does not exist, creating it"
|
||||
touch $FILE
|
||||
else
|
||||
ok "$FILE exist"
|
||||
fi
|
||||
does_pattern_exists_in_file $FILE "$PATTERN"
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$PATTERN not present in $FILE, we have to deny everything"
|
||||
add_end_of_file $FILE "$PATTERN"
|
||||
warn "YOU MAY HAVE CUT YOUR ACCESS, CHECK BEFORE DISCONNECTING"
|
||||
else
|
||||
ok "$PATTERN present in $FILE"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
56
bin/hardening/7.4.5_hosts_deny_permissions.sh
Executable file
56
bin/hardening/7.4.5_hosts_deny_permissions.sh
Executable file
@ -0,0 +1,56 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
|
||||
#
|
||||
|
||||
#
|
||||
# 7.4.5 Verify Permissions on /etc/hosts.deny (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
FILE='/etc/hosts.deny'
|
||||
PERMISSIONS='644'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
has_file_correct_permissions $FILE $PERMISSIONS
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
crit "$FILE has not $PERMISSIONS permissions set"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
has_file_correct_permissions $FILE $PERMISSIONS
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct permissions"
|
||||
else
|
||||
info "fixing $FILE permissions to $PERMISSIONS"
|
||||
chmod 0$PERMISSIONS $FILE
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
42
bin/hardening/7.5.1_disable_dccp.sh
Executable file
42
bin/hardening/7.5.1_disable_dccp.sh
Executable file
@ -0,0 +1,42 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
|
||||
#
|
||||
|
||||
#
|
||||
# 7.5.1 Disable DCCP (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Not implemented yet"
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
info "Not implemented yet"
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
42
bin/hardening/7.5.2_disable_sctp.sh
Executable file
42
bin/hardening/7.5.2_disable_sctp.sh
Executable file
@ -0,0 +1,42 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
|
||||
#
|
||||
|
||||
#
|
||||
# 7.5.2 Disable SCTP (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Not implemented yet"
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
info "Not implemented yet"
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
42
bin/hardening/7.5.3_disable_rds.sh
Executable file
42
bin/hardening/7.5.3_disable_rds.sh
Executable file
@ -0,0 +1,42 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
|
||||
#
|
||||
|
||||
#
|
||||
# 7.5.2 Disable SCTP (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Not implemented yet"
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
info "Not implemented yet"
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
42
bin/hardening/7.5.4_disable_tipc.sh
Executable file
42
bin/hardening/7.5.4_disable_tipc.sh
Executable file
@ -0,0 +1,42 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
|
||||
#
|
||||
|
||||
#
|
||||
# 7.5.2 Disable SCTP (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Not implemented yet"
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
info "Not implemented yet"
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
42
bin/hardening/7.6_disable_wireless.sh
Executable file
42
bin/hardening/7.6_disable_wireless.sh
Executable file
@ -0,0 +1,42 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
|
||||
#
|
||||
|
||||
#
|
||||
# 7.6 Deactivate Wireless Interfaces (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Not implemented yet"
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
info "Not implemented yet"
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
58
bin/hardening/7.7_enable_firewall.sh
Executable file
58
bin/hardening/7.7_enable_firewall.sh
Executable file
@ -0,0 +1,58 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
|
||||
#
|
||||
|
||||
#
|
||||
# 7.4.1 Install TCP Wrappers (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Quick note here : CIS recommends your iptables rules to be persistent.
|
||||
# Do as you want, but this script does not handle this
|
||||
|
||||
PACKAGE='iptables'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$PACKAGE is not installed !"
|
||||
else
|
||||
ok "$PACKAGE is installed"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PACKAGE is installed"
|
||||
else
|
||||
crit "$PACKAGE is absent, installing it"
|
||||
apt_install $PACKAGE
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
57
bin/hardening/8.0_install_auditd.sh
Executable file
57
bin/hardening/8.0_install_auditd.sh
Executable file
@ -0,0 +1,57 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
|
||||
#
|
||||
|
||||
#
|
||||
# 8.0 Install auditd
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# Note : Not port of the CIS guide, but what's the point configuring a software not installed ? :)
|
||||
|
||||
PACKAGE='auditd'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$PACKAGE is not installed !"
|
||||
else
|
||||
ok "$PACKAGE is installed"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
is_pkg_installed $PACKAGE
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PACKAGE is installed"
|
||||
else
|
||||
crit "$PACKAGE is absent, installing it"
|
||||
apt_install $PACKAGE
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
70
bin/hardening/8.1.1.1_audit_log_storage.sh
Executable file
70
bin/hardening/8.1.1.1_audit_log_storage.sh
Executable file
@ -0,0 +1,70 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# CIS Debian 7 Hardening
|
||||
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
|
||||
#
|
||||
|
||||
#
|
||||
# 8.1.1.1 Configure Audit Log Storage Size (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
FILE='/etc/audit/auditd.conf'
|
||||
PATTERN='max_log_file'
|
||||
VALUE=5
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
does_file_exist $FILE
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$FILE does not exist"
|
||||
else
|
||||
ok "$FILE exist, checking configuration"
|
||||
does_pattern_exists_in_file $FILE "^$PATTERN[[:space:]]"
|
||||
if [ $FNRET != 0 ]; then
|
||||
crit "$PATTERN not present in $FILE, we have to deny everything"
|
||||
else
|
||||
ok "$PATTERN present in $FILE"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
does_file_exist $FILE
|
||||
if [ $FNRET != 0 ]; then
|
||||
warn "$FILE does not exist, creating it"
|
||||
touch $FILE
|
||||
else
|
||||
ok "$FILE exist"
|
||||
fi
|
||||
does_pattern_exists_in_file $FILE "^$PATTERN[[:space:]]"
|
||||
if [ $FNRET != 0 ]; then
|
||||
warn "$PATTERN not present in $FILE, adding it"
|
||||
add_end_of_file $FILE "$PATTERN = $VALUE"
|
||||
else
|
||||
ok "$PATTERN present in $FILE"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||
exit 128
|
||||
else
|
||||
. /etc/default/cis-hardenning
|
||||
if [ -z $CIS_ROOT_DIR ]; then
|
||||
echo "No CIS_ROOT_DIR variable, aborting"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
2
etc/conf.d/7.4.1_install_tcp_wrapper.cfg
Normal file
2
etc/conf.d/7.4.1_install_tcp_wrapper.cfg
Normal file
@ -0,0 +1,2 @@
|
||||
# Configuration for script of same name
|
||||
status=enabled
|
2
etc/conf.d/7.4.2_hosts_allow.cfg
Normal file
2
etc/conf.d/7.4.2_hosts_allow.cfg
Normal file
@ -0,0 +1,2 @@
|
||||
# Configuration for script of same name
|
||||
status=enabled
|
2
etc/conf.d/7.4.3_hosts_allow_permissions.cfg
Normal file
2
etc/conf.d/7.4.3_hosts_allow_permissions.cfg
Normal file
@ -0,0 +1,2 @@
|
||||
# Configuration for script of same name
|
||||
status=enabled
|
2
etc/conf.d/7.4.4_hosts_deny.cfg
Normal file
2
etc/conf.d/7.4.4_hosts_deny.cfg
Normal file
@ -0,0 +1,2 @@
|
||||
# Configuration for script of same name
|
||||
status=enabled
|
2
etc/conf.d/7.4.5_hosts_deny_permissions.cfg
Normal file
2
etc/conf.d/7.4.5_hosts_deny_permissions.cfg
Normal file
@ -0,0 +1,2 @@
|
||||
# Configuration for script of same name
|
||||
status=enabled
|
2
etc/conf.d/7.5.1_disable_dccp.cfg
Normal file
2
etc/conf.d/7.5.1_disable_dccp.cfg
Normal file
@ -0,0 +1,2 @@
|
||||
# Configuration for script of same name
|
||||
status=enabled
|
2
etc/conf.d/7.5.2_disable_sctp.cfg
Normal file
2
etc/conf.d/7.5.2_disable_sctp.cfg
Normal file
@ -0,0 +1,2 @@
|
||||
# Configuration for script of same name
|
||||
status=enabled
|
2
etc/conf.d/7.6_disable_wireless.cfg
Normal file
2
etc/conf.d/7.6_disable_wireless.cfg
Normal file
@ -0,0 +1,2 @@
|
||||
# Configuration for script of same name
|
||||
status=enabled
|
2
etc/conf.d/7.7_enable_firewall.cfg
Normal file
2
etc/conf.d/7.7_enable_firewall.cfg
Normal file
@ -0,0 +1,2 @@
|
||||
# Configuration for script of same name
|
||||
status=enabled
|
2
etc/conf.d/8.0_install_auditd.cfg
Normal file
2
etc/conf.d/8.0_install_auditd.cfg
Normal file
@ -0,0 +1,2 @@
|
||||
# Configuration for script of same name
|
||||
status=enabled
|
2
etc/conf.d/8.1.1.1_audit_log_storage.cfg
Normal file
2
etc/conf.d/8.1.1.1_audit_log_storage.cfg
Normal file
@ -0,0 +1,2 @@
|
||||
# Configuration for script of same name
|
||||
status=enabled
|
Loading…
Reference in New Issue
Block a user