From ccda7adb9339d17e249540ed1ccea1bb239a6d6f Mon Sep 17 00:00:00 2001
From: Kevin Tanguy
Date: Mon, 18 Apr 2016 17:14:56 +0200
Subject: [PATCH] Debianization time

---
 debian/changelog | 13 +++
 debian/compat | 1 +
 debian/conffiles | 191 ++++++++++++++++++++++++++++++++++++++++++
 debian/control | 15 ++++
 debian/default | 5 ++
 debian/dirs | 1 +
 debian/rules | 39 +++++++++
 debian/source/options | 1 +
 8 files changed, 266 insertions(+)
 create mode 100644 debian/changelog
 create mode 100644 debian/compat
 create mode 100644 debian/conffiles
 create mode 100644 debian/control
 create mode 100644 debian/default
 create mode 100644 debian/dirs
 create mode 100755 debian/rules
 create mode 100644 debian/source/options

diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..789aed3
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,13 @@
+cis-hardening (1.0-2) wheezy; urgency=low
+
+ * add LICENSE
+ * duplicate README in /opt and /usr/share/doc
+ * patch conffiles for new correct configuration files names
+
+ -- Kevin Tanguy Tue, 19 Apr 2016 14:31:03 +0200
+
+cis-hardening (1.0-1) stable; urgency=low
+
+ * Initial release.
+
+ -- Kevin Tanguy Mon, 18 Apr 2016 17:13:07 +0200
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 0000000..45a4fb7
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+8
diff --git a/debian/conffiles b/debian/conffiles
new file mode 100644
index 0000000..1ebb809
--- /dev/null
+++ b/debian/conffiles
@@ -0,0 +1,191 @@
+opt/cis-hardening/etc/conf.d/1.1_install_updates.cfg
+opt/cis-hardening/etc/conf.d/2.1_tmp_partition.cfg
+opt/cis-hardening/etc/conf.d/2.2_tmp_nodev.cfg
+opt/cis-hardening/etc/conf.d/2.3_tmp_nosuid.cfg
+opt/cis-hardening/etc/conf.d/2.4_tmp_noexec.cfg
+opt/cis-hardening/etc/conf.d/2.5_var_partition.cfg
+opt/cis-hardening/etc/conf.d/2.6.1_var_tmp_partition.cfg
+opt/cis-hardening/etc/conf.d/2.6.2_var_tmp_nodev.cfg
+opt/cis-hardening/etc/conf.d/2.6.3_var_tmp_nosuid.cfg
+opt/cis-hardening/etc/conf.d/2.6.4_var_tmp_noexec.cfg
+opt/cis-hardening/etc/conf.d/2.7_var_log_partition.cfg
+opt/cis-hardening/etc/conf.d/2.8_var_log_audit_partition.cfg
+opt/cis-hardening/etc/conf.d/2.9_home_partition.cfg
+opt/cis-hardening/etc/conf.d/2.10_home_nodev.cfg
+opt/cis-hardening/etc/conf.d/2.11_removable_device_nodev.cfg
+opt/cis-hardening/etc/conf.d/2.12_removable_device_noexec.cfg
+opt/cis-hardening/etc/conf.d/2.13_removable_device_nosuid.cfg
+opt/cis-hardening/etc/conf.d/2.14_run_shm_nodev.cfg
+opt/cis-hardening/etc/conf.d/2.15_run_shm_nosuid.cfg
+opt/cis-hardening/etc/conf.d/2.16_run_shm_noexec.cfg
+opt/cis-hardening/etc/conf.d/2.17_sticky_bit_world_writable_folder.cfg
+opt/cis-hardening/etc/conf.d/2.18_disable_cramfs.cfg
+opt/cis-hardening/etc/conf.d/2.19_disable_freevxfs.cfg
+opt/cis-hardening/etc/conf.d/2.20_disable_jffs2.cfg
+opt/cis-hardening/etc/conf.d/2.21_disable_hfs.cfg
+opt/cis-hardening/etc/conf.d/2.22_disable_hfsplus.cfg
+opt/cis-hardening/etc/conf.d/2.23_disable_squashfs.cfg
+opt/cis-hardening/etc/conf.d/2.24_disable_udf.cfg
+opt/cis-hardening/etc/conf.d/2.25_disable_automounting.cfg
+opt/cis-hardening/etc/conf.d/3.1_bootloader_ownership.cfg
+opt/cis-hardening/etc/conf.d/3.2_bootloader_permissions.cfg
+opt/cis-hardening/etc/conf.d/3.3_bootloader_password.cfg
+opt/cis-hardening/etc/conf.d/3.4_root_password.cfg
+opt/cis-hardening/etc/conf.d/4.1_restrict_core_dumps.cfg
+opt/cis-hardening/etc/conf.d/4.2_enable_nx_support.cfg
+opt/cis-hardening/etc/conf.d/4.3_enable_randomized_vm_placement.cfg
+opt/cis-hardening/etc/conf.d/4.4_disable_prelink.cfg
+opt/cis-hardening/etc/conf.d/4.5_enable_apparmor.cfg
+opt/cis-hardening/etc/conf.d/5.1.1_disable_nis.cfg
+opt/cis-hardening/etc/conf.d/5.1.2_disable_rsh.cfg
+opt/cis-hardening/etc/conf.d/5.1.3_disable_rsh_client.cfg
+opt/cis-hardening/etc/conf.d/5.1.4_disable_talk.cfg
+opt/cis-hardening/etc/conf.d/5.1.5_disable_talk_client.cfg
+opt/cis-hardening/etc/conf.d/5.1.6_disable_telnet_server.cfg
+opt/cis-hardening/etc/conf.d/5.1.7_disable_tftp_server.cfg
+opt/cis-hardening/etc/conf.d/5.1.8_disable_inetd.cfg
+opt/cis-hardening/etc/conf.d/5.2_disable_chargen.cfg
+opt/cis-hardening/etc/conf.d/5.3_disable_daytime.cfg
+opt/cis-hardening/etc/conf.d/5.4_disable_echo.cfg
+opt/cis-hardening/etc/conf.d/5.5_disable_discard.cfg
+opt/cis-hardening/etc/conf.d/5.6_disable_time.cfg
+opt/cis-hardening/etc/conf.d/6.1_disable_xwindow_system.cfg
+opt/cis-hardening/etc/conf.d/6.2_disable_avahi_server.cfg
+opt/cis-hardening/etc/conf.d/6.3_disable_print_server.cfg
+opt/cis-hardening/etc/conf.d/6.4_disable_dhcp.cfg
+opt/cis-hardening/etc/conf.d/6.5_configure_ntp.cfg
+opt/cis-hardening/etc/conf.d/6.6_disable_ldap.cfg
+opt/cis-hardening/etc/conf.d/6.7_disable_nfs_rpc.cfg
+opt/cis-hardening/etc/conf.d/6.8_disable_dns_server.cfg
+opt/cis-hardening/etc/conf.d/6.9_disable_ftp.cfg
+opt/cis-hardening/etc/conf.d/6.10_disable_http_server.cfg
+opt/cis-hardening/etc/conf.d/6.11_disable_imap_pop.cfg
+opt/cis-hardening/etc/conf.d/6.12_disable_samba.cfg
+opt/cis-hardening/etc/conf.d/6.13_disable_http_proxy.cfg
+opt/cis-hardening/etc/conf.d/6.14_disable_snmp_server.cfg
+opt/cis-hardening/etc/conf.d/6.15_mta_localhost.cfg
+opt/cis-hardening/etc/conf.d/6.16_disable_rsync.cfg
+opt/cis-hardening/etc/conf.d/7.1.1_disable_ip_forwarding.cfg
+opt/cis-hardening/etc/conf.d/7.1.2_disable_send_packet_redirects.cfg
+opt/cis-hardening/etc/conf.d/7.2.1_disable_source_routed_packets.cfg
+opt/cis-hardening/etc/conf.d/7.2.2_disable_icmp_redirect.cfg
+opt/cis-hardening/etc/conf.d/7.2.3_disable_secure_icmp_redirect.cfg
+opt/cis-hardening/etc/conf.d/7.2.4_log_martian_packets.cfg
+opt/cis-hardening/etc/conf.d/7.2.5_ignore_broadcast_requests.cfg
+opt/cis-hardening/etc/conf.d/7.2.6_enable_bad_error_message_protection.cfg
+opt/cis-hardening/etc/conf.d/7.2.7_enable_source_route_validation.cfg
+opt/cis-hardening/etc/conf.d/7.2.8_enable_tcp_syn_cookies.cfg
+opt/cis-hardening/etc/conf.d/7.3.1_disable_ipv6_router_advertisement.cfg
+opt/cis-hardening/etc/conf.d/7.3.2_disable_ipv6_redirect.cfg
+opt/cis-hardening/etc/conf.d/7.3.3_disable_ipv6.cfg
+opt/cis-hardening/etc/conf.d/7.4.1_install_tcp_wrapper.cfg
+opt/cis-hardening/etc/conf.d/7.4.2_hosts_allow.cfg
+opt/cis-hardening/etc/conf.d/7.4.3_hosts_allow_permissions.cfg
+opt/cis-hardening/etc/conf.d/7.4.4_hosts_deny.cfg
+opt/cis-hardening/etc/conf.d/7.4.5_hosts_deny_permissions.cfg
+opt/cis-hardening/etc/conf.d/7.5.1_disable_dccp.cfg
+opt/cis-hardening/etc/conf.d/7.5.2_disable_sctp.cfg
+opt/cis-hardening/etc/conf.d/7.5.3_disable_rds.cfg
+opt/cis-hardening/etc/conf.d/7.5.4_disable_tipc.cfg
+opt/cis-hardening/etc/conf.d/7.6_disable_wireless.cfg
+opt/cis-hardening/etc/conf.d/7.7_enable_firewall.cfg
+opt/cis-hardening/etc/conf.d/8.0_enable_auditd_kernel.cfg
+opt/cis-hardening/etc/conf.d/8.1.1.1_audit_log_storage.cfg
+opt/cis-hardening/etc/conf.d/8.1.1.2_halt_when_audit_log_full.cfg
+opt/cis-hardening/etc/conf.d/8.1.1.3_keep_all_audit_logs.cfg
+opt/cis-hardening/etc/conf.d/8.1.2_enable_auditd.cfg
+opt/cis-hardening/etc/conf.d/8.1.3_audit_bootloader.cfg
+opt/cis-hardening/etc/conf.d/8.1.4_record_date_time_edit.cfg
+opt/cis-hardening/etc/conf.d/8.1.5_record_user_group_edit.cfg
+opt/cis-hardening/etc/conf.d/8.1.6_record_network_edit.cfg
+opt/cis-hardening/etc/conf.d/8.1.7_record_mac_edit.cfg
+opt/cis-hardening/etc/conf.d/8.1.8_record_login_logout.cfg
+opt/cis-hardening/etc/conf.d/8.1.9_record_session_init.cfg
+opt/cis-hardening/etc/conf.d/8.1.10_record_dac_edit.cfg
+opt/cis-hardening/etc/conf.d/8.1.11_record_failed_access_file.cfg
+opt/cis-hardening/etc/conf.d/8.1.12_record_privileged_commands.cfg
+opt/cis-hardening/etc/conf.d/8.1.13_record_successful_mount.cfg
+opt/cis-hardening/etc/conf.d/8.1.14_record_file_deletions.cfg
+opt/cis-hardening/etc/conf.d/8.1.15_record_sudoers_edit.cfg
+opt/cis-hardening/etc/conf.d/8.1.16_record_sudo_usage.cfg
+opt/cis-hardening/etc/conf.d/8.1.17_record_kernel_modules.cfg
+opt/cis-hardening/etc/conf.d/8.1.18_freeze_auditd_conf.cfg
+opt/cis-hardening/etc/conf.d/8.2.1_install_syslog-ng.cfg
+opt/cis-hardening/etc/conf.d/8.2.2_enable_syslog-ng.cfg
+opt/cis-hardening/etc/conf.d/8.2.3_configure_syslog-ng.cfg
+opt/cis-hardening/etc/conf.d/8.2.4_set_logfile_perm.cfg
+opt/cis-hardening/etc/conf.d/8.2.5_syslog-ng_remote_host.cfg
+opt/cis-hardening/etc/conf.d/8.2.6_remote_syslog-ng_acl.cfg
+opt/cis-hardening/etc/conf.d/8.3.1_install_tripwire.cfg
+opt/cis-hardening/etc/conf.d/8.3.2_tripwire_cron.cfg
+opt/cis-hardening/etc/conf.d/8.4_configure_logrotate.cfg
+opt/cis-hardening/etc/conf.d/9.1.1_enable_cron.cfg
+opt/cis-hardening/etc/conf.d/9.1.2_crontab_perm_ownership.cfg
+opt/cis-hardening/etc/conf.d/9.1.3_cron_hourly_perm_ownership.cfg
+opt/cis-hardening/etc/conf.d/9.1.4_cron_daily_perm_ownership.cfg
+opt/cis-hardening/etc/conf.d/9.1.5_cron_weekly_perm_ownership.cfg
+opt/cis-hardening/etc/conf.d/9.1.6_cron_monthly_perm_ownership.cfg
+opt/cis-hardening/etc/conf.d/9.1.7_cron_d_perm_ownership.cfg
+opt/cis-hardening/etc/conf.d/9.1.8_cron_users.cfg
+opt/cis-hardening/etc/conf.d/9.2.1_enable_cracklib.cfg
+opt/cis-hardening/etc/conf.d/9.2.2_enable_lockout_failed_password.cfg
+opt/cis-hardening/etc/conf.d/9.2.3_limit_password_reuse.cfg
+opt/cis-hardening/etc/conf.d/9.3.1_sshd_protocol.cfg
+opt/cis-hardening/etc/conf.d/9.3.2_sshd_loglevel.cfg
+opt/cis-hardening/etc/conf.d/9.3.3_sshd_conf_perm_ownership.cfg
+opt/cis-hardening/etc/conf.d/9.3.4_disable_x11_forwarding.cfg
+opt/cis-hardening/etc/conf.d/9.3.5_sshd_maxauthtries.cfg
+opt/cis-hardening/etc/conf.d/9.3.6_enable_sshd_ignorerhosts.cfg
+opt/cis-hardening/etc/conf.d/9.3.7_disable_sshd_hostbasedauthentication.cfg
+opt/cis-hardening/etc/conf.d/9.3.8_disable_root_login.cfg
+opt/cis-hardening/etc/conf.d/9.3.9_disable_sshd_permitemptypasswords.cfg
+opt/cis-hardening/etc/conf.d/9.3.10_disable_sshd_setenv.cfg
+opt/cis-hardening/etc/conf.d/9.3.11_sshd_ciphers.cfg
+opt/cis-hardening/etc/conf.d/9.3.12_sshd_idle_timeout.cfg
+opt/cis-hardening/etc/conf.d/9.3.13_sshd_limit_access.cfg
+opt/cis-hardening/etc/conf.d/9.3.14_ssh_banner.cfg
+opt/cis-hardening/etc/conf.d/9.4_secure_tty.cfg
+opt/cis-hardening/etc/conf.d/9.5_restrict_su.cfg
+opt/cis-hardening/etc/conf.d/10.1.1_set_password_exp_days.cfg
+opt/cis-hardening/etc/conf.d/10.1.2_set_password_min_days_change.cfg
+opt/cis-hardening/etc/conf.d/10.1.3_set_password_exp_warning_days.cfg
+opt/cis-hardening/etc/conf.d/10.2_disable_system_accounts.cfg
+opt/cis-hardening/etc/conf.d/10.3_default_root_group.cfg
+opt/cis-hardening/etc/conf.d/10.4_default_umask.cfg
+opt/cis-hardening/etc/conf.d/10.5_lock_inactive_user_account.cfg
+opt/cis-hardening/etc/conf.d/11.1_warning_banners.cfg
+opt/cis-hardening/etc/conf.d/11.2_remove_os_info_warning_banners.cfg
+opt/cis-hardening/etc/conf.d/11.3_graphical_warning_banners.cfg
+opt/cis-hardening/etc/conf.d/12.1_etc_passwd_permissions.cfg
+opt/cis-hardening/etc/conf.d/12.2_etc_shadow_permissions.cfg
+opt/cis-hardening/etc/conf.d/12.3_etc_group_permissions.cfg
+opt/cis-hardening/etc/conf.d/12.4_etc_passwd_ownership.cfg
+opt/cis-hardening/etc/conf.d/12.5_etc_shadow_ownership.cfg
+opt/cis-hardening/etc/conf.d/12.6_etc_group_ownership.cfg
+opt/cis-hardening/etc/conf.d/12.7_find_world_writable_file.cfg
+opt/cis-hardening/etc/conf.d/12.8_find_unowned_files.cfg
+opt/cis-hardening/etc/conf.d/12.9_find_ungrouped_files.cfg
+opt/cis-hardening/etc/conf.d/12.10_find_suid_files.cfg
+opt/cis-hardening/etc/conf.d/12.11_find_sgid_files.cfg
+opt/cis-hardening/etc/conf.d/13.1_remove_empty_password_field.cfg
+opt/cis-hardening/etc/conf.d/13.2_remove_legacy_passwd_entries.cfg
+opt/cis-hardening/etc/conf.d/13.3_remove_legacy_shadow_entries.cfg
+opt/cis-hardening/etc/conf.d/13.4_remove_legacy_group_entries.cfg
+opt/cis-hardening/etc/conf.d/13.5_find_0_uid_non_root_account.cfg
+opt/cis-hardening/etc/conf.d/13.6_sanitize_root_path.cfg
+opt/cis-hardening/etc/conf.d/13.7_check_user_dir_perm.cfg
+opt/cis-hardening/etc/conf.d/13.8_check_user_dot_file_perm.cfg
+opt/cis-hardening/etc/conf.d/13.9_set_perm_on_user_netrc.cfg
+opt/cis-hardening/etc/conf.d/13.10_find_user_rhosts_files.cfg
+opt/cis-hardening/etc/conf.d/13.11_find_passwd_group_inconsistencies.cfg
+opt/cis-hardening/etc/conf.d/13.12_users_valid_homedir.cfg
+opt/cis-hardening/etc/conf.d/13.13_check_user_homedir_ownership.cfg
+opt/cis-hardening/etc/conf.d/13.14_check_duplicate_uid.cfg
+opt/cis-hardening/etc/conf.d/13.15_check_duplicate_gid.cfg
+opt/cis-hardening/etc/conf.d/13.16_check_duplicate_username.cfg
+opt/cis-hardening/etc/conf.d/13.17_check_duplicate_groupname.cfg
+opt/cis-hardening/etc/conf.d/13.18_find_user_netrc_files.cfg
+opt/cis-hardening/etc/conf.d/13.19_find_user_forward_files.cfg
+opt/cis-hardening/etc/conf.d/13.20_shadow_group_empty.cfg
+opt/cis-hardening/etc/conf.d/99.1_timeout_tty.cfg
+opt/cis-hardening/etc/conf.d/99.2_disable_usb_devices.cfg
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..1338daa
--- /dev/null
+++ b/debian/control
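Review bot: This 191-entry list is maintained by hand (the only regeneration hint is the `ls | sort -V | xargs` comment in debian/rules), so it will drift from etc/conf.d: any .cfg added later without an entry here is installed as an ordinary file and silently replaced on every upgrade, whereas a listed conffile gets dpkg's keep/replace handling. For a hardening tool that matters, assuming — as the names suggest — these files hold the per-check settings an administrator tunes on a host; one missed entry quietly reverts that tuning. I would generate the list at build time instead, e.g. in override_dh_install of debian/rules `find etc/conf.d -type f -name '*.cfg' -printf 'opt/cis-hardening/%p\n' | sort -V > debian/conffiles`, and add debian/conffiles to debian/clean so the generated file is never committed. The list is needed at all only because dh_installdeb auto-marks conffiles under /etc, not under /opt; a one-line comment saying so at the top of debian/rules would spare the next maintainer the same detour.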
@@ -0,0 +1,15 @@
+Source: cis-hardening
+Section: ovh
+Priority: extra
+Maintainer: Kevin Tanguy
+Build-Depends: debhelper (>= 8.0.0)
+Standards-Version: 3.9.3
+Homepage: https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=debian7.100
+Vcs-Git: git@github.com:ovh/debian-cis.git
+Vcs-Browser: https://github.com/ovh/debian-cis/
+
+Package: cis-hardening
+Architecture: all
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: Suite of configurable scripts to audit or harden a Debian Wheezy.
+
diff --git a/debian/default b/debian/default
new file mode 100644
index 0000000..242de44
--- /dev/null
+++ b/debian/default
@@ -0,0 +1,5 @@
+# Default file for CIS Debian hardenning scripts
+
+# Define here root directory for CIS debian hardenning scripts
+CIS_ROOT_DIR='/opt/cis-hardening'
+
diff --git a/debian/dirs b/debian/dirs
new file mode 100644
index 0000000..a460af4
--- /dev/null
+++ b/debian/dirs
@@ -0,0 +1 @@
+opt/cis-hardening/tmp/backups
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..e6bf01b
--- /dev/null
+++ b/debian/rules
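Review bot: `Vcs-Git: git@github.com:ovh/debian-cis.git` is an SSH push URL that only accounts with write access can clone; the Vcs-* fields are meant to give anyone an anonymous read-only checkout, so it should be `Vcs-Git: https://github.com/ovh/debian-cis.git`. `Section: ovh` is not an archive section and lintian will flag it; `admin` is the natural fit for a system-hardening package unless an internal repository really expects the custom name. The Description stops at the synopsis line; a short extended paragraph (indented by one space) saying that the scripts audit and, when asked, modify the system, and pointing at /etc/default for configuration, would help whoever installs it. `${shlibs:Depends}` is harmless but meaningless for an Architecture: all package of scripts.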
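Review bot: Both comment lines misspell "hardening" as "hardenning", and since debian/default is shipped verbatim (presumably as /etc/default/cis-hardening via dh_installinit under compat 8) the typo lands on every installed host. Suggest `# Default file for CIS Debian hardening scripts` and `# Define here the root directory for the CIS Debian hardening scripts`. debian/rules additionally copies etc/hardening.cfg into /etc/default/, so this package ends up with two files there; a comment here stating which one the scripts actually read, and that CIS_ROOT_DIR must match where debian/rules installs the tree, would prevent the two from silently diverging.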
@@ -0,0 +1,39 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+# vim: set noexpandtab:
+#
+# Sample debian/rules that uses debhelper.
+# This file was originally written by Joey Hess and Craig Small.
+# As a special exception, when this file is copied by dh-make into a
+# dh-make output file, you may use that output file without restriction.
+# This special exception was added by Craig Small in version 0.37 of dh-make.
+
+# Uncomment this to turn on verbose mode.
+export DH_VERBOSE=1
+
+PACKAGE = $(shell dh_listpackages)
+
+%:
+ dh $@
+
+override_dh_install:
+ dh_install
+ mkdir -p $(CURDIR)/debian/$(PACKAGE)/opt/$(PACKAGE)/
+ cp README $(CURDIR)/debian/$(PACKAGE)/opt/$(PACKAGE)/
+ cp -R bin $(CURDIR)/debian/$(PACKAGE)/opt/$(PACKAGE)/
+ # standard default global config file
+ mkdir -p $(CURDIR)/debian/$(PACKAGE)/etc/default/
+ cp etc/hardening.cfg $(CURDIR)/debian/$(PACKAGE)/etc/default/
+ # /!\ tag /opt/$(PACKAGE)/etc/conf.d/* as configuration files in conffiles
+ # (ls | sort -V | xargs -i echo opt/cis-hardening/etc/conf.d/{} -- without README)
+ cp -R etc $(CURDIR)/debian/$(PACKAGE)/opt/$(PACKAGE)/
+ cp -R lib $(CURDIR)/debian/$(PACKAGE)/opt/$(PACKAGE)/
+ # cleanup git stuff if any
+ find $(CURDIR)/debian/$(PACKAGE) -type f -name .gitignore -delete
+
+
+override_dh_installdocs:
+ dh_installdocs
+ gzip -c LICENSE > $(CURDIR)/debian/$(PACKAGE)/usr/share/doc/$(PACKAGE)/LICENSE.gz
+ gzip -c README > $(CURDIR)/debian/$(PACKAGE)/usr/share/doc/$(PACKAGE)/README.gz
+ gzip -c src/skel > $(CURDIR)/debian/$(PACKAGE)/usr/share/doc/$(PACKAGE)/skel.gz
diff --git a/debian/source/options b/debian/source/options
new file mode 100644
index 0000000..45bef47
--- /dev/null
+++ b/debian/source/options
@@ -0,0 +1 @@
+tar-ignore = ".git*"
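Review bot: `PACKAGE = $(shell dh_listpackages)` is a recursive assignment, so dh_listpackages is re-run at every one of the expansions in the two override recipes; `PACKAGE := $(shell dh_listpackages)` evaluates it once. The comment `# Uncomment this to turn on verbose mode.` is stale now that `export DH_VERBOSE=1` is live — either re-comment the export for release builds or reword the comment to say verbose mode is on. In override_dh_install, `cp etc/hardening.cfg` into /etc/default/ followed by `cp -R etc` into /opt/$(PACKAGE)/ ships two copies of the global config; only the /etc one is auto-marked as a conffile, so if the scripts read the /opt copy an administrator's edits there are lost on upgrade — confirm which copy is read and either drop the other or list it in debian/conffiles. The `# /!\ tag ... in conffiles` comment documents a manual step that this same target could perform with a `find etc/conf.d -name '*.cfg' | sort -V` pipeline writing debian/conffiles, which would keep the list from drifting.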